- NET web.config connection string section (encrypted or not) may now be referenced to supply connection strings (see discussion of connection strings in the docs)
- Some additional protection against XML vulnerabilities when parsing manifests
- Reduce logging for invalid API resource identifiers
- Truncate launch history log value when it is longer than the MaxPersistableStringLength value rather than throwing an exception. This prevents a long history log value from causing registration runtime data to not be persisted.
- Fix determination of dispatch registration in cases where multiple registration instances exist, for example when new course versions cause registration restart. [Dispatch Engine only]
- Fixed .NET-only ActivityReport.aspx page
- Removed extra copy of BouncyCastle jars
- Fixed potential SQL injection vulnerability in xAPI code. We suspect it would have been difficult to exploit due to validating code before the vulnerable code, but have not proved it couldn't have been exploited.
- When clearing registration progress, configuration settings previously specified for the registration are no longer removed
- Fixed bug where calls to getLocalHost() in DbLockProvider would occasionally throw an exception (Java Engine)