Skip to content

Latest commit

 

History

History
310 lines (250 loc) · 31.1 KB

CHANGELOG-1.4.md

File metadata and controls

310 lines (250 loc) · 31.1 KB

CHANGELOG FOR 1.4.X

v1.4.12 (2020-01-27)

CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

Please refer to the original security advisory for the most updated information.

Impact:

This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

Patches:

Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

Workarounds:

Unsupported versions could be patched by adding the following configuration to run in production:

sylius_channel:
    debug: false

v1.4.10, v1.4.11 (2019-12-03, 2019-12-05)

CVE-2019-16768: Internal exception message exposure in login action.

Details:

Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer.

A validation message with the exception details will be presented to the user when one will try to log into the shop.

Solution:

This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.

v1.4.9 (2019-10-09)

The last bugfix release for v1.4.x.

Details

v1.4.8 (2019-08-27)

Details

v1.4.7 (2019-07-25)

Details

v1.4.6 (2019-06-20)

Details

v1.4.5 (2019-05-29)

Details

v1.4.4 (2019-05-07)

TL;DR

Details

v1.4.3 (2019-04-15)

Details

v1.4.2 (2019-04-01)

Details

v1.4.1 (2019-03-05)

TL;DR

Details

v1.4.0 (2019-02-04)

TL;DR

  • PHP 7.3 support (#9914)
  • Don't miss the v1.4.0-BETA.1's changelog below 🎉

Details

v1.4.0-BETA.1 (2019-01-17)

TL;DR

Details

  • #9677 Deprecate passing container to ORMTranslatableListener (@kayneth)
  • #9794 [CoreBundle] First address in the address book should be made default (@kayneth)
  • #9917 Improve taxon fixtures with translations (@loic425)
  • #9962 Added tax category in shipping method fixture (@mamazu)
  • #9962 Deprecated not passing shipping category repository to shipping method fixture (@mamazu)
  • #9964 Making templates deprecated (@mamazu)
  • #9983 Fix #9899 (main taxon autocomplete drop down now contain full taxon name - with all parents) (@igormukhingmailcom)
  • #10008 ShopUser class is now EncoderAware to provide more flexibility for ch… ()
  • #10046 Enable strict validation for email (@fendrychl)
  • #10062 Make possible to autowire services generated by ResourceBundle (@pamil)
  • #10067 Add support for Symfony 4.2 (@pamil)
  • #10079 [Channel] Shop billing data (@Zales0123)
  • #10080 Password hashing - multiple encoders support (@pamil)
  • #10084 Password hashing - update encoder on login (@pamil)
  • #10089 Switch to Symfony's dotenv file handling (@pamil)
  • #10090 Switch to DoctrineMigrationsBundle 2.0 (@Zales0123)
  • #10091 Create aliases for named Sylius services (@pamil)
  • #10102 Use FriendsOfBehat\SymfonyExtension v2 (@pamil)