+---------------------------------------------------------------------------+
| Revive Adserver                                                           |
| http://www.revive-adserver.com                                            |
|                                                                           |
| Copyright: See the COPYRIGHT.txt file.                                    |
| License: GPLv2 or later, see the LICENSE.txt file.                        |
+---------------------------------------------------------------------------+

Release Notes: Revive Adserver 5.1.0
====================================

These release notes cover what's new, system requirements, download and
installation instructions, known issues and frequently asked questions for
Revive Adserver. Please read these notes before reporting any bugs.


What's New in Revive Adserver 5.1.0
-----------------------------------

 * Release date: January 19th, 2021


 Security Updates
 ----------------

 * Fixed open redirect in the click tracking script, by deprecating the
   existing ck.php script and making it ignore the oadest parameter, so that
   it only redirects to the destination saved in the banner itself.
   At the same time, a new "signed" click tracking delivery script has been
   added (cl.php): it uses regular query string parameters and an HMAC SHA256
   signature to ensure the destination URL is not tampered with.

 * Fixed a persistent XSS vulnerability caused by missing HTML escaping
   when displaying the website URL in the affiliate-preview.php tag
   generation page.

 * Fixed a reflected XSS vulnerability in afr.php that could still be achieved
   on legacy browsers, bypassing a previous fix.
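
 The signed click tracking idea from the first item above, as an added
 example. This is not Revive Adserver's own code: the parameter names
 (bannerid, zoneid, dest, sig), the host names and the secret are assumptions
 made for illustration.

```php
<?php
// Added illustration only; names and values below are constructed.
const CLICK_SECRET = 'constructed-demo-secret'; // per-installation secret

// Canonical form of the parameters: signature excluded, keys sorted, so the
// signer and the verifier always hash exactly the same bytes.
function canonicalQuery(array $params): string
{
    unset($params['sig']);
    ksort($params);
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Build a click URL whose parameters are covered by an HMAC SHA256 signature.
function signClickUrl(string $base, array $params, string $secret): string
{
    $query = canonicalQuery($params);
    return $base . '?' . $query . '&sig=' . hash_hmac('sha256', $query, $secret);
}

// Return the destination only when the signature matches, otherwise null.
// The caller must not redirect anywhere on null.
function verifiedDestination(string $queryString, string $secret): ?string
{
    parse_str($queryString, $params);
    // Reject missing values and array-typed values such as sig[]=...
    if (!isset($params['sig'], $params['dest'])
        || !is_string($params['sig']) || !is_string($params['dest'])) {
        return null;
    }
    $expected = hash_hmac('sha256', canonicalQuery($params), $secret);
    // hash_equals() compares in constant time
    return hash_equals($expected, $params['sig']) ? $params['dest'] : null;
}

$url = signClickUrl(
    'https://ads.example.test/cl.php',
    ['bannerid' => 42, 'zoneid' => 7,
     'dest' => 'https://advertiser.example.test/landing?x=1'],
    CLICK_SECRET
);
$query = parse_url($url, PHP_URL_QUERY);
var_dump(verifiedDestination($query, CLICK_SECRET));    // link as issued

// Same link with the destination host swapped after signing
$altered = str_replace('advertiser.example.test', 'other.example.test', $query);
var_dump(verifiedDestination($altered, CLICK_SECRET));
```

 Because every parameter is part of the signed string, changing the banner
 or zone id invalidates the link in the same way as changing the destination.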


 New Features
 ------------

 * Redesigned the email sent to users when a password reset request is made.

 * Added agency status, which allows suspending or deactivating manager
   accounts, optionally showing custom messages during delivery for such
   accounts. No blank impressions will be logged in such cases.

 * Added optional custom messages during delivery when a non-existent zone is
   requested. No requests or blank impressions will be logged either.

 * Replaced Flash-based video player for video ads with HTML5 video tag.

 * Added new manager level permission to delete items.

 Bug Fixes
 ---------

 * Removed usage of the deprecated *et_magic_quotes_gpc() functions.

 * Optimised ad selection context build algorithm.

 * Improved compatibility of Asynchronous JS invocation with single page
   applications, by using the srcdoc attribute when possible.

 * Updated subdivisions for South Africa, following ISO-3166-2: the
   subdivision codes changed from ZA-GT to ZA-GP and from ZA-NL to ZA-KZN.

 * Added missing delivery script settings for async tags.

 * Removed the possibility to set individual permissions for users that are
   linked to an admin account, as such users always have all the permissions
   by design. Even though the UI was showing checkboxes, it has never
   actually been possible to disable them.


 Non-Backwards Compatible Changes
 --------------------------------

 * Delivery rules including the South African subdivisions Gauteng and
   KwaZulu-Natal will require manual adjustment.

 * Click tracking via ck.php is deprecated and the behaviour of some ad render
   internal functions (_adRenderBuildClickUrl, _adRenderBuildParams) has
   changed accordingly. The "{clickurlparams}" magic macro has been removed.

 * Removed 3rd Party click tracking plugin, as the system is not compatible
   with the new signed click tracking functionality.

 * Deprecated PHP execution inside banners by removing the setting from the
   admin UI. The (risky) functionality itself will still work if enabled
   in the configuration file, but will be removed in a future release.

 * Removed support for Flash banners and the fl.js delivery file that is now
   unnecessary.

 * Removed Flash-based graphs and supporting libraries in the video ads plugin
   reports.

 * The new manager permission is disabled by default, which means that non-admin
   managers won't be able to delete items, unless an admin grants them the
   permission.

 * The VAST output was still using the obsolete video/x-mp4 as content type,
   which has now been updated to video/mp4.


System Requirements
-------------------

Before installing, please make sure your server meets the system
requirements, which can be found at:

https://www.revive-adserver.com/support/requirements/


Downloading and Installing
--------------------------

 * Downloading Revive Adserver

   You can always find the latest version of Revive Adserver at:

   https://www.revive-adserver.com.

 * Installing Revive Adserver

   Installing Revive Adserver is a straightforward process. Follow the steps at:

   https://www.revive-adserver.com/support/installation/

 * Upgrading Revive Adserver

   Upgrading Revive Adserver is a straightforward process. Follow the steps at:

   https://www.revive-adserver.com/support/upgrading/

   Please note: The upgrade process will update your Revive Adserver database,
   and the database may no longer be compatible with your old installation.
   You *must* create a backup of your database before you upgrade, just in case.

   The upgrade wizard supports upgrading from:

   ---------------------------------------------------------------
   | Product                             | Version(s)            |
   ---------------------------------------------------------------
   | Revive Adserver 5.x                 | All previous versions |
   ---------------------------------------------------------------
   | Revive Adserver 4.x                 | All versions          |
   ---------------------------------------------------------------
   | Revive Adserver 3.x                 | All versions          |
   ---------------------------------------------------------------
   | OpenX 2.x                           | All versions          |
   ---------------------------------------------------------------
   | Openads 2.4                         | All versions          |
   ---------------------------------------------------------------
   | Openads 2.0 for MySQL               | 2.0.11-pr1            |
   |   (formerly phpAdsNew)              |                       |
   ---------------------------------------------------------------
   | Openads 2.3 alpha                   | 2.3.31-alpha-pr3      |
   |   (formerly Max Media Manager v0.3) |   (v0.3.31-alpha-pr3) |
   ---------------------------------------------------------------
   | Openads 2.3 beta                    | All versions          |
   ---------------------------------------------------------------
   | Max Media Manager v0.1              | v0.1.29-rc            |
   ---------------------------------------------------------------
   | Openads 2.0 for PostgreSQL          | 2.0.11-pr1            |
   |  (formerly phpPgAds)                |                       |
   ---------------------------------------------------------------

   If you are not running one of these versions, you will need to upgrade
   your existing installation before you will be able to upgrade to
   Revive Adserver.

 * Uninstalling Revive Adserver

   To uninstall Revive Adserver, delete the installed files and database tables.


Known Issues
------------

This list covers some of the known problems with Revive Adserver. Please read
this before reporting any new bugs.

 * The upgrade process may time out with very large databases. See
   https://www.revive-adserver.com/docs/faq for more information if you
   have a large database.

 * If you want to run Revive Adserver with MySQL, please note that MySQL 4.1 or
   higher is required. If you are using an older version of MySQL, you will
   need to update your database software before upgrading.

 * If you want to run Revive Adserver with PostgreSQL, please note that
   PostgreSQL 8.1 or higher is required. If you are using an older version of
   PostgreSQL, you will need to update your database software before
   upgrading.

 * Some of the PEAR libraries used are not compatible with database prefix
   names with double "_" characters (e.g. "rv__"). You should NOT install
   Revive Adserver with a prefix of this format.

 * Some users have reported issues of being logged out when viewing
   statistics. This can be worked around by ensuring that the timezone is
   correctly set in PHP.

 * See https://www.revive-adserver.com/support/bugs/ for the latest bug reports.


FAQ
---

 1. Can I upgrade from OpenX Source?

    Yes. OpenX Source has rebranded as Revive Adserver. You will be able to
    upgrade from any version of OpenX Source.

 2. Where can I get help?

    You can ask for help at the Revive Adserver community forums:
    https://forum.revive-adserver.com/

 3. What can I do to help?

    We need help from both developers and users to provide as much feedback
    as possible to make Revive Adserver even better. You can contribute
    feedback, bug reports, submit patches or help with documentation by
    visiting https://www.revive-adserver.com/.
