2.5.12 is here with an important security update


#1

With the introduction of 2.5.11 and the stronger password hashing, I missed one important detail in our code, that sends user passwords to PHP’s error log when passwords get updated and error reporting is activated. This is a bug that should never have happened and I take full responsibility for missing it. I apologize to all of you for the extra work to upgrade Kirby.

PHP error logs should only be accessible to you in a secure server environment and there’s no direct link between the password and the user. It’s still a security issue. We learned about it yesterday evening, instantly patched all 2.5.11 downloads and prepared today’s release. We recommend that all our users upgrade to 2.5.12 immediately and delete all their error logs.

There are no further changes in this release.
You can download the latest version from Github or from our download server:
https://download.getkirby.com/kirby-2.5.12.zip

Thank you for your support!
Bastian


#3

Hi Bastian!

As you know, I’m new to Kirby. That was my first update. Worked fine and the Panel says that I’m on 2.5.12 for all three lines. :slight_smile: That was easy! :slight_smile:

But Filezilla says: “/kirby/test/etc/site/cache: received failure with description ‘Failure’” :confused: The folder exists, but is empty. So I would leave everything like it is?

Thank you!

Dennis


#4

The site/cache folder must exist on the server and it must be writable by the web server. But the content is not important if you update your site. Actually my update script does remove all files in the cache so everything will be re-generated at the next page load. So I can manually check if everything works fine after the update.


#5

Well, true, but the message is about a cache folder in the Kirby test folder, and that is not important at all apart from for testing.

And that folder should be empty.

If everything runs smoothly, you can probably ignore it. Or try uploading with another tool and check if the error persists.


#6

@texnixe Sorry, I somehow missed the first part of the file path. So it’s even less of a problem. The /kirby/test/etc/site/cache would only contain a .gitkeep file and I don’t know the behavior of FileZilla regarding dot-files.


#7

Is it correct that all Kirby installations running on 2.5.10 or lower are not affected? It’s only the “unpatched” 2.5.11 version, right?


#8

That’s true! Before 2.5.11 nothing was logged.


#9

@texnixe @jbeyerstedt
That folder is empty, I checked the zip-file. [1]

I’ve crosschecked the folder on my server. Permission is 755 and it’s empty as well.

.gitkeep is not there.

My site is running, as far as I can see. So it’s okay to me. Thank you for your help.

[1] SHA256: 14a5fa277e855cdff6bda9eea923476590fae754c66c32affccb5aea14d0325f kirby-2.5.12.zip