Revive Adserver v5.1.0 released

[Revive Adserver Forum]

The Revive Adserver team is proud to announce the immediate availability of Revive Adserver v5.1.0.

We are pleased to announce the release of version 5.1.0 of the Revive Adserver software. This new version has several enhancements and improvements, and addresses some low risk security issues that have been discovered recently.

Here is a list of enhancements in Revive Adserver v5.1.0:

• We redesigned the email sent to users when a password reset request is made.
• We added an agency status, allowing to suspend or deactivate accounts, optionally showing custom messages during delivery for such accounts. No blank impressions will be logged in such cases.
• We added an optional custom message during delivery when a non-existent zone ID is requested. No requests, nor blank impressions will be logged either.
• We replaced the Flash-based video player for video ads with the HTML5 video tag supported by modern browsers.
• We added a new manager level permission to delete items.

We fixed a number of bugs in this version 5.1.0 of Revive Adserver:

• Removed usage of the *et_magic_quotes_gpc() deprecated functions.
• Optimized ad selection context build algorithm.
• Improved compatibility of Asychronous JS invocation with single page applications, by using the srcdoc attribute when possible.
• Updated subdivisions for South Africa, following ISO-3166-2: change of subdivision code from ZA-GT to ZA-GP, ZA-NL to ZA-KZN.
• Added missing delivery script settings for async tags.
• Removed the possibility to set individual permissions for users that are linked to an admin account as such users always have all the permissions by design. Even though the UI was showing checkboxes it has actually never been possible to disable them.

Full release notes for v5.1.0 can be found on our Github page.

Security fixes

This version 5.1.0 contains fixes for some low risk security issues that were recently discovered:

• Fixed open redirect in the click tracking script, by deprecating the existing ck.php script and making it ignore the oadest parameter, so that it only redirects to the destination saved in the banner itself. Alongside, a new “signed” click tracking delivery script as been added, (cl.php): it uses regular query string parameters and HMAC SHA256 signature to ensure the destination URL is not tampered with.
• Fixed a persistent XSS vulnerability caused by missing HTML escaping when displaying the website URL in the affiliate-preview.php tag generation page.
• Fixed a reflected XSS vulnerability in afr.php that could still be achieved on legacy browsers, bypassing a previous fix.

A more detailed security advisory is available at https://www.revive-adserver.com/security/revive-sa-2021-001/

We recommend upgrading to the most recent 5.1.0 version of Revive Adserver as soon as possible.

Download, install and upgrade

Revive Adserver v5.1.0 is available for download now.

Once downloaded, please refer to the instructions for Installations of Revive Adserver or for Updating Revive Adserver. Make sure that the server(s) being used meet(s) the minimum technical requirements.

Community contributions

The continued development of Revive Adserver is being sponsored by community members, either financially or in the form of code contributions. We’re very grateful for the support we’ve received. If you would like to contribute to our project, please consider becoming a patron on Patreon.com.

Another way to contribute to our project, is by using the Revive Adserver Hosted edition.

The post Revive Adserver v5.1.0 released appeared first on Revive Adserver.

[url={url}]View the full article[/url]