January 22, 2021: a bug has been identified in Revive Adserver v5.1.0, which causes the invocation code for email zones (avw.php) to stop working. A bug fix release v5.1.1 is tentatively scheduled for January 26, 2021. If you've already updated to v5.1.0, you can find a patch in the corresponding GitHub issue. If you haven't updated to v5.1.0 yet, we recommend waiting for the release of v5.1.1.
The Revive Adserver team is proud to announce the immediate availability of Revive Adserver v5.1.0.
We are pleased to announce the release of version 5.1.0 of the Revive Adserver software. This new version has several enhancements and improvements, and addresses some low risk security issues that have been discovered recently.
Here is a list of enhancements in Revive Adserver v5.1.0:
- We redesigned the email sent to users when a password reset request is made.
- We added an agency status, which allows accounts to be suspended or deactivated, optionally showing custom messages during delivery for such accounts. No blank impressions will be logged in such cases.
- We added an optional custom message during delivery when a non-existent zone ID is requested. Neither requests nor blank impressions will be logged in that case.
- We replaced the Flash-based video player for video ads with the HTML5 video tag supported by modern browsers.
- We added a new manager level permission to delete items.
We fixed a number of bugs in this version 5.1.0 of Revive Adserver:
- Removed usage of the deprecated *et_magic_quotes_gpc() functions.
- Optimized the ad selection context build algorithm.
- Improved compatibility of Asynchronous JS invocation with single page applications, by using the srcdoc attribute when possible.
- Updated subdivisions for South Africa, following ISO-3166-2: change of subdivision code from ZA-GT to ZA-GP, ZA-NL to ZA-KZN.
- Added missing delivery script settings for async tags.
- Removed the possibility to set individual permissions for users that are linked to an admin account, as such users always have all the permissions by design. Even though the UI was showing checkboxes, it has actually never been possible to disable them.
- Fixed an open redirect in the click tracking script by deprecating the existing ck.php script and making it ignore the oadest parameter, so that it only redirects to the destination saved in the banner itself. Alongside this, a new “signed” click tracking delivery script (cl.php) has been added: it uses regular query string parameters and an HMAC SHA256 signature to ensure the destination URL is not tampered with.
- Fixed a persistent XSS vulnerability caused by missing HTML escaping when displaying the website URL in the affiliate-preview.php tag generation page.
- Fixed a reflected XSS vulnerability in afr.php that could still be achieved on legacy browsers, bypassing a previous fix.
A more detailed security advisory is available at https://www.revive-adserver.com/security/revive-sa-2021-001/
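The signed click tracking idea described above can be sketched as follows. This is an added example, not Revive Adserver's own code: the parameter names (bannerid, zoneid, dest, sig), the function names and the secret are assumptions made for illustration and do not describe the actual cl.php interface.

```php
<?php
// Added illustration, not Revive Adserver source. Parameter names, function
// names and the secret below are assumptions made for this sketch.
declare(strict_types=1);

const FIELDS = ['bannerid', 'zoneid', 'dest'];

// Canonical string over the signed fields: fixed order, RFC 3986 encoding,
// so both sides compute the HMAC over exactly the same bytes.
function canonical(array $p): string
{
    $signed = [];
    foreach (FIELDS as $k) {
        $signed[$k] = (string) ($p[$k] ?? '');
    }
    return http_build_query($signed, '', '&', PHP_QUERY_RFC3986);
}

// Tag generation side: append an HMAC-SHA256 signature to the query string.
function signClickQuery(string $secret, array $p): string
{
    $base = canonical($p);
    return $base . '&sig=' . hash_hmac('sha256', $base, $secret);
}

// Delivery side: return the destination only if the signature verifies,
// otherwise null so the caller never redirects to an unsigned URL.
function verifiedDestination(string $secret, string $query): ?string
{
    parse_str($query, $p);
    foreach ([...FIELDS, 'sig'] as $k) {
        if (!isset($p[$k]) || !is_string($p[$k])) {
            return null; // missing field or array-valued parameter
        }
    }
    $expected = hash_hmac('sha256', canonical($p), $secret);
    // hash_equals() compares in constant time to avoid a timing side channel.
    return hash_equals($expected, $p['sig']) ? $p['dest'] : null;
}

$secret = 'constructed-demo-secret';            // constructed value
$dest   = 'https://advertiser.example/landing'; // constructed value
$query  = signClickQuery($secret, ['bannerid' => '42', 'zoneid' => '7', 'dest' => $dest]);
var_dump(verifiedDestination($secret, $query));

// Constructed tampering: destination swapped, original signature kept.
$tampered = str_replace(rawurlencode($dest), rawurlencode('https://other.example/'), $query);
var_dump(verifiedDestination($secret, $tampered));
```

The signature covers the banner and zone identifiers as well as the destination, so a valid signature cannot be reused with a different banner.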
We recommend upgrading to the most recent 5.1.0 version of Revive Adserver as soon as possible.
Download, install and upgrade
Once downloaded, please refer to the instructions for Installations of Revive Adserver or for Updating Revive Adserver. Make sure that the server(s) being used meet(s) the minimum technical requirements.
Special thanks to Roelof Dijkstra, the owner of Bannerflash.nl in The Netherlands, who helped us with this new release by providing several HTML5 banners. This enabled us to thoroughly test the modified click tracking functionality with this banner type.
The continued development of Revive Adserver is being sponsored by community members, either financially or in the form of code contributions. We’re very grateful for the support we’ve received. If you would like to contribute to our project, please consider becoming a patron on Patreon.com.
Another way to contribute to our project is by using the Revive Adserver Hosted edition.