Daniel Rotter
Core developer and support guru. Passionate traveler and soccer player.
@danrot90

Sulu Release 1.6.35, 2.0.10 & 2.1.1

Today we have released new patch releases (1.6.35, 2.0.10 & 2.1.1) for all currently maintained versions of Sulu. These versions get rid of quite a few bugs and add some typing corrections. They also include a security fix, so we highly recommend updating to the latest patch release, since all previous versions are affected. Let’s run through the fixed security issues first. Afterwards we will list the changes introduced in each version; later versions include the fixes from earlier ones.

Security fixes relating to the authentication system

The most critical change is about some security improvements in our login system. The following security vulnerabilities are the reason we encourage you to do this update:

  • The “Forgot Password” functionality leaked information. When the given username existed, the response contained the email address to which the reset mail had been sent; when it didn’t exist, the response said so. This allowed attackers to enumerate existing usernames and their email addresses.
  • The response time of a login request differed depending on whether the username existed, which again allowed attackers to compile a list of existing usernames simply by measuring it.
  • The reset password token, which was sent to the user via mail, was stored as plaintext in the database. Whoever holds this token can change the password, so it must be protected like a password itself: only a hash of it may be stored, so that read access to the database (a leaked backup, for instance) does not hand out valid tokens.

All of these have been fixed in Sulu 1.6.35, 2.0.10 and 2.1.1, so please update to one of these versions as soon as possible.
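To make the three patterns concrete, here is an added, self-contained Python illustration of the vulnerable and the hardened behaviour side by side. It is not Sulu’s code (Sulu is PHP/Symfony) and does not claim to mirror how Sulu implemented the fixes; the in-memory `USERS` store, the `alice` account, the PBKDF2 password hashing and the helper names are all constructed for the example. The early return before the password check shown in `login_leaky` is the usual cause of a login timing difference, assumed here rather than taken from the Sulu advisory.

```python
import hashlib
import hmac
import os
import secrets
import statistics
import time

# Constructed in-memory user store standing in for the database.
# Password hashes use PBKDF2-HMAC-SHA256 from the standard library so the
# example runs without extra packages; a real application would use its
# framework's password hasher. The iteration count is kept low for demo speed.
PBKDF2_ITERATIONS = 20_000
SALT_LEN = 16
TOKEN_TTL = 3600  # seconds a reset token stays valid


def hash_password(password, salt=None):
    """Return salt || PBKDF2 digest, the value that goes into the database."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Hash of a random throwaway password. Unknown usernames are checked against it,
# so a failed login costs the same hashing work whether or not the user exists.
DUMMY_HASH = hash_password(secrets.token_hex(16))

USERS = {  # constructed sample data
    "alice": {"email": "alice@example.org", "password": hash_password("correct horse"), "reset": None},
}


# --- Reset tokens: the plaintext goes into the mail, only its hash into the database ---

def issue_reset_token(user, now=None):
    now = time.time() if now is None else now
    # ~256 bits of entropy: the token cannot be guessed, so an unsalted, unstretched
    # SHA-256 is enough to make the stored value useless to whoever reads the table.
    token = secrets.token_urlsafe(32)
    user["reset"] = {"hash": hashlib.sha256(token.encode()).digest(), "expires": now + TOKEN_TTL}
    return token


def reset_password(token, new_password, now=None):
    """Consume a token: hash the presented value and compare it with the stored hash."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).digest()
    for user in USERS.values():
        rec = user["reset"]
        if rec and hmac.compare_digest(rec["hash"], digest) and now < rec["expires"]:
            user["password"] = hash_password(new_password)
            user["reset"] = None  # single use
            return True
    return False


# --- Forgot password: the response must not depend on whether the username exists ---

def forgot_password_leaky(username):
    user = USERS.get(username)
    if user is None:
        return {"status": 404, "body": "user not found"}  # confirms non-existence
    return {"status": 200, "body": "mail sent to " + user["email"]}  # leaks the address


def forgot_password_fixed(username, now=None):
    user = USERS.get(username)
    if user is not None:
        issue_reset_token(user, now)  # sending the mail itself is not modelled here
    return {"status": 200, "body": "If that account exists, a password reset mail has been sent."}


# --- Login: no early return before the expensive password check ---

def login_leaky(username, password):
    user = USERS.get(username)
    if user is None:
        return False  # returns without hashing anything: a measurably faster path
    return verify_password(password, user["password"])


def login_fixed(username, password):
    user = USERS.get(username)
    stored = user["password"] if user is not None else DUMMY_HASH
    ok = verify_password(password, stored)  # always pay the hashing cost
    return ok and user is not None


def timing_gap(login, rounds=15):
    """Median seconds of a failed login for a known vs. an unknown username."""
    def measure(username):
        samples = []
        for _ in range(rounds):
            start = time.perf_counter()
            login(username, "definitely wrong")
            samples.append(time.perf_counter() - start)
        return statistics.median(samples)
    return measure("alice"), measure("no-such-user")


if __name__ == "__main__":
    print("leaky forgot:", forgot_password_leaky("alice"), forgot_password_leaky("bob"))
    print("fixed forgot:", forgot_password_fixed("alice"), forgot_password_fixed("bob"))
    print("leaky login (known, unknown):", timing_gap(login_leaky))
    print("fixed login (known, unknown):", timing_gap(login_fixed))
```

Running the script shows the leaky login answering an unknown username in microseconds while a known one takes milliseconds, and the fixed login taking roughly the same time for both. Two design points are worth noting: the generic “if that account exists” message is the only response body the forgot-password endpoint ever returns, and the reset token is compared with `hmac.compare_digest` against its stored hash, expires, and is deleted after one use. Rate limiting and the timing of the outgoing mail itself are separate concerns not covered here.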

Kudos to Synacktiv and Tom Keur for reporting these issues to us in private!

LTS fixes in Sulu 1.6

Since Sulu 1.6 is an LTS version, we are continuing to provide it with the most important bug and security fixes. Somewhat unusually, this time that includes a fix for an error in which the JMS Serializer sometimes needs additional help to properly recognize the types of an object’s member variables. We have fixed this by adding the missing type annotations in our code.

Fixing bugs introduced in Sulu 2.1

The deep link feature we introduced in Sulu 2.1 broke our teaser selection. This issue was fixed in Sulu 2.1.1.

Publishing our JavaScript documentation

Alongside the work we have put into our new release, we have also made the effort to publish our JS documentation. It is built using react-styleguidist, which reads markdown files from all of our React components. They are displayed on our new JavaScript documentation, where you can also click through examples of our components and edit some code live to see how they behave.

The information in this documentation is especially useful for frontend developers who want to build their own custom views or field types.

Conclusion

The latest patch releases of Sulu contain some nice improvements, and, most importantly, a few security fixes. Therefore I cannot stress enough how critical it is that you update to the latest version.

And please give us feedback after you have updated. You can do so on our Slack channel or on GitHub Issues. If the issues you encounter have a security impact, please use GitHub Security Advisories to report them instead. This ensures that the information is not made public before we have released a fix for it.