This page last changed on May 03, 2010 by smaddox.
This release fixes some security flaws. Please refer to the security advisory for details of the security vulnerabilities, risk assessment and mitigation strategies.

4 May 2010

Confluence 3.2.1 is a recommended upgrade which fixes some security flaws and other bugs.

As part of the security update we have made changes to Confluence functionality, including some parts of the Administration Console. Please refer to the security advisory for a summary of changed behaviour. We have updated the documentation where relevant.

We have also fixed a bug that caused an out-of-memory error when attempting to display an Excel spreadsheet on a Confluence page. Before this fix, the error might occur if the spreadsheet had a large number of empty cells. Confluence now limits the number of spreadsheet cells it will display. By default, the maximum is 10000 cells. The Confluence administrator can adjust this value in the Office Connector configuration screen, as described in the documentation.

Purging items from a space's trash can was very slow and blocked all other database updates. This is now fixed.

A bug introduced in Confluence 3.2 prevented people from adding a page when using the Left Navigation theme. We have fixed this too.

In Confluence 3.2, we mistakenly introduced the words 'Needs to be updated' into the French and German translations of the UI text in the Left Navigation theme. We have now removed the extra text. The UI wording is still in English, not translated into French or German, but at least it no longer calls attention to this fact.

Don't have Confluence 3.2 yet?

Take a look at the new features and other highlights in the Confluence 3.2 Release Notes.

Upgrading from a Previous Version of Confluence

Upgrading Confluence should be fairly straightforward. Please read the Confluence 3.2.1 Upgrade Notes. We strongly recommend that you back up your confluence.home directory and database before upgrading.

Updates and Fixes in this Release

JIRA Issues (40 issues)
| Type | Key | Summary | Priority | Status | Resolution |
|---|---|---|---|---|---|
| Bug | CONF-19441 | XSS in page renderer | Blocker | Resolved | Fixed |
| Bug | CONF-19404 | XSS vulnerability in some JSPs under admin section | Blocker | Resolved | Fixed |
| Bug | CONF-19403 | XSS vulnerability in Advanced Macros plugin | Blocker | Resolved | Fixed |
| Bug | CONF-19382 | XSS vulnerability in search | Blocker | Resolved | Fixed |
| Bug | CONF-19381 | XSS Bookmark vulnerabilities | Blocker | Resolved | Fixed |
| Bug | CONF-19216 | "Needs to be updated" appearing in German translations | Blocker | Resolved | Fixed |
| Bug | CONF-19402 | Only strings are encoded | Critical | Resolved | Fixed |
| Improvement | CONF-19398 | SOAP and XML-RPC APIs return too much information | Critical | Resolved | Fixed |
| Improvement | CONF-19397 | Path for daily backup is configurable through WEB UI | Critical | Resolved | Fixed |
| Improvement | CONF-19396 | Require user to answer CAPTCHA after three failed attempts | Critical | Resolved | Fixed |
| Bug | CONF-19388 | Possible XSS injection in attachment upload | Critical | Resolved | Fixed |
| Bug | CONF-19384 | XSS vulnerability in Colour Scheme settings | Critical | Resolved | Fixed |
| Bug | CONF-19145 | creates "plugins-temp" directory, fails to start if current directory is not writeable | Critical | Resolved | Fixed |
| Bug | CONF-15247 | Java quits or exits - Seg Fault due to recursive ExcerptInclude Macro | Critical | Resolved | Fixed |
| Bug | CONF-15233 | Purging Trash is Slow and Blocks DB Writes | Critical | Resolved | Fixed |
| Bug | CONF-19416 | Semi-colon separator used to work for image properties, but doesn't in 3.2.1 which causes broken images on CAC | Major | Resolved | Not a bug |
| Bug | CONF-19401 | BootstrapManager exposed in layout templates should be read only | Major | Resolved | Fixed |
| Bug | CONF-19395 | The list of Confluence administrators is accessible via a URL | Major | Resolved | Fixed |
| Improvement | CONF-19393 | Remove the download link for XML site backups | Major | Resolved | Fixed |
| Bug | CONF-19203 | Upload javadoc for Confluence 3.2 to docs.atlassian.com | Major | Resolved | Fixed |
| Bug | CONF-19142 | Can't add pages while using Left Nav theme in Confluence 3.2 | Major | Resolved | Fixed |
| Bug | CONF-19104 | Exception after clicking on "Attachments" link in "Edit Space Details" dialog | Major | Resolved | Fixed |
| Bug | CONF-19029 | Restore behaves differently to Upload and Restore for restoring spaces. | Major | Resolved | Fixed |
| Bug | CONF-18972 | Searching for a link using auto-complete replaces your link text with the search result | Major | Resolved | Fixed |
| Bug | CONF-18626 | UWC Link in Confluence Administration is broken | Major | Resolved | Fixed |
| Bug | CONF-17718 | Downloading a .docx file in IE7/WinXP gives it a .zip extension (technically true but the average end-user wouldn't know that). | Major | Resolved | Fixed |
| Bug | CONF-15946 | I18NBean getText method spamming EAC logs | Major | Resolved | Fixed |
| Bug | CONF-14928 | System error when removing a username containing a space from a group in Manage Groups page | Major | Resolved | Fixed |
| New Feature | CONF-7211 | Increase login security by enabling captcha on login retry page | Major | Resolved | Duplicate |
| Bug | CONF-19392 | Mail support request accepts any e-mail address | Minor | Resolved | Fixed |
| Bug | CONF-19391 | Anonymise config files in support zip | Minor | Resolved | Fixed |
| Bug | CONF-19390 | Not all error strings are encoded | Minor | Resolved | Fixed |
| Bug | CONF-19296 | Did you mean suggestion in site search does not work with quoted phrases | Minor | Resolved | Duplicate |
| Bug | CONF-19159 | Prevent NPE being thrown on recently updated dashboard. | Minor | Resolved | Fixed |
| Bug | CONF-19073 | Print footer got lost in new footer for 3.2 | Minor | Resolved | Fixed |
| Bug | CONF-19045 | Downloading an Excel Microsoft Office 2007 file in IE7/WinXP gives it a .zip extension. | Minor | Resolved | Fixed |
| Bug | CONF-19028 | Fixed Width Theme: Attachments macro content overlaps the personal space sidebar on IE7 | Minor | Resolved | Fixed |
| Bug | CONF-18887 | Indexing excel files with lots of cells can lead to OOM errors | Minor | Resolved | Fixed |
| Bug | CONF-17292 | Previewing Excel files with thousands of rows and/or columns can result in OutOfMemoryError | Minor | Resolved | Fixed |
| Bug | CONF-15407 | Space logo links are incorrect in the dashboard and recently updated macros | Minor | Resolved | Fixed |

Document generated by Confluence on Jul 09, 2010 01:09