Sulu Release 1.6.35, 2.0.10 & 2.1.1
Today we have released new patch releases (1.6.35, 2.0.10 & 2.1.1) for all currently maintained versions of Sulu. These versions get rid of quite a few bugs and add some typing corrections. They also include a security fix, therefore we highly recommend you update to the latest patch releases, since all previous versions are affected. Let’s run through the fixed security issues first. Afterwards we are going to list the changes introduced in each version, whereby later versions include the fixes from earlier ones.
Security fixes relating to the authentication system
The most critical change is about some security improvements in our login system. The following security vulnerabilities are the reason we encourage you to do this update:
- The “Forgot Password” functionality leaked information. When the given username existed, it returned the email address to which the password reset email was sent. If the given username didn’t exist, the response revealed that too. This allows attackers to brute-force a list of existing usernames and email addresses.
- The response time of the server on a login request differed depending on the existence of the username. It was much faster if the username existed, which would again allow attackers to compile a list of existing usernames.
- The password reset token, which was sent via email to the user, was stored as plaintext in the database. Since this token alone allows someone to change the password, it should be handled with the same security standards as the password itself, which includes storing only a hash of it.
All of these have been fixed in Sulu 1.6.35, 2.0.10 and 2.1.1, so please update to one of these versions as soon as possible.
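The three fixes above follow one pattern: respond identically for known and unknown usernames, make the login path cost the same for both, and persist only a hash of the reset token. The following is an added, self-contained Python sketch of that pattern (not Sulu’s own code; the user store, salt, outbox and credentials are constructed for the example):

```python
import hashlib
import hmac
import secrets

SALT = b"constructed-static-salt"  # constructed; real systems use one salt per user

def _pw_hash(password: str) -> bytes:
    # Deliberately slow hash, so skipping it for unknown users would be measurable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed in-memory user store: username -> {"email", "pw_hash"}.
USERS = {"alice": {"email": "alice@example.test", "pw_hash": _pw_hash("correct horse")}}
DUMMY_HASH = _pw_hash("dummy")   # compared when the username is unknown
RESET_TOKENS = {}                 # username -> sha256(token); plaintext is never stored
OUTBOX = []                       # (email, token) pairs that would be e-mailed
GENERIC_REPLY = "If the account exists, a reset e-mail has been sent."

def login(username: str, password: str) -> bool:
    """Constant-work login: unknown users still pay for a full PBKDF2 + compare."""
    record = USERS.get(username)
    stored = record["pw_hash"] if record is not None else DUMMY_HASH
    ok = hmac.compare_digest(_pw_hash(password), stored)
    return ok and record is not None

def request_password_reset(username: str) -> str:
    """Same reply for every username; the e-mail address is never echoed back."""
    record = USERS.get(username)
    if record is not None:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[username] = hashlib.sha256(token.encode()).hexdigest()
        OUTBOX.append((record["email"], token))   # only the mail carries the token
    return GENERIC_REPLY

def reset_password(username: str, token: str, new_password: str) -> bool:
    """Verify the presented token against its stored hash; tokens are single-use."""
    stored = RESET_TOKENS.get(username)
    if stored is None:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, stored):
        return False
    USERS[username]["pw_hash"] = _pw_hash(new_password)
    del RESET_TOKENS[username]
    return True
```

A database dump of `RESET_TOKENS` therefore yields only hashes, which cannot be replayed against `reset_password` without the original token from the mail.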
Kudos to Synacktiv and Tom Keur for reporting these issues to us in private!
LTS fixes in Sulu 1.6
Since Sulu 1.6 is an LTS version, we are continuing to provide it with the most important bug and security fixes. Unusually, this includes an error in which the JMS Serializer sometimes needs additional help to properly recognize the type of an object’s member variables. We have fixed this by adding some more annotations in our code.
Fixing bugs and adding lost features in Sulu 2.0
In Sulu 2.0.10 we had to fix a few bugs we had introduced in our new major release. The following list is not exhaustive:
- The name of the position of a contact is now included in its serialization
- We fixed the matching of search keywords on the website
- The type written in the dropdown of a block is not truncated anymore, unless absolutely necessary
- We added the configuration for the missing contact_selection and account_selection content types (as you can see in the PR, no JavaScript is required)
- The focus point selection now adjusts when the window is resized
- The image cropping should now behave correctly in all cases
- From now on, Sulu also includes the port when generating URLs
- The content of a selection can now also be scrolled if it is disabled
- The location field type now accepts zero as a valid value
Fixing bugs introduced in Sulu 2.1
The deep link feature we introduced in Sulu 2.1 broke our teaser selection. This issue was fixed in Sulu 2.1.1.
Publishing our JavaScript documentation
Alongside the work we have put into our new release, we have also made the effort to publish our JS documentation. It is built using react-styleguidist, which reads markdown files from all of our React components. They are displayed on our new JavaScript documentation, where you can also click through examples of our components and edit some code live to see how they behave.
The information in this documentation is especially useful for frontend developers, who try to build their own custom views or field types.
Conclusion
The latest patch releases of Sulu contain some nice improvements, and, most importantly, a few security fixes. Therefore I cannot stress enough how critical it is that you update to the latest version.
And please give us feedback after you have updated. You can do so on our Slack channel or on GitHub Issues. If the issues you encounter have a security impact, please use GitHub Security Advisories to report them instead. This will make sure that the information is not leaked to the public before we have released a fix for it.