Prepare v1.3.16 release

This commit is contained in:
Kamil Kokot 2020-01-27 16:11:16 +01:00
parent 3007ea30c3
commit 53eaa73468
No known key found for this signature in database
GPG key ID: 7BD76F7054D93C89
2 changed files with 26 additions and 1 deletions

View file

@ -1,5 +1,30 @@
# CHANGELOG FOR `1.3.X`
## v1.3.16 (2020-01-27)
#### CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
*Please refer to [the original security advisory](https://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq) for the most updated information.*
**Impact:**
This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true.
However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value which is `%kernel.debug%` will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
**Patches:**
Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore.
**Workarounds:**
Unsupported versions could be patched by adding the following configuration to run in production:
```yaml
sylius_channel:
debug: false
```
## v1.3.14, v1.3.15 (2019-12-03, 2019-12-05)
#### CVE-2019-16768: Internal exception message exposure in login action.

View file

@ -31,7 +31,7 @@ use Webmozart\Assert\Assert;
class Kernel extends HttpKernel
{
public const VERSION = '1.3.16-DEV';
public const VERSION = '1.3.16';
public const VERSION_ID = '10316';
public const MAJOR_VERSION = '1';
public const MINOR_VERSION = '3';