Hey everyone,
we ran a security release survey on Discord last week. Thanks to all participants for the votes and for the comments and ideas you shared with us.
We have listened and want to give you an update on our plans:
- The survey has made it very clear that the majority of you prefer monthly security releases (unless they contain fixes for critical or zero-day vulnerabilities). We have decided to schedule security releases in the middle of the month and in the middle of the week, as we expect your workload to be lower on average at that time. If the situation around vulnerability reports changes, we might revise this later.
- We want to provide you with an early notice before the release day so you can prepare and schedule your patches. We aim to set and announce the release day roughly one week in advance.
- We will publish all information via our usual community channels (Discord, forum and social media). If you want to follow along via RSS, you can subscribe to our releases via this link: Release notes from kirby
The next security release with six more vulnerability fixes is coming up. We plan to release Kirby 5.4.1 and 4.9.1 next Tuesday, May 19th. Kirby 5.4.1 will also include additional bug fixes some of you have been waiting for. All of the fixed vulnerabilities were again reported to us responsibly, and we are not aware of any exploits in the wild. While we cannot share detailed information about the vulnerabilities before the release to prevent exploitation, we want to give you a heads-up on the classes of vulnerabilities involved:
- One of the vulnerabilities can be exploited without authentication and therefore affects all Kirby sites. The CVSS severity is high; however, the impact is usually limited to reconnaissance of the server or site setup and does not result in a take-over or similar critical outcomes. This vulnerability affects only Kirby 5.
- One of the vulnerabilities can only be exploited by authenticated users but poses a high real-world impact that includes the risk of privilege escalation.
- There are two more high-severity vulnerabilities that can only be exploited by authenticated users with a cross-site scripting (XSS) impact that is limited to the site frontend.
- Two more vulnerabilities are of moderate severity and are not expected to lead to an immediate attack.
Let us know if you have any questions.