
An update on the recent security advisories

Tuesday 19 May 2015 3:07:54 pm


You may have noticed a sudden rush of new security advisories in recent days, though their names indicate that not all of them are new. Please read on to learn how to secure your installation.

It is an unfortunate situation. The simple fact of it is that the handover of responsibilities between different employees some time ago was not fully complete, and the job of ensuring that Enterprise security updates get communicated to Community users had been left untended. For this, we are sorry and we apologise. We are improving the routines for this. (Note: Only Community is affected by this unintended delay. The Enterprise updates were distributed at the correct times.)

To be specific, the delayed advisories include EZPESU-2013-015 to EZPESU-2013-020, and EZPESU-2014-001 to EZPESU-2014-012. (The last advisory, EZPESU-2015-001, is recent and will be covered in a separate blog post.) The issues they fix are described in each advisory, though it can be said that many of them involve cross-site scripting (XSS) vulnerabilities in various parts of the product. As with all security advisories, we strongly recommend that you install the fixes as soon as possible. You will find them here.

The good news is that if you are running eZ Publish Community Project 2014.05 or later (or if you have updated your checkout of the GitHub code since May 7th, 2014 or later), then you already have these fixes installed. If not, please upgrade. Please remember that EZPESU-2015-001 is new since May 11th, 2015 and will be included in 2015.03 stable when it is released. There is a link to the patch in the advisory, so you can install it now.

We'd like to apologise again for what happened, and promise timely security advisories in the future!
