We have just released an important update for all IntelliJ-based IDEs. This update addresses critical security vulnerabilities inside the underlying IntelliJ Platform. The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.
While we have had no reports of any active attacks against these vulnerabilities, we strongly recommend that all users install the update as soon as possible.
Please read more on the issues and ways to update below.
Built-in web server vulnerabilities
The cross-site request forgery (CSRF) flaw in the IDE’s built-in web server allowed an attacker to access the local file system from a malicious web page without user consent.
Internal RPC vulnerabilities
Over-permissive CORS settings allowed attackers to use a malicious website in order to access various internal API endpoints, gain access to data saved by the IDE, and gather various meta-information like IDE version or open a project.
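As an added illustration of the two flaw classes described above (the CSRF-exposed built-in web server and the over-permissive CORS settings), the following Python example contrasts a reflect-any-Origin CORS policy with a stricter request gate for a loopback-only tool server. It is a generic defensive pattern written for this page, not JetBrains code and not the actual fix; the `X-Session-Token` header, the per-launch token and the sample requests are assumptions constructed for the example, and port 63342 is the one quoted in the comments on this page.

```python
"""Added illustration: gating requests to a loopback-only tool server.

Generic defensive pattern, not JetBrains code. The X-Session-Token header,
the per-launch token and all sample requests are constructed for this example.
"""
import hmac
import secrets
from urllib.parse import urlsplit

PORT = 63342                                # port quoted in the comments on this page
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
SESSION_TOKEN = secrets.token_urlsafe(32)   # hypothetical secret, regenerated per launch


def permissive_cors(headers):
    """Weak pattern: echo any Origin back, so every website may read responses."""
    origin = headers.get("Origin")
    if origin is None:
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def loopback_authority(value):
    """True if a 'host:port' value names this server on a loopback address."""
    try:
        parts = urlsplit("//" + value)
        return parts.hostname in LOOPBACK and parts.port == PORT
    except ValueError:                      # malformed port or IPv6 bracket syntax
        return False


def own_origin(origin):
    """True if an Origin header value is this server's own http origin."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return False
    return parts.scheme == "http" and loopback_authority(parts.netloc)


def gate(headers, sensitive=True):
    """Return (status, cors_headers) for one request's headers."""
    # 1. The Host header must name this server on loopback. A page reached
    #    through a rebound DNS name still sends the attacker's hostname here.
    if not loopback_authority(headers.get("Host", "")):
        return 403, {}
    # 2. If the browser supplied an Origin, it must be our own origin.
    #    The value is compared against an allowlist, never reflected blindly.
    origin = headers.get("Origin")
    if origin is not None and not own_origin(origin):
        return 403, {}
    # 3. Requests without Origin (navigations, <img> loads, CLI tools) cannot
    #    be told apart, so sensitive endpoints also require the launch secret.
    if sensitive:
        supplied = headers.get("X-Session-Token", "")
        if not hmac.compare_digest(supplied.encode(), SESSION_TOKEN.encode()):
            return 401, {}
    cors = {}
    if origin is not None:
        cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return 200, cors


# Constructed sample requests (header dictionaries only).
SAMPLES = {
    "ide_ui": {"Host": "localhost:63342",
               "Origin": "http://localhost:63342",
               "X-Session-Token": SESSION_TOKEN},
    "cross_site": {"Host": "localhost:63342",
                   "Origin": "https://attacker.example"},
    "rebinding": {"Host": "rebind.example:63342"},
    "no_origin_no_token": {"Host": "127.0.0.1:63342"},
}


def run_samples():
    """Status code the gate returns for each constructed request."""
    return {name: gate(headers)[0] for name, headers in SAMPLES.items()}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(f"{name:20} gate={gate(headers)} permissive={permissive_cors(headers)}")
```
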
Our huge thanks go to Jordan Milne for disclosing these issues and working closely with us, and to the Android Studio team from Google for perfect collaboration while working on the fixes.
What to do
To install the update, simply select ‘Check for Updates’ from inside the IDE or visit www.jetbrains.com to download the most recent version. If you are using a version prior to 2016.1.x, read below for download links.
For more details about the security update and in case of additional questions, refer to the FAQ below.
FAQ
Q: What products / versions are updated?
A: All JetBrains products built on IntelliJ Platform are affected. The table below shows the minimum versions for which an update is released. If you are using the listed version or a higher one, then you need to update.
| Product | Updates Available as of Version (build number) |
| --- | --- |
| AppCode | 2.1 (129.772) |
| CLion | 1.0 (141.353) |
| DataGrip | 1.0 (143.1410.7) |
| IntelliJ IDEA | 12.1 (129.161) |
| MPS | 3.0 (129.350) |
| PhpStorm | 6.0 (129.291) |
| PyCharm | 2.7 (125.57) |
| PyCharm Edu | 1.0 (139.280) |
| Rider | Private EAP builds prior to build 144.5342 |
| RubyMine | 5.4 (129.241) |
| WebStorm | 6.0 (127.68) |
Q: Are earlier versions affected?
A: We are not aware of similar vulnerabilities in older versions. The built-in web server was introduced in December 2012 (branch 129.x), and the internal RPC vulnerabilities described and fixed above did not exist in older versions. Still, the possibility of vulnerabilities in older versions exists, which is why we recommend upgrading your IDE if it was released more than 3 years ago.
Q: What products are NOT affected?
A: ReSharper, ReSharper C++, dotCover, dotMemory, dotTrace, dotPeek, TeamCity, YouTrack, Upsource and Hub are not affected and do not need this security update.
Q: I need a full download rather than a patch for an earlier version of the IDE. Where can I download it?
A: Check the previous versions page for your product below. All versions published there contain the security update or are not affected by these two specific vulnerabilities.
- AppCode
- CLion
- DataGrip — please get the latest version from product website
- IntelliJ IDEA
- MPS
- PhpStorm
- PyCharm
- PyCharm Edu — please get the latest version from product website
- Rider — you should receive an email with a fresh download link
- RubyMine
- WebStorm
Q: I’m unable to update to the latest version. Where can I get help?
A: Please contact us about the problems that prevent you from updating.
Q: I’m building an IDE on IntelliJ Platform. What should I do?
A: Make sure to merge the latest changes from the corresponding branch of intellij-community: the “129”, “131”, … “145” branches for the “129.*”, “131.*”, … “145.*” builds respectively, and “master” for the “146.*” or “162.*” builds. For details, questions or concerns, please contact security@jetbrains.com or the partner team at busdev@jetbrains.com.
Q: I’m using an IDE built on IntelliJ Platform but not from JetBrains. What should I do?
A: We have been in contact with our partners building on IntelliJ Platform. Updates for Android Studio 1.5.x and 2.x should be available already. Please contact the vendor of the IDE for an update. If you have other questions, please contact us.
Q: I’m developing a plugin for IDEs built on IntelliJ Platform. Does my plugin need an update?
A: No, plugins are not affected.
Q: I’d like to be notified about security vulnerabilities in future.
A: You can subscribe to the security bulletin at www.jetbrains.com/security/subscribe.
UPDATE: If you’re running on OS X and the IDE doesn’t start after installing the update, please refer to https://intellij-support.jetbrains.com/hc/en-us/articles/208516145 for workarounds.
JetBrains Team
The Drive to Develop
Was the bug exploitable when you didn’t start any server, e.g. when you only developed an Android/Desktop app?
The web server is active as soon as you start the IDE, so as such it is vulnerable. The updates will address this problem.
But what if I don’t want the IDE to start a webserver? How do I stop that?
I have to agree. Fixing a bug in the webserver is fine, but it seems like an unnecessary attack service for most development.
The Web Server is used for quite a bit of functionality for the IDE, independently of whether you’re doing web development or not. If we were to disable it, it would remove some of this functionality.
Right now our main focus has been to address these issues while doing our best to not break any functionality in the products.
Couldn’t that be served by a Unix socket? Obviously, I don’t know what the webserver is used for; but if all you needed was some form of IPC among locally running processes anyway, it seems there was never a need to expose it to the network.
When we discovered the vulnerabilities, our first and foremost objective was to fix them as soon as possible and release updates for all products, without having a major impact on functionality and the workflow of our customers.
The internal server is not exclusively used for web application development but also serves for other functionality such as the Internal Git SSH support, Http Authorization, Serving Documentation from JARs as well as providing a REST API endpoint. Simply disabling it would have caused a lot of functionality to cease. And a testament to this is that currently we are seeing some impact on existing workflows which we’re addressing.
Our next task will be to look at the viability of making the internal server opt-in and see how we could provide the same functionality via other means or at a minimum make customers aware of the loss of functionality.
What kind of functionalities would break if web server is removed?
I am maybe ok with losing functionality I don’t want or that I am not a user of if it means I am getting an IDE with no web server!
– Jennifer
Please see above
Actually, I don’t even know that a web server existing in service.
I will use Surface 3 as my development device sometime. It is not a great performance device. If I can turn off the web server, I think my device can run a bit faster.
I see that some of the functions in IDE require the web server but what if we do not use those functions? I will be thankful if you could tell us what kind of functions depends on the web server.
I also suggest your company add an option to the IDE, let user choose to turn on or off the web server.
Please see my response above.
I disagree
second that.. please provide steps to ban any web-server starting.
I agree.
+1. I have never used, and do not plan to use, the internal webserver. This simply does not make sense for my work. When I started reading this I thought to myself “well that’s fine, I’m not using this anyway”. Then I find out it is started by default. Not cool.
I believe the IDE is strongly tied to its webserver, like microsoft windows and their internet explorer. You are unable to remove IE from windows, because it would break the OS. I think this is the same case.
Please see my response here http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/#comment-254401
This a vulnerability that had no reason to exist. As requested above, please provide steps on how to remove the internal webserver or ban it from starting
+1: Yep – I don’t need it started. How do I stop it?
Please see http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/#comment-254401
My WebStorm 2016 on Mac became a brick
Rolling back…
No, can’t roll back – you don’t have a 2016 versions in Previous WebStorm Releases. Need to roll further on 11
Why a brick? What’s the issue?
We would really appreciate if you provide a bit more details about the problem. Can you please send us the content of your IDE log folder (menu Help – Show log) on https://youtrack.jetbrains.com/issues/WEB.
Thank you!
Seems like I have the same issue here. Right after the update, IDE just won’t start.
“PhpStorm quit unexpectedly”, the alert says. Just crashes on start. Here is the issue with logs https://youtrack.jetbrains.com/issue/WEB-21586
Thanks for reporting it. Sorry for the inconvenience.
See https://youtrack.jetbrains.com/issue/PY-19459#comment=27-1431836.
Mine did as well…after finally getting it to load I’m unable to zoom in. Seems like the patch was pushed a little too quickly without full testing
Same issue happened to me.
I can’t zoom in and out with pinch gesture.
This issue is irritating me.
It might be related to this issue
https://youtrack.jetbrains.com/issue/IDEA-145815
Trying to download OS X version, got this:
AccessDeniedAccess Denied
206A530861DFFBA2
ijfXc1Wn128We6HEdyPzWY1zgutm0lsNlJo3HZZPoJ2vUjmFYRn6+uWtiRkIT7PW52lvT8m/EVY=
Really sorry for the inconvenience. But please specify more details. What product and version is it? Thank you
Never mind, it is working now.
It was IntelliJ IDEA 15.0.6 for OS X.
Those look a lot like AWS keys. I think they shouldn’t be posted publicly… you may want to rotate your AWS keys if that’s what they are!
When trying to update an older version of Webstorm (10.0), I receive the following error:
Failed to download patch file:
Cannot download ‘http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar’: Server returned HTTP response code: 403 for URL: http://download-cf.jetbrains.com/webstorm/WS-141.1550-141.3058-patch-win.jar
, response: 403 Forbidden
Thanks for report! We’re investigating. Will let you know. In the meanwhile, you can make a fresh install – here you can find a link: https://confluence.jetbrains.com/display/WI/Previous+WebStorm+Releases
Sorry about that. Pinged the team. They’re looking into it.
Oh, actually already found the issue and re-uploaded the patch update. Please try in an hour or so. Sorry for the inconvenience.
Still it doesn’t work :/
If I’m using the PHPStorm 2016.1.1 EAP, is that sufficient?
Yes, you need to update from 145.969 to 145.970 (from EAP to 2016.1.1).
Can you please document what exactly has been changed? What does IntelliJ now expect requests to include in order to be allowed?
I was relying on this server in my development environment. I had it integrated with a reverse proxy. That is all completely broken and I can’t fix it because there is zero useful information that I can find.
When trying to install the patch (11.0.4) for Webstorm 11.0.3 on Windows 10, Windows Defender removes some of the files due to containing a virus:
C:\Users\user\AppData\Local\Temp\idea.updater.files.tmp.0\temp.tmp.2
Do you have the latest version of Windows Defender? There’s been a known issue, but we’ve fixed that some time ago: https://youtrack.jetbrains.com/issue/IDEA-144421
Alternatively, you can make a fresh install of WebStorm 11, here you can find a download link: https://confluence.jetbrains.com/display/WI/Previous+WebStorm+Releases
Really sorry for the inconvenience.
PhpStorm constantly crashing on opening @ Mac OS X 10.10.5
Rolled it back to 2016.1, thank Odin I have a copy
Same with Intellij IDEA on mac os x 10.10.5. I opened a ticket – https://youtrack.jetbrains.com/issue/IDEA-155856
Thanks for reporting it. Sorry for the inconvenience.
same with cLion, very bad patch jetbrains
What about Project Rider? I checked for updates and it said I had the most up to date version
If your current version is 144.5342 or higher you are up-to-date.
Ok, Thank you
Sorry guys, you have so many bugs in your recent updates, I’d like to wait before install the most recent one.
Sorry to hear that. Could you point us to some of the issues you’re encountering to see why they’re not being addressed?
Sure, I am going to report two usability bugs tomorrow on the bug tracker. However, there are bugs I reported before and they do not seem to be fixed in the nearest future. Anyway, this is your product guys, it is up to you if you want to ruin it completely. I am thinking to change my IDE to something more predictable. Seriously, the quality of your products now is low as never before.
Andrei
I’d very much appreciate if you could send me links (hadi@jetbrains.com – or paste them here) of your issues, both the new ones you’re going to log as well as existing ones. I’ll follow-up with each of them.
Thanks.
Here you go:
https://youtrack.jetbrains.com/issue/WI-31257
https://youtrack.jetbrains.com/issue/IDEA-152049
https://youtrack.jetbrains.com/issue/IDEA-153876
Am getting a “java.io.IOException: Couldn’t create PTY” when trying to open a git terminal in PHPStorm. Used to work before the update
This most likely isn’t related to this fix. Is it possible to log a bug?
Well it was working fine this morning and not working anymore after I applied the patch.
Hi Alex, could you please file a bug to https://youtrack.jetbrains.com/issues/IDEA
Please attach your logs there.
Fixed it – I had to update the settings/tools/Terminal to use quotes like: “C:\Program Files\Git\bin\sh.exe” -login -i
Before it was setup without quotes but that stopped working after the update.
Thanks for the help
Thank you for the update.
Thanks, Alex!
Same problem hit me – You helped
Thanks, Alex!
Thanks, I had this problem too!
Same problem here, on intellij IDEA on windows.
I had to replace : cmd.exe /K cd work
with : “C:\Windows\System32\cmd.exe” /K cd work
Thanks
Thanks Alex ! That helped
Thanks Alex,
Had the same
I second that! Thanks Alex!
Awesome, thanks! This is also the fix if anyone is using powershell as terminal. update the settings/tools/Terminal to use quotes like: “powershell.exe” -Executionpolicy Unrestricted
IT is a miracle business, everything magically stops working without having done something. 😀
BTW: I had the same problem. “Quotes” saved my day! Thanks Alex!
It was definitely related to this fix.
Had the same problem, but Alex’s solution worked! Not cool, Jetbrains 😛
Yes, it IS related to this fix. Had the same issue.
I am using CMDER and it still doesn’t work using single or double quotes
cmd.exe /K “%CMDER_ROOT%\vendor\init.bat”
Again was working just before I updated, now its the same error.
Strangely, if I just load a plain command line, then run this command line inside it then it works…
Enclosing cmd.exe in double quotes helped me too:
“cmd.exe” /K set MAVEN_BATCH_PAUSE=off
Thank you, Alex!
Faced the same issue. Quotes saved the day.
I tried installing it a couple of times but did not work, kept showing that the release was till 2016.1.1 and I need to update again.
I am using Ubuntu 15.10
Same for me, running Ubuntu 16.04.
Same on Mint 17.3
Mostafa, what product are you trying to update?
It happens with idea community 2016.1.1 and pycharm 2016.1.2 for me.
Same for me running Ubuntu 16.04, trying update Clion (2016.1.1) and Android Studio (2.1.0)
Same for me on OSX El Capitan. Trying to update IntelliJ CE 2016.1.1, it downloaded the updates, but fails to apply them. After a restart, the version is still the same and it keeps asking me to update (but did not reattempt the download, so I assume that went OK).
There’s a couple of known issues with our updater on Linux and Mac:
Linux – https://youtrack.jetbrains.com/issue/IDEA-155904
Mac – https://youtrack.jetbrains.com/issue/IDEA-156936
Sorry for the inconvenience.
Here, I’ve got another problem. Now, when I run my project (in chromium) Webstorm asks for each of my resources (webp, webm, png) to “copy authorization URL to clipboard” for validation. My projects contain dozens of resources, that’s not possible to validate each of these one by one.
Are these files under the project directory?
I have this problem too,these files not under the project directory, these files are external resources ,their path begin with http:// .
Yes they are. These are dart projects, served by pub.
Sébastien,
Unfortunately we failed to reproduce the issue on our end. Can you please provide details about your project structure (paths to pubspec, main HTML file that you start, resources), full output of Pub Serve tool window, OS, SDK version. Sample project to reproduce would be great. I suggest to file a bug with these details in https://youtrack.jetbrains.com/issues/Web (Dart subsystem).
Thank you!
Hello, I rolled back to the previous install on my system, but ok. I reapply now the security update and make a small sample project. When it’s ready, I’ll send you in your tracking system. Thanks for caring.
Problem reported by my colleague :
WEB-21598 Request without authorization
Thx again.
Thank you, reproduced. Will answer in https://youtrack.jetbrains.com/issue/WEB-21598.
I’m also seeing this. The requested files are under the project directory. I do, though, map a “remote” URL (http://localhost:63342/…) to my JavaScript (and TypeScript) src dir. I’m debugging with a Javascript Debug config.
When I try to apply the update on Linux (debian jessie/Gnome3) I get DataGrip restarting, but it just says there’s an update again each time it starts back up. Is this a known issue?
Seems the datagrip patch is 403:
[ 18865] ERROR – plication.impl.ApplicationImpl – Connection failed with HTTP code 403
com.intellij.util.io.HttpRequests$HttpStatusException: Connection failed with HTTP code 403. Status=403, Url=https://download.jetbrains.com/datagrip/DB-145.862-145.863-patch-unix.jar
PyCharm and WebStorm both updated fine on the same machine.
Thanks, we’ve fixed the issue, please update.
Hello!
It is a known issue, we hope to fix it in several hours.
Thanks!
I have a question about patching older releases, we are on 14.1.x currently.
Above in the blog post, it says that, “The vulnerabilities, in various forms, are also present in older versions of the IDEs; therefore, patches for those are also available.” Later it says regarding older versions to, “Check the previous versions page for your product below. All updates published after May 10th contain the security update. ”
After downloading IntelliJ 14.1.7 from the previous IntelliJ releases page, it shows a build date of April 29th, 2016. This seems to indicate that it does not have the fix.
https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases
1. Is there a fix for 14.1.x?
2. Can the older releases that are patched with the fix be listed by version number in the blog post, or somewhere else?
3. Are IntelliJ licenses entitled to free updates and upgrades until a particular date eligible for bugfixes with the security fix (so long as they remain on the same major.minor release)?
Philip, yes 14.1.7 contains the fix. We built it earlier and it was being tested internally.
We’ve actually published it today so, it is later than May 10. But I see the confusion, will see how the text can be improved.
Thank you!
So, all answers:
1. Yes, there is
2. All versions of IntelliJ IDEA starting from 12.1.x that are published on https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases include the fix.
3. These updates are free, so whatever version is available to you can be updated using a corresponding bugfix update, considering it is 12.1 or newer.
Eugene,
Thanks so much for the clarification and for fixing the older releases.
I tested with 14.1.7 and can confirm the issue appears fixed (at least with the webserver serving up files in the project directory).
Is there a CVE?
Unfortunately not yet. We’re in the process of receiving one.
Is the community version also affected?
Yes, it is. The updates for Community editions are available as well
WebStorm 2016 1.2 (the one with the security fix) crashes for me on MacOS after updating (tried applying the patch and doing a fresh install using the distribution file from the website). In the old version, no WebStorm 2016 can be found. What am I supposed to do? Is rolling back to Webstorm 11 the only option?
Please see this for workaround https://intellij-support.jetbrains.com/hc/en-us/articles/208516145
I updated to PHPStorm 10 and it didn’t apply half of my exported settings that I imported from v8, and now that JetBrains releases a new *MAJOR* version every 3 months, I don’t want to have to reinstall that often, I’d prefer to just get updates.
The Major updates need to slow down to allow security patches like this to happen more easily rather than making us reinstall the entire program and risk losing a lot of configuration often.
Dave, I’m sorry to hear you have problems with updates and lost the settings. This of course should not happen.
I just want to share that our plan is exactly to move to smaller, incremental updates rather than big “major” ones. This is what we’ve started with moving away from so called major versions 8->9->10 to a year-based versioning.
And yes, we should improve our patch installation routines. This is a major task for the team.
Thank you very much for the feedback.
Nice update, lose all settings, all configuration in all projects and all the local history. Epic win guys, epic win… This + lots of troubles recently (many crashes), I’m tired of this… where is the time when everything just work properly ? One year ago ?
You are going too fast, you’re losing it
You shouldn’t have lost anything. Could you maybe provide us with some more information of your settings?
We shouldn’t, but that’s what happened. Our entire team lost all the mentioned configurations. This is ridiculous and unacceptable
It is completely unacceptable, I agree.
Can you please provide me with more details of the product you updating, from which version, and what files went missing? You can reach me on hadi@jetbrains.com or if you prefer to log the issue and send me the ID.
(quote)
The cross-site request forgery (CSRF) flaw in the IDE’s built-in webserver allowed an attacker to access local file system from a malicious web page without user consent.
(end_of_quote)
It would mean that I need to display a malicious website from within the IDE?
If I never display web content inside the IDE I am safe?
Am I getting this right?
Oliver, no not from within the IDE. A page can be open in the browser.
I don’t think so. If you have IntelliJ or WebStorm running there is a webserver running on port 63342. The files here can be accessed from any website through any browser you’re using. I think this is the problem (there are not many details known).
Okay. So for me it is: while having the IDE open do not browse on any other websites than the ones of your own projects.
Thanks for clarification.
The hot-fix-updates seem to be a little too hot for me reading all the problems mentioned here. So I prefer to not install these until they themselves get fixed.
The above will do it for me until then.
I still don’t get it how exactly the security issue can be used / avoided. As I see it there are two bugs mentioned that have been fixed. For both you need to open a malicious website in any browser and have webstorm started? Then the webpage gains access to the webstorm ports so it can possibly control webstorm? Is that correct?
The malicious website could access any file that webstorm has open or can open? So basically any local file? The website could also control some functions of the IDE and read metadata about the IDE? Is that correct as well?
JetBrains – I like your company a lot and I’m very impressed with your products, but you really should up your QA and delivery processes.
Your releases are often at Beta level, and I don’t think that I even once updated a product without seeing some sort of regression in a common functionality.
Honestly, unless there is a specific feature I really really need – I am reluctant to upgrade for fear of what would be broken. The moment I saw your email about this security issue – I thought to myself – “ok, mental reminder to update my JetBrains products in 3-4 weeks when their patch reaches production level”. In other words: I am more afraid of upgrading than I am of an attack, even with this issue now being out in the open…
Guys – keep up the good work and just slow down. Give bug fixing a higher priority. Educate your developers to test everything they do before they deliver to QA. Keep up the open communication with the community but don’t treat the community as a group of beta-testers…
Thank you for the feedback. We’re listening and we’ll do our best to improve.
What kinds of testing are done in the now? Black box testing? White box testing? Unit testing? Usability testing? Integration testing? Hands on testing? Automatic script testing?
Will web testing now be done of the web server?
– Jennifer
We do Unit Testing, Integration Testing, Hands-On Testing and some of this also includes automatic scripting. And we try this with as many VMs and OSes as we can, but obviously not enough.
In terms of White box/Black box, both but it very much depends on the context of the code too.
What’s going on?! I get an email with some important security update, and after updating it WebStorm won’t start! It became a brick! I already tried uninstalling and nothing. I got a deadline that I need to meet!!!
We’re very sorry Arthur. Please download the whole installer from either http://www.jetbrains.com or the previous version page depending on your WebStorm version
Please try this for workaround https://intellij-support.jetbrains.com/hc/en-us/articles/208516145
For the records, at least with PyCharm the «Download» button in the «Platform and Plugin Updates» dialog will take you to the site downloads page, where only the latest version is directly available. Those like me who have an old license will find the version that is actually mentioned in the dialog (5.0.5 in my case) behind the «Previous versions» link, in the opened page. Or simply go here: https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases
Thank you Pablo. This is our mistake, we’ll get it fixed
Im getting
hi I’m seeing the ‘PHPStorm quit unexpectedly’ error. Here is the first bit of the debug details:
Process: phpstorm [894]
Path: /Applications/PhpStorm.app/Contents/MacOS/phpstorm
Identifier: com.jetbrains.PhpStorm
Version: 2016.1.1 (PS-145.970.40)
Code Type: X86-64 (Native)
Parent Process: ??? [1]
Responsible: phpstorm [894]
User ID: XXXXXX
Date/Time: 2016-05-11 17:12:29.114 +0100
OS Version: Mac OS X 10.10.4 (14E46)
Report Version: 11
Anonymous UUID: XXXXX
Time Awake Since Boot: 550 seconds
Crashed Thread: 0 AppKit Thread Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGABRT)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000030353230
VM Regions Near 0x30353230:
–>
__TEXT 0000000100af3000-0000000100afc000 [ 36K] r-x/rwx SM=COW /Applications/PhpStorm.app/Contents/MacOS/phpstorm
Application Specific Information:
abort() called
Thread 0 Crashed:: AppKit Thread Dispatch queue: com.apple.main-thread
Please try this for workaround https://intellij-support.jetbrains.com/hc/en-us/articles/208516145
I receive essentially the same crashlog with Webstorm. This after downloading a fresh installer, and already having javac 1.6.0_65. My OS Version is 10.10.5, and upgrade to El Capitan is against my company’s IT policy at the moment. This has left WebStorm bricked. Good thing I’ve got NeoVim.
OK, I take this back. It wasn’t clear that the Java needed is the old “Java for OS X 2015-001” – see https://support.apple.com/kb/DL1572?locale=en_US
After installing this additional Java, WebStorm now starts.
The Apple page states: “This package is exclusively intended for support of legacy software and installs the same deprecated version of Java 6 included in the 2014-001 and 2013-005 releases.”
JetBrains: this seems like an embarrassing and dangerous dependency. Hopefully you’ll be able to move away from it soon.
Thanks for the fast workaround info.
Does this old Java version to which you are referring have any known security flaws?
Why does the IDE need to use archaic Java and not new Java?
– Jennifer
Sorry about this issue, it’s not a real fix, just a temporary workaround. You can follow https://youtrack.jetbrains.com/issue/IDEA-155856 for the updates
So how do I get inline documentation to work again?
I press Ctrl+Q and now get “Fetching documentation…” in the doc window and the new prompt:
Page ‘http://localhost:63342/P…letRequestAttributes.html’ requested without authorization,
you can copy URL and open it in browser to trust it.
I follow those instructions and try again, but just get the prompt again.
James, please follow https://youtrack.jetbrains.com/issue/IDEA-155871 for updates
What happened to the font in PhpStorm on Linux? It looks slightly different (bold and GUI font). Does it happen only on my machine?
I got the same issue.
Can you show us a screenshot so we can see what it looks like?
– Jennifer
Me too. Cannot fix it.
I’m seeing the same, not sure if it’s broken now or fixed from the last release (which I remember also looked quite different). The editor font looks a little more crisp, but project view and tabs etc are far bolder than they used to be. The blue text colour everywhere for modified files is also quite intense when you have a lot of changes, but could get used to it.
I got the same issue too, under Ubuntu Linux. Bold fonts appear significantly bolder than in 2016.1. I tried the newest bundled JDK (from here https://youtrack.jetbrains.com/issue/IDEA-57233#comment=27-1432397) but it was the same. But when I copied the jre folder from the 2016.1 version over to the new version, the fonts DID return to their previous appearance. Nevertheless, after a day, I got somehow used to the new fonts.. will probably give them a try and see…
The upgrade went fine on my Windows 7 from 2016.1 to IntelliJ IDEA 2016.1.2
Build #IU-145.971, built on April 29, 2016
Keep up the good work guys
Thanks Gunnar!
Roy, you say: “If you have IntelliJ or WebStorm running there is a webserver running on port 63342”.
My question is, what happens if we use a firewall to block that port. What functionality of IntelliJ would be affected and how?
Tom, if you block the above port the IDE will pick another one.
You are welcome to contact our support team for more clarifications.
Hi just to confirm, is the security issue only present when the IDE is running or is it also an issue when it’s closed down?
Only when it is running
Rider says I have the latest update. See screenshot: http://pasteboard.co/QBlaAKt.png
However, the answer Eugene Toporov says in this post suggests that there are later release made: http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/#comment-254173
Hello Jörgen,
Did you receive an email on around April, 25 with the links to download build 144.5342? At this point it is the latest one.
I searched my emails and found it and have now downloaded the latest. I still think it’s weird though that the app says I have the latest version when I obviously haven’t.
Jörgen,
Sorry for the confusion, but Rider is still in the early stage of development, thus not all the features are available.
I have IDEA 12.1.6. While installing security update 12.1.8, it asks whether I would like to uninstall IDEA 12.1.6 because it is an older version.
I thought I was downloading a patch. Should I uninstall 12.1.6 in order to install this security update version 12.1.8?
Did you do the ‘Check for updates’ from the IDE? Which option did you then select?
We provided update via patch only for IDEA 12.1.7. So in order to update to 12.1.8 from 12.1.6 you indeed need to install 12.1.8 from scratch. You may uninstall 12.1.6 later, after checking that 12.1.8 works properly for you.
Did as instructed. Works. Thank you.
Trying to download OS X version for PyCharm 3.0.3 Professional, got this:
AccessDeniedAccess Denied
CF916CB08E37491C
IXcVJNkD6V+exkms+Ersjg9BBlumwXqPbm6856MEloG/j67Pnn3lbYmSAP8zO4cLbmX6pYPbhSI=
Sorry about it, we’re checking it now.
Please try it again.
Downloaded ideaIU-12.1.8.dmg as I only have a valid license for 12. Did the update but when I start IntelliJ now I get the famous Gatekeeper message: “IntelliJ IDEA 12” can’t be opened because it is from an unidentified developer. Why and do I have to worry?
Philip, version 12 is not signed, it is true. We have introduced signing later. So, if you downloaded it using a link from our pages you do not need to worry.
To be absolutely sure you can also check that sha256sum of ideaIU-12.1.8.dmg is equal to the value from https://download.jetbrains.com/idea/ideaIU-12.1.8.dmg.sha256.
Thanks Eugene & Nikolay! I chose to verify the checksum which was all good!
Can you post a list of all checksums so we can be sure that the checksums here and the checksums from the download.jetbrains.com and the checksums of the files we get are all the same matching?
– Jennifer
Oh hell not again.
We won’t get just this patch, we’ll get a bunch of new bugs and changes to the way things used to work. I cannot take the time to gamble.
I strongly urge the team to focus on a stable release that lasts forever.
After six years of paying, that’s enough. I had what I needed long ago.
Ever since it has been a nightmare cycle for your sake, not mine.
Which version of which product do you use? The updates for IDEA 15.0.5 and IDEA 2016.1.1 indeed include many other changes, but the patches for older versions (14.1.6, 14.0.4, 13.1.6, 13.0.4, 12.1.7) consist mainly of changes related to security fixes, so they shouldn’t introduce new bugs or change behavior of the IDE.
What ports are used? Is there somewhere documented what is provided by the server?
Why th fk is it downloading the full IntelliJ IDE and not just the patch?
Sorry about it. We’ve provided as many patches as we could but were unable to create them for some. Which version are you trying to update?
Can you post list of products and versions that have patch and products and versions that do not have patch but have full download?
– Jennifer
Why the hell is IntelliJ running a web server in the first place?? Did I ASK you to fire-up a random web server on my dev box??
And the absolute LAST thing I’m going to do is download your so-called “patch”. During the past year JetBrains has demonstrated it’s so incompetent at writing software, I’m never buying a new version from you again!
I updated IntelliJ Ultimate today. It now doesn’t load a ton of plugins (Java EE, Spring MVC, and the list goes on and on). So my projects won’t load properly. This basically bricked my projects.
That shouldn’t be happening. Can you give us more details on your exact version?
Was this security problem caused in any way by the switch to subscriptions?
http://blog.jetbrains.com/blog/2015/09/03/introducing-jetbrains-toolbox/
http://blog.jetbrains.com/blog/2015/09/18/final-update-on-the-jetbrains-toolbox-announcement/
I am confused why an IDE would have an internal web server?
Like CLion which maybe I am wrong but I do not think it is used for web developments.
Why would it have an internal web server with bugs?
Your clarifications are so very desired!
– Jennifer
Jennifer,
No. This is completely unrelated to switch to subscriptions or JetBrains Toolbox. This web server functionality has been there for quite a number of years and this is why we’re providing back-ports of up to 3 years.
As mentioned previously, we use the internal web server for different functionality such as documentation
Here’s a faster and more reliable solution that works 100% of the time on OSX:
1) Download Little Snitch
2) Block ALL inbound and ALL outbound access for JetBrains products (except the sites you WANT to access)
…And seriously JetBrains, FOUR open ports and THREE outbound connections, including something that looks an awful lot like realtime behavior tracking?
I am SO rotating my passwords and SSH keys!
Hi Carl,
We don’t have any type of realtime behaviour tracking. The only usage statistics we collect, which is opt-in and configurable via Preferences, is sent to us with your consent (and always anonymously), and is not realtime.
Is there any risk to my source code? If I used a vulnerable IDE and accidentally visited a page that uses this attack without my knowledge, is there a chance it would update my source code? Does the web server bug give write access to my files in the IDE? Could a malicious web page put malicious code in my source code without me knowing of it? Should I audit all of my source code to make sure it was not modified?
Much thank you!
– Jennifer
Hi,
I run version 10.0.2, our company license was valid until November 2015. You write me, I have to update, even older versions, so I downloaded and started the update, but I can’t unlock it, neither the key works nor the login with credentials. Both tell me it’s expired.
I don’t understand, why you make such a big thing out of this update, when you then don’t allow me to run the program (I am not starting a 30-days-try-out-time now and I am pretty sure, that the company won’t pay again at the moment…).
Is this just “marketing” or how can I get it to work?
Cheers,
Torsten
… and now I am pretty much confused. I stopped PhpStorm, and started the old version (as I was not able to put in the key for the new one). Now I see, that the name is now “PhpStorm 10.0.4”! I checked: it is really code inside the old folder that is running, I see that the old config files are updated. The program still runs if I rename the folder of the new download and the new created settings (so not a mix between old and new config and installation). Now I also checked inside the old folder, the application and some subfolders are updated (at least they have a datestamp from today).
So basically you give a new version to download, that can’t be installed, but patches secretly the old version in the background?
Ok – I am thankful, that I can get a free patch and security update, but why can’t it be communicated that way? At least you should tell, that you instead of installing a new version in a new folder you (also) update and overwrite old code and not just do that in the background.
An extremely odd experience. I hope it did not crush anything in that confusing “setup” and the title is showing a successful patch and not just a half way overwritten config file.
Cheers,
Torsten
Torsten
Not sure I understand what exactly has happened, but you should have received any update free if they were within the versions we provided support for. It should have also applied to the version you had installed.
In any case we apologise for the issues. Is it all sorted now or can we help in any way?
Please add an option to disable the internal webserver, with documentation explaining what impact this exactly has.
I pay annually for this product and I expect nothing less. If this is an unreasonable request I’ll take my business elsewhere.
Please see http://blog.jetbrains.com/blog/2016/05/11/security-update-for-intellij-based-ides-v2016-1-and-older-versions/#comment-254401
Updated PyCharm with this update and now it’s telling me I’m unlicensed
Not good. Gotta dig through old emails to hopefully find my license code.
To anyone who has ssl handshake_refused errors after this update, try downloading java8 from the java website.
I was previously using java6 mac, svn worked on commandline but not phpstorm.
Hey.. uh… the links on the download page (https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases) that PyCharm sent me to when I used “Check for Updates” are pointing to a plain HTTP URL and there are no hashes posted or gpg signatures.
But if I tweak the download URLs to be https instead of http, I can still download. Please just update the URL schemes… not exactly awesome to post a security update in a way that can be MITMed.
Just would like to leave a positive comment here, in appreciation of what the JetBrains team appears to have done right on this.
– Jumping ahead, I have the new PHPStorm EAP 145.970 installed — and it says it was built on 3 May. This indicates, I believe, that the team did indeed do substantial testing before releasing the new software. Remember also that they did not do it on Monday, either.
– Does it work? It appears to work fine. All my history is present, settings and so forth, even the certificate signon for a vagrant ubuntu vm just installed. PhpStorm opened on my last work, just as it had before taking the upgrade.
– On what platform am I reporting this? Windows 10, all latest upgrades Tuesday and today.
– What precautions were taken? After reading above, I copied .idea folders from each project that had them, and I copied the various .WebIde* and .WebStorm* folders from my Users folder on W10. None of these appear to be altered, which is as it should be, before I have changed anything in the projects with the new release. Webstorm* exists because I ran the EAP for it until the improved JavaScript debugging made it into the PhpStorm EAP.
– would also like to compliment the team on the eager reply and early solutions they are providing for the cases where things haven’t gone perfectly. I think it’s expected to find some of that when you make substantial changes to a complex architecture — especially when it involves security permissions. But other things about build environments can slip through also, as we should all know.
A big thank you to JetBrains for taking on and executing this challenge. I had thought something big was in the works, as the always appreciated developing upgrades had gone silent for a little while.
Kind regards,
Clive
Thank you Clive.
Hi Eugene, We have shipped a product based on version 12.1.7. Does the patched version 12.1.8 contain changes other than the security fix that would require additional testing?
Thanks
Hi Tom,
It only contains security fixes.
I’m running PyCharm 5.0.3, Pro edition (for Django and Flask support) on Windows 7 Pro 64bit. My subscription expired Jan 30, 2016. I can’t afford to renew right now. Is the best I can do to keep running 5.0.3? Should I run PyCharm-professional-5.0.5.exe from https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases ?
Apologize for asking for help with old versions. I don’t begrudge you guys the fees, it was totally worth it. I just wonder if this security update is possible for me. The about screen says I have perpetual fallback license for this version (5.0.3) but not sure what that means. Thanks!
Hi Bob,
You had an old-style licensing subscription, which implies you have a perpetual license for any major PyCharm Professional Edition versions (releases) within your subscription period. Given the fact your subscription expired on Jan 30, 2016, you have a perpetual license for PyCharm 5 AND for all bug update versions of PyCharm 5 regardless of their release dates. Effectively that means you can upgrade to PyCharm 5.0.5 for free.
We strongly encourage you to update to PyCharm 5.0.5 as it contains very important security bug fixes. In your case, please download the full installation distribution from https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases and run the installer. It will suggest that you remove the previous installation, keeping all your settings.
I hope my answer helps.
Thanks very much, Dmitry, for the multiple clarifications! All set running 5.0.5 on laptop and desktop.
+1 same situation here
I hope you managed to upgrade successfully.
Can we disable the anti-CSRF authorization of built-in server?
Thanks
Unfortunately it is currently not possible.
Pre-update:
http://localhost:63342/********/index.html#/login
Post-update:
http://localhost:63342/*******/index.html?_ijt=o7vnqa59dvtjo34204as5bdssp#/login
+
Page ‘http://localhost:63342/in…/login’ requested without authorisation,
you can copy URL and open it in browser to trust it.
Why is this happening and what’s the fix?? Pages are not loading properly since the update
App: Webstorm 2016 on Mac OSX
Edit:
App: Webstorm 2016.1.2
Are any fixes found, or any option to get rid of it? It breaks the protractor test from running.
Thanks
This _ijt= is also breaking our dev/test flows. We load resources from a Chrome extension and can’t pass that parameter there conveniently. Need a way to disable this!
I want disable the authorization of the built-in server, how can I do that?
Currently this is not possible.
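An added illustration, not JetBrains' code and not part of any comment above: a minimal sketch of how a localhost server can require an unguessable per-session token in the URL, the pattern the `_ijt=` parameter in the post-update URL points to, and then trust follow-up requests for the page's own files through a cookie. The cookie name, class name, method names and the 403 status are hypothetical, and the IDE's real rules may differ.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit, urlunsplit

TOKEN_PARAM = "_ijt"           # parameter name as it appears in the URLs on this page
COOKIE_NAME = "example_trust"  # hypothetical cookie name (assumption)


def _same(a, b):
    """Constant-time comparison that also tolerates non-ASCII input."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


class TokenGate:
    """Authorizes requests to a local server by URL token or trust cookie."""

    def __init__(self):
        # Fresh random secrets per server start; a web page on another
        # origin has no way to read or predict them.
        self.url_token = secrets.token_urlsafe(20)
        self.cookie_token = secrets.token_urlsafe(20)

    def signed_url(self, url):
        """Return url with the token added to the query, before any #fragment."""
        parts = urlsplit(url)
        pair = f"{TOKEN_PARAM}={self.url_token}"
        query = f"{parts.query}&{pair}" if parts.query else pair
        return urlunsplit(parts._replace(query=query))

    def check(self, request_target, headers):
        """Return (status, response_headers) for one incoming request."""
        # 1. A request that already carries the trust cookie is accepted.
        jar = SimpleCookie()
        jar.load(headers.get("Cookie", ""))
        if COOKIE_NAME in jar and _same(jar[COOKIE_NAME].value, self.cookie_token):
            return 200, {}

        # 2. A request whose URL carries the right token is accepted and
        #    receives the cookie, so the page's scripts and images load too.
        supplied = parse_qs(urlsplit(request_target).query).get(TOKEN_PARAM, [""])[0]
        if supplied and _same(supplied, self.url_token):
            out = SimpleCookie()
            out[COOKIE_NAME] = self.cookie_token
            out[COOKIE_NAME]["path"] = "/"
            out[COOKIE_NAME]["httponly"] = True
            # SameSite=Strict: the browser does not attach the cookie to
            # requests started by other sites, so they stay unauthorized.
            out[COOKIE_NAME]["samesite"] = "Strict"
            return 200, {"Set-Cookie": out[COOKIE_NAME].OutputString()}

        # 3. Anything else is refused: this is the "requested without
        #    authorization" case.
        return 403, {}


if __name__ == "__main__":
    gate = TokenGate()
    # Constructed sample URL, modelled on the shape quoted in the thread.
    print(gate.signed_url("http://localhost:63342/app/index.html#/login"))
    print(gate.check("/app/abc.js", {}))
```

A client that cannot carry either the token or the cookie falls into the refused branch of this sketch.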
I went back to Webstorm 2016.1.1 and wait for a configure to disable or white list to achieve anti-CSRF flaw.
I was using a reverse proxy with the built-in server, but now it’s too difficult to configure the proxy rule. Of course, I have tried appending the authorized cookie to every request session, but not all files succeed.
Can I temporarily disable the configuration by changing some file content (like source code)?
Hi,
I have WebStorm 11.0.1 and I’m not able to update it.
The error I receive is:
“Connection failed (connect timed out). Please check network connection and try again.”
Is this still occurring? Have you tried to download directly?
Where is the updated version for 10.5.4 located? On the old versions download page there is still the version 10.5.4, not 10.5.5.
Thanks!
All provided versions are here
https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases
I want a patch for 14.1.5, not the full IntelliJ IDE, can you provide a patch for the version? Thank you
Currently the only thing we provide is what’s available for the current release and for older versions on this page:
https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases
Unfortunately we can’t offer patches for all versions.
After update I get “Page ‘http://localhost:63342/m…jar/resources/inherit.gif’ requested without authorization, you can copy URL and open it in a browser to trust it.” while browsing javadoc for a class. After this IntelliJ just hangs
This probably resolves CORS issue, but I don’t think this is how it’s supposed to work
IntelliJ IDEA 2016.1.2, build IU-145.971.21
We will fix the issue shortly.
There is a workaround: https://youtrack.jetbrains.com/issue/IDEA-155871#comment=27-1432449
Hi guys. Just updated; the only bugs I’ve discovered so far are that Presentation Mode and code zooming no longer work. It’s a good job I’m not doing a presentation today!
Hi Michael,
Is this with IntelliJ IDEA?
Hi Hadi. No, it was with PhpStorm and WebStorm. I don’t know what’s happening, because Presentation mode has started working again, though not the feature where I can pinch to zoom in on code.
After installing the security patch javadoc doesn’t work in IDEA (version 2016.1.2). All I get after pressing CTRL-Q on a method is dialogue saying “Page ‘http://localhost:63342/…./Awaiting.html’ requested without authorization, you can copy URL and open it browser to trust it.” where Awaiting is the Java class I wanted to view the documentation for.
So after the update it’s not possible to view Javadoc inside IDEA any longer.
How do I fix this or work around it?
We will fix the issue shortly.
There is a workaround: https://youtrack.jetbrains.com/issue/IDEA-155871#comment=27-1432449
Is there any report from the license server that can show the version each developer is using?
Yes, it is possible. For more information please see:
https://www.jetbrains.com/help/license_server/detailed_server_usage_statistics.html
Thanks for the link.
Unfortunately, it doesn’t seem that our license server version reacts to this configure command, so the reportApi endpoint simply returns a 404.
Is there any way to determine what license server version we are running, and if we need to upgrade it to get this reportApi endpoint?
The version should be available at the bottom of the license server page. Reports are supported as of version 9309.
That explains it, thanks Hadi – we are on version 7844
In principle you should be able to upgrade. Have you pinged Sales?
I’m having a problem with error 404 when using localhost to view my site. I’ll try and send details but for now can you give me a link to download 11.0.3 please because I need to get on with my work and I’m hindered by the update.
Thanks
Bryan
Please try to use the open in browser action or debug — does it work? Do you see notifications in the Event Log (https://www.jetbrains.com/help/idea/2016.1/event-log.html?origin=old_help)?
Do I need to pay to get the security update?
No, an update for any version that you currently have license for is free
If you have an active subscription, no. If you do not and your version is under some of the ones we cover (which we go back up to 3 years), then also no, it’s free. If you could tell me what product and version you have then I could tell you for sure.
Hey, in drupal *.install extension are not working
After the update I can’t use my license key. The system tells me the key is already in use.
Same here.. I’m pissed! The last updates messed up my configuration here and there and altered things I don’t like. It’s a pain to find the right option because there are thousands of them.. AAAAAAAAAAAAAAARGH 😀 I hate this red border around function parameters I see every time I use the autocomplete function.. thank you for this one! More colors.. the people need colors !!!!
I don’t need help.. I just needed to let some steam out of my head!
I feel better now, Have a nice day everybody.
It would be fantastic if you made a launcher / updating platform like Adobe does for Creative Cloud. Then you could just push the updates out to all the IDEs at once. It would save a lot of time for people like me who have almost the whole suite installed on multiple PCs.
Zachery, please check in the end of this blog post: http://blog.jetbrains.com/blog/2016/04/28/jetbrains-toolbox-2016-1-release-is-complete/ and expect news soon. Thank you for your feedback!
Open files via ajax gone on open in browser preview
I am getting the same error around terminals (http://cmder.net/) cmder.
command line is: cmd.exe /K “c:\dev\cmder\vendor\init.bat”
error: java.io.IOException: Couldn’t create PTY
Was working 5 minutes before applying the upgrade…
It needs quotes, this will work: “cmd.exe” /K “c:\dev\cmder\vendor\init.bat”
I am on a Linux Mint machine. I tried to update pycharm from 2016.1.2 to 2016.1.3 but nothing happened after the restart. Still on 2016.1.2. Is there a fix being worked on to allow the 2016.1.3 update on Linux Mint machines?
We have one patch for all Linux distributions. So it should work for Linux Mint as well. What happens if you check for updates once again via Help | Check for updates? If there’s an update still available please try again. If not, you can download the full installation from the download page: https://www.jetbrains.com/pycharm/download/#section=linux
please install 2016.1.3 along with your current installation, and only after that delete the old version. All IDE and project settings will be preserved in this case.
We haven’t got any complaints about Linux patch updates until now. If you see there’s a problem still existing, please fill in this form to contact the tech support: https://intellij-support.jetbrains.com/hc/en-us/requests/new?ticket_form_id=66731
They’ll be able to debug your problem.
Hello,
What would be the major impact on the application developed for Android client ?
Thanks!!
Shouldn’t have any impact.
Getting
Refused to execute script from ” because its MIME type (‘application/octet-stream’) is not executable, and strict MIME type checking is enabled.
after the update.
Any detailed information on what has changed with the update?
Or suggestion where I can start tracking down the error?
We set the header “X-Content-Type-Options: nosniff”. Please ensure that your web server sets the correct Content-Type for script files.
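An added example, not from the thread or from JetBrains: a small audit that predicts which script and stylesheet responses a browser refuses once `X-Content-Type-Options: nosniff` is present, following the blocking rule in the WHATWG Fetch standard. The sample responses, URLs and function names are constructed for illustration.

```python
import posixpath
from urllib.parse import urlsplit

# JavaScript MIME type essences listed in the WHATWG MIME Sniffing standard.
JAVASCRIPT_MIME_TYPES = frozenset({
    "application/ecmascript", "application/javascript",
    "application/x-ecmascript", "application/x-javascript",
    "text/ecmascript", "text/javascript", "text/javascript1.0",
    "text/javascript1.1", "text/javascript1.2", "text/javascript1.3",
    "text/javascript1.4", "text/javascript1.5", "text/jscript",
    "text/livescript", "text/x-ecmascript", "text/x-javascript",
})

# Content-Type values a server should send for these extensions.
CORRECT_TYPES = {".js": "text/javascript", ".mjs": "text/javascript",
                 ".css": "text/css"}


def _get(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def mime_essence(content_type):
    """'Text/JavaScript; charset=utf-8' -> 'text/javascript'."""
    return content_type.split(";", 1)[0].strip().lower()


def blocked_by_nosniff(destination, headers):
    """True if a browser refuses this response for the given destination."""
    first = _get(headers, "x-content-type-options").split(",", 1)[0]
    if first.strip().lower() != "nosniff":
        return False  # without nosniff the MIME check below is not applied
    essence = mime_essence(_get(headers, "content-type"))
    if destination == "script":
        return essence not in JAVASCRIPT_MIME_TYPES
    if destination == "style":
        return essence != "text/css"
    return False  # images, documents etc. are not covered by this rule


def suggest_content_type(url):
    """Content-Type to configure for the URL's extension, or None."""
    ext = posixpath.splitext(urlsplit(url).path)[1].lower()
    return CORRECT_TYPES.get(ext)


def audit(responses):
    """Return (url, served_type, suggested_type) for every blocked response."""
    findings = []
    for resp in responses:
        if blocked_by_nosniff(resp["destination"], resp["headers"]):
            served = mime_essence(_get(resp["headers"], "content-type")) or "(none)"
            findings.append((resp["url"], served, suggest_content_type(resp["url"])))
    return findings


# Constructed sample responses; the first mirrors the error quoted above.
NOSNIFF = "nosniff"
SAMPLE_RESPONSES = [
    {"url": "http://localhost:8080/static/app.js", "destination": "script",
     "headers": {"X-Content-Type-Options": NOSNIFF,
                 "Content-Type": "application/octet-stream"}},
    {"url": "http://localhost:8080/static/vendor.js", "destination": "script",
     "headers": {"X-Content-Type-Options": NOSNIFF,
                 "Content-Type": "text/javascript; charset=utf-8"}},
    {"url": "http://localhost:8080/static/site.css", "destination": "style",
     "headers": {"X-Content-Type-Options": NOSNIFF,
                 "Content-Type": "text/plain"}},
    {"url": "http://localhost:8080/static/logo.png", "destination": "image",
     "headers": {"X-Content-Type-Options": NOSNIFF,
                 "Content-Type": "application/octet-stream"}},
]

if __name__ == "__main__":
    for url, served, wanted in audit(SAMPLE_RESPONSES):
        print(f"{url}: served as {served}, should be {wanted}")
```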
Couldn’t you just make webserver bind only to loopback interface? No need for it being accessible over any other interface present I reckon? That is, if I understood correctly that those vulnerabilities can be exploited remotely while running intellij IDE?
Just in case, webserver is bound only to loopback interface.
I am using IntelliJIDEA version 14.1.4
From where can I download the security patch?
The version with the security patch that you can update to is 14.1.7. It is available from https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases
I am trying to find out more about the CSRF vulnerability.
According to the description if I understand correctly it looks like a Local File Inclusion (LFI). Where can I find more info about this vulnerability?
Thank you in advance,
Bill
/abc.html
/abc.js
http://localhost:63342/abc.html (Success)
http://localhost:63342/abc.js (404 Not Found)
How to visit the file(abc.js) now?
Beside all the negative comments here I wanted to say thank you to the Jetbrains team for the communication in this case. Also providing an update down to IntelliJ 12.1 is very nice of you guys!
Keep up the good work!
Thank you Franziskus!
Hadi,
Tell the guys and gals I said Thank You! I’ve the entire suite of toolsets from JetBrains, licenced under your Education program, and the updates went flawlessly. I was actually expecting a bunch of issues as I also run Windows Insider Preview Build 14342.rs1_release.160506-1708 of Windows 10 on that machine. Zero issues here.
I’ve had cause to have issues with you guys before (using RubyMine). Not a single one the last 2 rounds since installing the 2016 releases. Much improved, much appreciated, and good job!
Thank you very much for the feedback!
Hi,
2 quick questions:
1.- If I don’t start the IDE, there are no vulnerabilities. Is that correct? Does the webserver start when Windows starts? Or only when I open Android Studio?
2.- If we have a very old version of android studio, is that vulnerability in those old versions? (like Android Studio 1.0.2 for example).
Thank you.
Peter,
1. Yes, that is correct. Webserver is running only when the IDE is open
2. I think yes, AS 1.0.2 has some of these vulnerabilities. On http://tools.android.com/recent/androidstudio102released it says the build number is 135.1653844 which means it uses IntelliJ Platform branch number 135. We have updated products starting with branch 129.
Any plan to make updates work again on Ubuntu?
Updates should work on Ubuntu. Do you experience any issues?
Please note that we were unable to provide patch-updates for all combinations and in some cases it is necessary to download a full installer. Sorry for the inconvenience, if this is the case for you.
The IDE doesn’t even start after the security update. Good job guys, please continue. As a paying customer, I absolutely enjoy doing alpha testing.
Mark, if you’re running on OS X and the IDE doesn’t start after installing the update, please refer to https://intellij-support.jetbrains.com/hc/en-us/articles/208516145 for workarounds. Sorry for the inconvenience.
I’ve just installed Mac OS X v15.0.6 of IntelliJ Ultimate, downloaded from
https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases
But on clicking ‘About IntelliJ IDEA’ I see
IntelliJ IDEA 15.0.6
Build #IU-143.2370, built on April 28, 2016
That’s a long ways before the announcement of this vulnerability on May 11th.
Could you please confirm that Mac OS X v15.0.6 of IntelliJ Ultimate from https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases contains the fix for this vulnerability?
Today I installed the Mac OS X v15.0.6 version of IntelliJ Ultimate, downloaded from
https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases
But on clicking ‘About IntelliJ IDEA’ I see the date of the build comes before this announcement. I really would just like confirmation that the Mac OS X v15.0.6 of IntelliJ Ultimate from https://confluence.jetbrains.com/display/IntelliJIDEA/Previous+IntelliJ+IDEA+Releases contains the fix for this vulnerability?
There are widespread concerns here that 15.0.6 does not contain the fix due to this date discrepancy.
Thank you!
Sean, thank you for the feedback.
The build date is earlier than the announcement date because it was really built earlier. We had to prepare and test updates for many versions of many products and therefore some were built earlier and were waiting for the announcement and were being tested internally. The v15.0.6 published at the Previous Releases page does contain the security vulnerabilities fix.
-Eugene
Is it possible that the update affected the Upsource Plugin ‘Test Connection’ feature? When it takes me to the Chrome to authenticate, it fails to return to Upsource after I authenticate. It instead directs Chrome to URL like so: https://localhost:3100/?code=XXXX . And Chrome shows ERR_SSL_PROTOCOL_ERROR, “This site can’t provide a secure connection”.
Hi Eric,
Redirect to localhost is an expected behavior, so the security update shouldn’t be a cause here.
The most interesting thing that redirect should go to http://localhost… but not to https://..
Perhaps you have some proxy configuration (like http_redirect) that causes this behavior?
The copy authorization URL to clipboard popup is annoying in WebStorm. Each time you refresh the browser with a cleared cache, we need to copy the newly generated URL and then paste it into the address bar, and so on and so forth. I think this is not a fix but just a workaround to resolve an issue.
Hi,
In WebStorm 2016.1.3 (released yesterday) we’ve added an option to accept unsigned requests which should disable the popup.
You can find more details at https://youtrack.jetbrains.com/issue/IDEA-155917
i updated to the latest version and then all my previously compiled programs start giving error messages,pls how do i fix it
Please contact our support team with details about the error: https://intellij-support.jetbrains.com/
Thymeleaf is still not working when using Spring Boot. Is any fix going to come soon?
Please contact our support team with details about the problem: https://intellij-support.jetbrains.com/
Can you summarize any open issues with this update so we can decide if it’s ok to upgrade?
Eric, do you mean if there are any issues related to update installation?
Please let me know which version and which product.
I can also recommend to check with our support team (https://intellij-support.jetbrains.com), they should be able to give you a qualified answer.
Eugene,
Right, will I hit one of the issues people have run into above when I update to avoid this security issue.
I’m using Webstorm 11.0.1. Build #WS-143.382 for Windows
Thanks,
Eric
Every time I dare update my IDE, the new version says it will uninstall the old version. But it never says if all my settings will be preserved (subversion, etc.) so I exit out. Will updating IDEA from 14.1.3 to 14.1.7 cause a disruption in my work, as I am in the middle of major code changes, but I keep getting warned about having to update.
Bart, the uninstall of the old version is optional. Also, the settings are stored separately in a system folder, so uninstallation should not delete them too.
To be safe you can back up your IDE settings using File->Export Settings from the IDE.
You are welcome to contact our support team at https://intellij-support.jetbrains.com/ if you have more questions.
I want JetBrains for learning!
It’s not a problem. Please check https://www.jetbrains.com/student/
Hello.
I’m using Rubymine v2016.1 Build #RM-145.597 on Linux and I got an update notice.
Tried to update, the patch is downloaded, but after the restart the version is not updated. Strange.
If I check for updates, there they are again. It was not applied.
I’m running as administrator every time I tried to update.
Thanks!
The most likely reason of this problem is running the application with parameter from the command line. A similar problem was described here: https://youtrack.jetbrains.com/issue/IDEA-155904#comment=27-1467510. If so, try running the IDE without parameters to update, and then you will be able to use your way to run. If not, please describe more detail and steps to reproduce in this ticket (idea.log would be very useful), thanks!
This version is totally broken for me.
UI locks up immediately upon reaching a breakpoint.
UI locks after about 1.5 hours of editor use with no server running.
Sorry to hear this Steven.
Please contact our support team with more details so they could try to help resolve the issues.
When trying to run using a custom Run/Debug configuration I’m constantly getting the “Page ” requested without authorization, you can copy URL and open it in browser to trust it.”
My run configuration has some custom URL params that are required so I have to copy the authorization URL from the prompt, get the auth param, and append it to my original URL. Is there not an easier way to do this? It’s really annoying. Can the param not be auto appended when using a Run configuration?
Zachary,
Which version and what product are you using?
In WebStorm 2016.1.3 we’ve added an option to accept unsigned requests which should disable the popup.
You can find more details at https://youtrack.jetbrains.com/issue/IDEA-155917
Does it help?
After pressing the button “update and restart”, phpStorm downloads something (progress bar completes), the IDE restarts, but the IDE version doesn’t change and it says that it needs to update again. I pressed “update and restart” 5 times and nothing changes after the IDE auto restart.
Hi Sergey,
I’m sorry about the problem and thank you for reporting.
In this case I’d suggest to download the complete installer. Which version are you trying to update, btw?
I’m trying to update:
Build version: PhpStorm 10.0.3 Build #PS-143.1770 January 8, 2016
Java version: 1.8.0_51-b16x86
Operating System: Windows 7 (6.1, x86)
I have a Perpetual fallback license for PyCharm 5.0.5, which is not valid for 2016.2. The post states there are patches for previous versions, but the Pycharm links have the latest Pycharm 5.x line showing an old build I already have:
https://confluence.jetbrains.com/display/PYH/Previous+PyCharm+Releases
Can you please clarify how people on 5.x can patch without upgrading to 2016.2.x?
Hi!
PyCharm 5.0.5 released on May 11th, 2016 contains the security fix so you have nothing to worry about if you are using it already.
If you have any other questions, please contact PyCharm support at https://intellij-support.jetbrains.com