
Security updates for eZ Publish & extensions

Wednesday 07 May 2014 3:38:43 pm


Getting ready for a new release also means pushing out the security updates we have recently shipped to enterprise subscribers. This time there are quite a few of them, thanks among others to some of our clients performing deep audits that uncovered missing output escaping, as well as a notable regression in session handling.

Note: This blog post will be updated at a later time (late this week or next) to include links to the security advisories, where additional information will be available to logged-in users.

Issues

All issues affect all community versions; they also affected enterprise versions from 4.2 to 5.2 before they were fixed in security updates:

 

All patches affecting eZ Publish itself can also be applied as one combined patch (this does not include the patches marked "Extensions"):
https://github.com/ezsystems/ezpublish-legacy/commit/96e866933e5130789e381bcfeefd4b6e5e38f349.diff

As you might have noticed, all issues affect only the "legacy stack" (aka the "4.x stack"), and a large chunk of the fixes involve output escaping. We will come back with a blog post later this year on how we avoid those in the eZ "Platform" (aka "new" or "Symfony") stack, along with some suggestions for how we are strengthening, and can further strengthen, other security aspects as well.
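Since most of these fixes are missing output escaping in legacy templates, a quick way to look for the same bug class in your own site's template overrides is to flag template output expressions that never pass through the `wash` escaping operator. The script below is an added example written for this post, not eZ Systems code: it assumes legacy template output has the form `{$expr}` optionally followed by `|operator` chains, that `wash` is the HTML-escaping operator, and that the other operators in its allowlist render through datatype templates that already escape. The sample template is constructed for illustration. It is a heuristic, not a template parser, so treat its findings as review candidates rather than confirmed bugs.

```python
import re

# Output expressions in eZ Publish legacy (4.x) templates look like
# {$node.name} or {$node.name|wash}. Control structures such as {if ...},
# {def ...} or {attribute_view_gui ...} start with a keyword, not "$", and
# are deliberately not matched.
OUTPUT_RE = re.compile(r"\{\$[^{}]*\}")

# Operators assumed to produce HTML-safe output. "wash" escapes for HTML;
# the *_view_gui operators render through datatype templates that escape
# their own output. Assumption for this example: extend it for your site.
SAFE_OPERATORS = ("wash", "attribute_view_gui", "content_view_gui", "node_view_gui")
SAFE_OP_RE = re.compile(r"\|\s*(" + "|".join(SAFE_OPERATORS) + r")\b")


def find_unwashed_outputs(template: str):
    """Return (line_number, expression) pairs for {$...} outputs that pass
    through none of the operators in SAFE_OPERATORS."""
    findings = []
    for lineno, line in enumerate(template.splitlines(), start=1):
        for match in OUTPUT_RE.finditer(line):
            expr = match.group(0)
            if not SAFE_OP_RE.search(expr):
                findings.append((lineno, expr))
    return findings


# Constructed sample template (not from eZ Publish): line 2 prints an
# author name and line 4 echoes user-supplied search text without wash.
SAMPLE_TEMPLATE = """\
<h1>{$node.name|wash}</h1>
<p class="author">{$node.object.owner.name}</p>
<div class="body">{attribute_view_gui attribute=$node.data_map.body}</div>
<a href="{'/search'|ezurl}?q={$search_text}">{$search_text|wash('xhtml')}</a>
{if $node.object.owner.name}<span>owner set</span>{/if}
"""


def audit_report(template: str) -> str:
    """Human-readable summary of the findings for one template."""
    findings = find_unwashed_outputs(template)
    if not findings:
        return "no unwashed output expressions found"
    return "\n".join(f"line {ln}: {expr} has no wash operator" for ln, expr in findings)


if __name__ == "__main__":
    print(audit_report(SAMPLE_TEMPLATE))
```

Run it over the `.tpl` files in your design and extension overrides; anything it flags that prints content-object or request-derived data should be changed to go through `|wash` (or `|wash('xhtml')` where appropriate), exactly the pattern the patches linked above apply to the standard templates.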

Finally, a big thanks to all involved customers, partners and ecosystem members who reported these issues, helping us keep eZ Publish one of the more secure content platforms out there.
