Significantly, these three releases solve a potential "authentication phishing" exploit inside the SWFUpload library that was reported to us by Julien from RCE Security. Most browsers either no longer have Flash by default, or mitigate this issue sufficiently, therefore the issue is fairly low risk. However, as a precaution, it is recommended to upgrade.
By upgrading you will be entirely removing SWFUpload from your XF installation. You may remember that over a year ago we released XenForo 1.5.12 to introduce a new HTML 5 uploader. This may have required add-on developers to update their code to support the new uploader, otherwise SWFUpload would have continued to be used for file uploads in that add-on. In the event that you have add-ons installed which were not updated to use the new uploader, as of this release, these add-ons will no longer support multiple file uploads and instead will only support uploading a single file at a time.
Some of the other changes in this release include:
- Remove swfupload support.
- Ensure the _xfToken value is retrieved from the request as a string.
- Remove the supposedly invalid "gender" property from the member view structured data.
- No longer import a few social media identities from PHPBB due to reports of those fields no longer existing (and they no longer exist in XF2 anyway).
- Ensure overlays are not de-cached too early when animations are disabled.
- Resolve an issue which could strangely modify the message text when using select-to-quote.