Revive Adserver v3.2.3 Released – Security Fixes

Revive Adserver v3.2.3 is now available.

This release has one improvement to the user experience. The campaign banner overview page now displays shortened URLs (when they are very long) and displays a tool tip for the complete URL, to improve the legibility of the page.

Version 3.2.3 also fixes a number of bugs that were discovered in the application. The most important are:

  • We fixed an issue with Revive Adserver failing to connect correctly to the sync service, which advises users about upgrades to the product.
  • Asynchronous JavaScript invocation code no longer triggers JavaScript errors on unsupported browsers (e.g. IE8), and it now works even when fl.js has been renamed.
  • We fixed an issue with append code being rendered twice for SWF (Flash) banners with a fallback image.
  • We fixed an issue with the password recovery form sending emails to all the registered users at once.

This release also fixes a number of medium security issues, which were recently discovered and reported to the Revive Adserver Project team. Most of these were disclosed via the Revive Adserver HackerOne project. Please review our Security Advisory for the full details.

We strongly advise users to upgrade to the most recent version 3.2.3 of Revive Adserver. This also includes any user running any version of OpenX Source or older versions of the application, which may also be vulnerable to the security issues fixed in this release.

Full release notes for v3.2.3 can be found on our GitHub page.

Download, install and upgrade

Revive Adserver v3.2.3 is available for download now.

Once downloaded, please refer to the instructions for Installations of Revive Adserver or for Upgrading Revive Adserver. Make sure that the server(s) being used meet(s) the minimum technical requirements.

Note: if you downloaded the v3.2.3 files before 1645 UTC on March 2016, you should download them again. Shortly after we posted the first set, we found and fixed a small but annoying bug in the user interface of “linked zones”, and v3.2.3 has been repackaged to include this fix.

Community contribution

The Revive Adserver Project Team wish to thank all community & HackerOne members for their contributions and for their responsible disclosure – the details of all security fixes can be found in the Security Advisory.

If you come across any other security issues, or suspect that a vulnerability exists, please see our page on reporting security issues.

Written by

Revive Adserver is an open source project, dedicated to building and supporting the open source ad server software and the community of users around the world.