May Security Release

Hey everyone,

as announced last week, today we are releasing our security release(s) for May.

You will find all the details about the security issues and fixes in the release notes for 5.4.1, and they will also apply to the 4.9.1 backport. We recommend this update to all users.

We’ve talked plenty about the situation in the past weeks and, as suggested by @nilshoerrmann and @johannahoerrmann, followed up with an article about the security situation on our blog: Kirby & Security | Kirby CMS. This will hopefully help provide a better picture for your clients and manage their expectations and concerns.

If there are more AI- or human-assisted security reports until then, the next security release will follow on June 17th.

As always, let us know if you have any questions!

If you’ve tried to update via composer today, you’ve probably already realised that the symfony/yaml package had a security release a couple of hours after our release. Perfect timing. We don’t consider this an immediate threat for our users, because we are not using the yaml parser to parse user input directly. But you won’t be able to update via composer without some nasty temporary hacks, and that’s reason enough to already release two more patch releases: