Security fixes relating to the authentication system
The most important change concerns the security of our login system. The following vulnerabilities are the reason we urge you to install this update:
- The "Forgot Password" functionality leaked information. If the given username existed, the response contained the email address to which the password reset mail had been sent; if it did not exist, the response said so. Either way the caller learns whether a username is valid, so the endpoint could be used to enumerate existing usernames together with their email addresses.
- The response time of a login request differed depending on whether the username existed (it was noticeably faster for an existing username). Any measurable difference of this kind acts as an oracle that again lets an attacker compile a list of valid usernames.
- The password reset token, which is sent to the user by email, was stored in plaintext in the database. Since the token alone is enough to change the password, anyone able to read the database could take over the account. The token therefore has to be handled with the same care as the password itself, which includes storing only a hash of it and validating incoming tokens against that hash.
All of these issues are fixed in Sulu 1.6.35, 2.0.10 and 2.1.1, so please update to one of these versions as soon as possible.
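The three fixes above follow the same pattern: the unknown-user and known-user paths must be indistinguishable in response content and in timing, and a reset token must be stored only as a hash. The following is an added illustration of that pattern in Python, not Sulu's own code (Sulu is a PHP/Symfony application). The in-memory `USERS` table, the `SENT_MAIL` list that stands in for the outgoing mail, and the sample account `alice` are constructed for the example; PBKDF2 is used here as a generic password hash, not as a statement about what Sulu uses.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory user table standing in for the application's database.
# Everything in this file is an added illustration of the three fixes, not Sulu's code.
USERS = {}
SENT_MAIL = []  # (recipient, raw_token): simulates the outgoing reset e-mail

PBKDF2_ROUNDS = 100_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def add_user(username: str, email: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "email": email,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "reset_hash": None,      # only the hash of the reset token is ever stored
        "reset_expires": 0.0,
    }


# Dummy credentials used when the username is unknown, so the login path does
# the same expensive hashing work whether or not the user exists.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login(username: str, password: str) -> bool:
    """Return True only for a correct username/password pair.

    The hash is always computed and always compared in constant time, so the
    response time does not reveal whether the username exists.
    """
    user = USERS.get(username)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["pw_hash"] if user else _DUMMY_HASH
    candidate = _hash_password(password, salt)
    matches = hmac.compare_digest(candidate, expected)
    return matches and user is not None


def forgot_password(username: str) -> str:
    """Issue a reset token if the user exists; return the same message either way."""
    user = USERS.get(username)
    if user is not None:
        token = secrets.token_urlsafe(32)
        user["reset_hash"] = hashlib.sha256(token.encode()).hexdigest()
        user["reset_expires"] = time.time() + 3600
        SENT_MAIL.append((user["email"], token))  # the raw token goes only to the mailbox
    # No e-mail address, no "user not found": nothing that distinguishes the two cases.
    return "If an account with that username exists, a password reset link has been sent."


def reset_password(username: str, token: str, new_password: str) -> bool:
    """Consume a valid, unexpired token and set the new password."""
    user = USERS.get(username)
    if user is None or user["reset_hash"] is None or time.time() > user["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, user["reset_hash"]):
        return False
    salt = secrets.token_bytes(16)
    user["salt"] = salt
    user["pw_hash"] = _hash_password(new_password, salt)
    user["reset_hash"] = None  # single use
    user["reset_expires"] = 0.0
    return True


# Constructed sample account for the usage below.
add_user("alice", "alice@example.com", "correct horse battery staple")

if __name__ == "__main__":
    print(forgot_password("alice") == forgot_password("nobody"))  # identical responses
    recipient, raw_token = SENT_MAIL[0]
    print(USERS["alice"]["reset_hash"] != raw_token)              # only the hash is stored
    print(reset_password("alice", raw_token, "new password"))
    print(login("alice", "new password"), login("nobody", "x"))
```

Two details matter in practice. A database dump of this table yields only a SHA-256 digest of the reset token, which is not enough to perform a reset, because the token has 256 bits of entropy and cannot be reversed from the hash. The timing defence is only as good as the rest of the request path: if an unknown username still short-circuits elsewhere (a cache lookup, an extra database query, a different error-rendering branch), the oracle reappears, so measure both paths end to end after deploying such a fix rather than trusting the code.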
LTS fixes in Sulu 1.6
Since Sulu 1.6 is an LTS version, we continue to provide it with the most important bug and security fixes. Among other things, this release addresses a case in which the JMS Serializer needed additional help to recognize the types of an object's member variables; we fixed it by adding the missing annotations to our code.
Fixing bugs and adding lost features in Sulu 2.0
In Sulu 2.0.10 we fixed a number of bugs that were introduced with the new major release. The following list is not exhaustive:
- The name of the position of a contact is now included in its serialization
- We fixed the matching of search keywords on the website
- The type written in the dropdown of a block is not truncated anymore, unless absolutely necessary
- The focus point selection now adjusts when the window is resized
- The image cropping should now behave correctly in all cases
- From now on, Sulu also includes the port when generating URLs
- The content of a selection can now also be scrolled if it is disabled
- The location field type now accepts zero as a valid value, which it previously rejected
Fixing bugs introduced in Sulu 2.1
The deep link feature we introduced in Sulu 2.1 broke our teaser selection. This issue was fixed in Sulu 2.1.1.
The information in this documentation is especially useful for frontend developers, who try to build their own custom views or field types.
The latest patch releases of Sulu contain some nice improvements and, most importantly, a few security fixes. Therefore I cannot stress enough how critical it is that you update to the latest version.
And please give us feedback after you have updated. You can do so on our Slack channel or on GitHub Issues. If an issue you encounter has a security impact, please report it through GitHub Security Advisories instead. This ensures that the details are not public before we have released a fix.