
Security Advisory

August 2, 2016 | Posted by Paul


We have released new updates for all supported versions of Blesta. These updates address security-related concerns with Blesta and have an impact rating of Low. More information about how we rate vulnerabilities can be found on our Security Advisories page.

Affected Versions

Versions 3.0.0 through 3.6.1 are affected.

Description

This update addresses two security concerns:

  1. An undemonstrated potential vulnerability. In cooperation with a competing software application, we will release further details about this issue and how it affects Blesta once a sufficient amount of time has passed.
  2. Full Path Disclosure: with debugging enabled, error pages include stack traces that reveal the installation's filesystem path.

Resolution

If you are running 3.6.0 or 3.6.1, apply the following patch:

3.6.x -> 3.6.2 - Download Patch

If you are running a version prior to 3.6.0, upgrade to 3.6.2:

3.6.2 - Download Full

Be sure to run ~/admin/upgrade in your browser after updating the files. The upgrade writes a new configuration variable to your ~/config/blesta.php config file, so ensure that file is writable by the web server before running it.

Related tasks: CORE-2228, CORE-2231

Mitigation

Upgrading to 3.6.2 is the recommended fix. If you cannot upgrade immediately, the Full Path Disclosure issue (item 2 above) may be mitigated on its own by setting the System.debug variable to false in ~/config/core.php. To do so, open ~/config/core.php and look for the following:

<?php
...
Configure::set("System.debug", true);

Change this to:

<?php
...
Configure::set("System.debug", false);

This disables stack traces within minPHP “Oh noes” error pages, which is where the full path was exposed. Note that once you upgrade to Blesta 3.6.2, this option is also defined in Blesta’s own config file (~/config/blesta.php), and the value there overrides the one in ~/config/core.php, so check that file rather than core.php after upgrading.
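As an added example (not Blesta's code and not part of the original advisory), the following POSIX shell functions verify the mitigation above on an install: they parse the two config files the advisory names, report the effective System.debug value, and return a non-zero status when debug output is still enabled. The assumptions are that the install root contains config/core.php and config/blesta.php as described in the advisory, that a value in blesta.php overrides core.php (the 3.6.2 behaviour stated above), and that the setting appears as an uncommented Configure::set("System.debug", ...) line; the install tree used in the demonstration is constructed by the script itself.

```shell
#!/bin/sh
# Added example, not part of Blesta or the advisory: report the effective
# System.debug setting of an install by parsing the two config files the
# advisory names. Assumption (per the advisory for 3.6.2): a value set in
# config/blesta.php overrides the one in config/core.php.

# Print "true", "false" or "unset" for the System.debug value in one config
# file. Only uncommented lines of the form
#   Configure::set("System.debug", true);
# are considered (single or double quotes, any spacing); the last one wins.
blesta_debug_setting() {
    file=$1
    if [ ! -r "$file" ]; then
        echo unset
        return 0
    fi
    val=$(sed -nE 's/^[[:space:]]*Configure::set\([[:space:]]*["'"'"']System\.debug["'"'"'][[:space:]]*,[[:space:]]*(true|false)[[:space:]]*\);.*/\1/p' "$file" | tail -n 1)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# Effective value for an install root: blesta.php if it sets the option,
# otherwise core.php.
blesta_effective_debug() {
    root=$1
    setting=$(blesta_debug_setting "$root/config/blesta.php")
    if [ "$setting" = unset ]; then
        setting=$(blesta_debug_setting "$root/config/core.php")
    fi
    echo "$setting"
}

# Exit 0 when debug output is disabled, 1 otherwise, so the check can gate
# a deployment script.
blesta_check_debug_off() {
    root=$1
    case $(blesta_effective_debug "$root") in
        false)
            echo "OK: System.debug is false in $root"
            return 0 ;;
        true)
            echo "WARN: System.debug is true in $root; error pages will include stack traces with full paths"
            return 1 ;;
        *)
            echo "WARN: System.debug is not set in $root/config/blesta.php or core.php"
            return 1 ;;
    esac
}

# Demonstration on a constructed install tree (not a real Blesta checkout):
# core.php ships with debug on, then blesta.php overrides it.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/config"
printf '<?php\nConfigure::set("System.debug", true);\n' > "$demo_root/config/core.php"
blesta_check_debug_off "$demo_root" || true
printf '<?php\nConfigure::set("System.debug", false);\n' > "$demo_root/config/blesta.php"
blesta_check_debug_off "$demo_root" || true
rm -rf "$demo_root"
```

Run it against a real install with `blesta_check_debug_off /path/to/blesta`; the exit status is what you want in a post-upgrade check, since a warning that scrolls past is easy to miss while a failed deployment step is not.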

Credits

These items were reported by Sabri (@pwnsdx) in accordance with our Responsible Disclosure Policy.


Blesta 3.6.1 Patch Released

November 9, 2015 | Posted by Paul


A patch has been released for Blesta that addresses bugs discovered since 3.6.0 was released. As usual, a big thanks to everyone who reported and confirmed these bugs on our forums; we appreciate your help.

The release notes are available at https://docs.blesta.com/display/support/3.6.1.

Always run /admin/upgrade in your browser after patching or upgrading your installation.

Download 3.6.1 Patch
Download 3.6.1 Full

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.

We recently migrated from Subversion to Git for version control as part of our effort to further streamline our development and build processes. We are also now using Composer for all Blesta extensions and have integrated this into our build process. As a result, you may see composer.json files included with extensions, which is normal going forward.

Blesta 3.6: Now Available

October 14, 2015 | Posted by Paul


Three SIX is here and it includes the ability to mass schedule cancellation of services, automatic cancellation of suspended services, new payment gateways and more.

Download 3.6

See the documentation for details on how to install or upgrade.

What’s new in 3.6?

  • Mass edit for scheduling cancellation of services
  • Automatic cancellation of suspended services
  • Ability to invoice renewing services separately
  • Move services to packages in different groups with the “Reassign Pricing” plugin

And more, see everything in the changelog!

A big shout out to KnownHost for sponsoring development again for several new items in 3.6! If your company is interested in sponsored development, we would love to hear from you!

The Marketplace

The Marketplace is now available. If you are a developer, list your extensions now if you haven’t already. If you have a developer license with us, you can log in to The Marketplace using the same credentials you use to manage your account at account.blesta.com.

Paymentwall

Paymentwall recently released a payment gateway for Blesta. Download the gateway and find out more about Paymentwall in our new marketplace.

What’s next?

We are raising the minimum requirements to PHP 5.4 for Blesta 4.0. We recommend PHP 5.6, since active support for all older PHP releases has ended. Here are a couple of things to look forward to:

  • Mass Mailer
  • Usability Improvements
  • And..? :) Stay tuned. (or poke around dev.blesta.com for clues)

Also, it’s looking like 4.1 will be dedicated to improving domain registration support.

We do our best to prioritize development based on demand. Is there a feature you really want to see in a future release? Let us know on our feature requests forum!

Blesta 3.6 Beta Released

September 28, 2015 | Posted by Paul


We are excited to announce that 3.6.0 BETA 1 has been released! If you purchased Blesta direct, you may download blesta-3.6.0-b1.zip from the client area now (Login Required). During installation, choose to start a free trial unless you have a dev license you can use. Then, head over to our 3.6 beta forums to report any bugs and let us know what you think.

Beta releases are for non-production use and are not supported.


So what is new in 3.6?

Version 3.6 is intended to bridge the gap between 3.5 and the next major release, 4.0, and includes many improvements. Here are some of the new features in 3.6:

  • New Gateways: Converge (aka VirtualMerchant), and Braintree
  • Payment types can be designated as non-income
  • Automatically set Payment Accounts for auto-debit when saved
  • Improved performance of Invoice and Transaction searches
  • Added ability to invoice each service independently
  • Added ability to mass schedule cancellation of services
  • Show invoice line items on client pay page when paying a single invoice

There’s a lot more in this release, see the release notes for details.

When is the final release?

Version 3.6 will be officially released after the beta phase is completed. Generally the beta for a minor release lasts around 2-3 weeks, but it can vary. An official release is only made once we deem it to be stable.

What are you waiting for? Download the beta and let us know what you think!


Blesta 3.5.3 Patch Released

September 2, 2015 | Posted by Paul


A patch has been released for Blesta that addresses bugs discovered since 3.5.2 was released. As usual, a big thanks to everyone who reported and confirmed these bugs on our forums; we appreciate your help.

You can read more information about this patch, including the release notes, on our forums at http://www.blesta.com/forums/index.php?/topic/5012-release-353/.

Always run ~/admin/upgrade in your browser after patching or upgrading your installation.

Download 3.5.3 Patch
Download 3.5.3 Full

To patch your installation, please follow the instructions for Patching an Existing Install from our user manual.