With the introduction of 2.5.11 and the stronger password hashing, I missed one important detail in our code that sends user passwords to PHP’s error log when passwords get updated and error reporting is activated. This is a bug that should never have happened and I take full responsibility for missing it. I apologize to all of you for the extra work to upgrade Kirby.
PHP error logs should only be accessible to you in a secure server environment and there’s no direct link between the password and the user. It’s still a security issue. We learned about it yesterday evening, instantly patched all 2.5.11 downloads and prepared today’s release. We recommend that all our users upgrade to 2.5.12 immediately and delete all their error logs.
As you know, I’m new to Kirby. That was my first update. It worked fine, and the Panel says that I’m on 2.5.12 for all three lines. That was easy!
But FileZilla says: “/kirby/test/etc/site/cache: received failure with description ‘Failure’”. The folder exists, but is empty. So I would leave everything as it is?
The site/cache folder must exist on the server and it must be writable by the web server. But the content is not important if you update your site. Actually, my update script does remove all files in the cache so everything will be re-generated at the next page load. So I can manually check if everything works fine after the update.
@texnixe Sorry, I somehow missed the first part of the file path. So it’s even less of a problem. The /kirby/test/etc/site/cache would only contain a .gitkeep file and I don’t know the behavior of FileZilla regarding dot-files.