mirror of
https://github.com/Sylius/Sylius.git
synced 2026-07-05 20:57:12 +00:00
Prepare v1.3.16 release
This commit is contained in:
parent
3007ea30c3
commit
53eaa73468
2 changed files with 26 additions and 1 deletions
|
|
@ -1,5 +1,30 @@
|
|||
# CHANGELOG FOR `1.3.X`
|
||||
|
||||
## v1.3.16 (2020-01-27)
|
||||
|
||||
#### CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
|
||||
|
||||
*Please refer to [the original security advisory](https://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq) for the most updated information.*
|
||||
|
||||
**Impact:**
|
||||
|
||||
This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true.
|
||||
|
||||
However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value which is `%kernel.debug%` will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
|
||||
|
||||
**Patches:**
|
||||
|
||||
Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore.
|
||||
|
||||
**Workarounds:**
|
||||
|
||||
Unsupported versions could be patched by adding the following configuration to run in production:
|
||||
|
||||
```yaml
|
||||
sylius_channel:
|
||||
debug: false
|
||||
```
|
||||
|
||||
## v1.3.14, v1.3.15 (2019-12-03, 2019-12-05)
|
||||
|
||||
#### CVE-2019-16768: Internal exception message exposure in login action.
|
||||
|
|
|
|||
|
|
@ -31,7 +31,7 @@ use Webmozart\Assert\Assert;
|
|||
|
||||
class Kernel extends HttpKernel
|
||||
{
|
||||
public const VERSION = '1.3.16-DEV';
|
||||
public const VERSION = '1.3.16';
|
||||
public const VERSION_ID = '10316';
|
||||
public const MAJOR_VERSION = '1';
|
||||
public const MINOR_VERSION = '3';
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue