[ZendTo] ANNOUNCE: 5.11-3 released

Jules Field Jules at Zend.To
Wed Aug 22 17:06:08 BST 2018


Hi folks!

I have just released a new build, version 5.11-3.

You can download it from the downloads page at
     https://zend.to/downloads.php

* For ZendTo itself, this is primarily a bug-fix release.
* However, I have also configured the yum and apt repositories so they 
are now fully signed, so if you are using the repos you should check 
https://zend.to/yum.php or https://zend.to/apt.php to find out how to update 
your repo settings.
* Oh, and the whole of https://zend.to website is now served over SSL. 
If you use "curl" to download packages from the site, remember to put 
"https" and not "http"!

I have also added a new "X-Frame-Options" setting so you can control how 
that HTTP header is used. By default I would advise leaving it set to 
"sameorigin", but if you embed ZendTo within an iframe on another 
website, you will need to change that.

For your own protection, I would also strongly advise an improvement to 
your Apache configuration. This will add the "SameSite" attribute to the 
cookie that ZendTo uses, which will help modern web browsers protect you 
from cross-site request forgery (CSRF) attacks.
To add this protection, find the Apache config file for the https 
version of your ZendTo site. This is the file where you will have put 
the location of your server SSL certificate. It's usually in
     /etc/httpd/conf.d/zendto-ssl.conf
or
     /etc/apache2/sites-enabled/001-zendto-ssl.conf
Edit that file. Right near the top, just below the "DocumentRoot" 
setting, add these 3 lines:
   <IfModule mod_headers.c>
     Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
   </IfModule>
then restart Apache (or just reboot your ZendTo server).

I have updated the Installer so that brand new installations get this 
feature added when the sites are created. Sadly PHP does not *yet* have 
built-in support for this cookie attribute; this is promised for PHP 7.3.
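As an added example (not code from ZendTo or from this announcement), here is a small Python check that mimics what the "Header edit" directive above does to a Set-Cookie header, and audits a captured response for the two hardening points described here: a SameSite attribute on every cookie and a restrictive X-Frame-Options value. The sample response and the cookie name are constructed and are not ZendTo's real headers.

```python
import re

# The Apache directive from the announcement, re-expressed as a substitution:
#   Header edit Set-Cookie ^(.*)$ $1;SameSite=Strict
# The pattern matches the whole value unconditionally, so the attribute is
# appended even to a cookie that already carries a SameSite attribute.
SAMESITE_PATTERN = re.compile(r"^(.*)$")
SAMESITE_REPLACEMENT = r"\1;SameSite=Strict"

# Constructed sample response as a PHP application might emit it before the
# Apache change. "example_session" is a made-up name, not ZendTo's cookie.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: example_session=abc123; path=/; secure; HttpOnly\r\n"
    "X-Frame-Options: sameorigin\r\n"
)


def apply_header_edit(raw_headers: str) -> str:
    """Apply the Set-Cookie edit to every Set-Cookie line, as mod_headers does."""
    out = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            line = name + ":" + SAMESITE_PATTERN.sub(SAMESITE_REPLACEMENT, value, count=1)
        out.append(line)
    return "\r\n".join(out) + "\r\n"


def audit_headers(raw_headers: str) -> dict:
    """Report whether framing is restricted and which cookies lack SameSite."""
    x_frame = None
    missing = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # status line or blank line, not a header
        name = name.strip().lower()
        if name == "x-frame-options":
            x_frame = value.strip().lower()
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            attrs = [p.lower() for p in parts[1:]]
            if not any(a.startswith("samesite=") for a in attrs):
                missing.append(parts[0].split("=", 1)[0])
    return {"x_frame_options_ok": x_frame in ("sameorigin", "deny"),
            "cookies_missing_samesite": missing}
```

Feed audit_headers() the raw header block from a real capture (for example, the output of a curl -I request against your own site) to confirm the Apache change took effect after the restart.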

Here is the full ChangeLog:

Version 5.11-3
- Fixed bugs with 'X-Frame-Options' setting, and allow it to be disabled.
- Fixed bug where localIPSubnets setting did not handle complete IP
   addresses correctly.
- Updated to latest cookieconsent library.
- Added "Header" rules to Apache configuration to add the "SameSite: strict"
   attribute. This will help modern browsers defend against CSRF attacks.
   This is only applied by the Installer on new installations. This will
   have no effect at all on existing installations.
   WARNING: This will cause problems if you embed the ZendTo website in an
   iframe. Don't worry, very few sites do and you will definitely know it if
   you do this.
- Removed long-dead 'useRealProgressBar' setting from preferences.php.

Version 5.11-2
- Added note to drop-off summary at the end of uploading files, to tell the
   user their files have been sent successfully.
- Added 'X-Frame-Options' setting in preferences.php for those who need to
   embed ZendTo in a frame or iframe on their website.
- The apt/yum repositories are now signed as are the new deb/rpm files
   in them. You will need to fetch the new zendto-repo.deb or
   zendto-repo.rpm files and install them first. See the downloads.php
   page for how to install the key if you are using Ubuntu/Debian.
   (Yum systems do it on their own)
- Added GPG support to the Installer (except for SuSE).
- Added GPG support to the Installer (including SuSE).
- Added SLES 15 support to the Installer.

Any problems or questions, please let me know straight away.

Cheers,
-- 

Jules
Jules at Zend.To