jdownloads logo bigWith version 4.1.6, we are releasing a security and stability update for jDownloads 4.1.

The focus is on removing legacy upload artefacts that are not part of the regular, secure backend upload workflow and were inadvertently included in a release package.

Important scope note: These legacy artefacts were only delivered in the 4.1 branch (from 4.1.0 onwards). Earlier 4.0.x installations are not affected.

What security-related changes have been implemented?

  • Removal of the affected legacy files from the package
  • Enhanced update clean-up: existing legacy files and any test_uploads directory are removed during installation or update
  • Additional hardening measures in the download and validation environment

Further improvements in 4.1.6

In addition to the security focus, 4.1.6 includes various stability and quality improvements, including in the following areas:

  • SEF/routing robustness
  • ‘Mark all’/checkbox behaviour
  • Monitoring and missing files workflows
  • Download delivery and edge case handling

Recommendation

Please update to 4.1.6 as soon as possible.

Additional recommendations

  • Check whether any old legacy artefacts are still present
  • Check directories and logs if unauthorised uploads are suspected
  • General hardening measures (backups, passwords, permissions policy)

Thank you for responsible disclosure

Many thanks to the community for responsibly and confidentially reporting security-related issues.

Download