eZecosystem / Mirror / Security Advisories

Note: This blog has become inactive. New content may not be posted in the future.

This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy via the LegacyBridge.

Installations where all modules are disabled may be vulnerable to XSS injection in the module name. This is a rare configuration, but we still recommend installing the update, which adds the necessary input washing.

To install, use Composer to update to one of the "Resolving versions" mentioned above, or apply this patch manually:
https://github.com/ezsystems/ezpublish-legacy/commit/4697bff700e8cf95d5847ea19dad3479a77b02d9

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

11/01/2018 05:21 am

This security advisory fixes a vulnerability in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy.

Installations that are using the legacy LDAP login handler or the TextFile login handler in combination with the standard legacy login handler, may in rare cases be vulnerable to a failure of the standard login handler to verify passwords correctly, allowing unauthorised access.

If your installation has never used the LDAP or TextFile login handlers, or never used legacy login at all, then it is not affected. Still, we recommend installing the update, to be on the safe side.

To install, use Composer to update to one of the "Resolving versions" mentioned above, or apply this patch manually:
https://github.com/ezsystems/ezpublish-legacy/commit/13f03a2be6c0ee4d0caaafaef05904ea9b0c4d9d

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

10/31/2018 07:31 am

This is to warn you about 5 security advisories recently released by Symfony:

  • CVE-2018-11406: CSRF Token Fixation
  • CVE-2018-11407: Unauthorized access on a misconfigured LDAP server when using an empty password
  • CVE-2018-11385: Session Fixation Issue for Guard Authentication
  • CVE-2018-11386: Denial of service when using PDOSessionHandler
  • CVE-2018-11408: Open redirect vulnerability on security handlers

You can read more about them here: http://symfony.com/blog/category/security-advisories

We recommend that you install them as soon as possible. They are distributed via Composer. You can update Symfony with the following command:

composer update symfony/symfony

Depending on your version of eZ Platform, you will be on the 2.7, 2.8, or 3.4 branch of Symfony. The issues are fixed in Symfony 2.7.48, 2.8.41, and 3.4.11. Please make sure you are updated to one of these versions, or higher.

If you come across a security issue in our products, here is how you can report it to us: https://doc.ez.no/Security

05/31/2018 04:05 am

This security advisory affects installations using MySQL or MariaDB, and installations using eZ Publish Legacy, either stand-alone, or as part of eZ Platform 5.x, or in eZ Platform 1.11 and newer using LegacyBridge, or in a corresponding Community release. If you are not using Legacy in any way, and not using MySQL/MariaDB, you are not affected.

Summary

We recommend changing the character set and collation of your database tables to one supporting 4-byte UTF-8, if you're not already using this. This change may require some downtime, depending on your installation and size of your database.
If you cannot make this change (yet), we recommend blocking the use of 4-byte characters in usernames in Legacy. This is a quick and simple change.

Change character set and collation

The MySQL/MariaDB character set 'utf8' supports only 1-3 byte UTF-8 characters, not 4-byte. The 4-byte characters are used for some languages, like Chinese, and emoticons (emoji). Depending on your database type and settings, and on your site configuration, this may lead to undesired consequences, crashes, or even security issues, because the database may truncate (cut off) strings where they contain 4-byte characters. The 'utf8mb4' character set solves this problem by offering full 4-byte support. It was introduced in MySQL 5.5.3, and MariaDB 5.5. It is the default character set in eZ Platform 2.2 and newer.

When changing the character set you must also use a compatible collation (collation rules are used when comparing strings). If you use MySQL 5.5, you can use the 'utf8mb4_unicode_ci' collation. This has the limitation that it cannot tell the difference between emoticon characters, so an SQL query for one emoticon may return matches for all emoticons. If you use MySQL 5.6 or newer, you can use 'utf8mb4_unicode_520_ci' which collates emoticons properly.

Beware that InnoDB has a 767-byte limit on indexes. Because utf8mb4 reserves up to 4 bytes per character, at most 191 characters fit under that limit (191 × 4 = 764 bytes). This means that when VARCHAR columns longer than 191 characters are indexed, either the column or the index must be shortened to 191 characters BEFORE the charset can be changed. We recommend replacing the index with a new, shortened index. Here's how you can do that:

ALTER TABLE `ezbasket` DROP KEY `ezbasket_session_id`;
ALTER TABLE `ezbasket` ADD KEY `ezbasket_session_id` (`session_id` (191));

ALTER TABLE `ezcollab_group` DROP KEY `ezcollab_group_path`;
ALTER TABLE `ezcollab_group` ADD KEY `ezcollab_group_path` (`path_string` (191));

ALTER TABLE `ezcontent_language` DROP KEY `ezcontent_language_name`;
ALTER TABLE `ezcontent_language` ADD KEY `ezcontent_language_name` (`name` (191));

ALTER TABLE `ezcontentobject_attribute` DROP KEY `sort_key_string`;
ALTER TABLE `ezcontentobject_attribute` ADD KEY `sort_key_string` (`sort_key_string` (191));

ALTER TABLE `ezcontentobject_name` DROP KEY `ezcontentobject_name_name`;
ALTER TABLE `ezcontentobject_name` ADD KEY `ezcontentobject_name_name` (`name` (191));

ALTER TABLE `ezcontentobject_trash` DROP KEY `ezcobj_trash_path`;
ALTER TABLE `ezcontentobject_trash` ADD KEY `ezcobj_trash_path` (`path_string` (191));

ALTER TABLE `ezcontentobject_tree` DROP KEY `ezcontentobject_tree_path`;
ALTER TABLE `ezcontentobject_tree` ADD KEY `ezcontentobject_tree_path` (`path_string` (191));

ALTER TABLE `ezimagefile` DROP KEY `ezimagefile_file`;
ALTER TABLE `ezimagefile` ADD KEY `ezimagefile_file` (`filepath` (191));

ALTER TABLE `ezkeyword` DROP KEY `ezkeyword_keyword`;
ALTER TABLE `ezkeyword` ADD KEY `ezkeyword_keyword` (`keyword` (191));

ALTER TABLE `ezorder_status` DROP KEY `ezorder_status_name`;
ALTER TABLE `ezorder_status` ADD KEY `ezorder_status_name` (`name` (191));

ALTER TABLE `ezpolicy_limitation_value` DROP KEY `ezpolicy_limitation_value_val`;
ALTER TABLE `ezpolicy_limitation_value` ADD KEY `ezpolicy_limitation_value_val` (`value` (191));

ALTER TABLE `ezprest_authcode` DROP PRIMARY KEY;
ALTER TABLE `ezprest_authcode` ADD PRIMARY KEY (`id` (191));

ALTER TABLE `ezprest_authcode` DROP KEY `authcode_client_id`;
ALTER TABLE `ezprest_authcode` ADD KEY `authcode_client_id` (`client_id` (191));

ALTER TABLE `ezprest_clients` DROP KEY `client_id_unique`;
ALTER TABLE `ezprest_clients` ADD UNIQUE KEY `client_id_unique` (`client_id` (191),`version`);

ALTER TABLE `ezprest_token` DROP PRIMARY KEY;
ALTER TABLE `ezprest_token` ADD PRIMARY KEY (`id` (191));

ALTER TABLE `ezprest_token` DROP KEY `token_client_id`;
ALTER TABLE `ezprest_token` ADD KEY `token_client_id` (`client_id` (191));

ALTER TABLE `ezsearch_object_word_link` DROP KEY `ezsearch_object_word_link_identifier`;
ALTER TABLE `ezsearch_object_word_link` ADD KEY `ezsearch_object_word_link_identifier` (`identifier` (191));

ALTER TABLE `ezsearch_search_phrase` DROP KEY `ezsearch_search_phrase_phrase`;
ALTER TABLE `ezsearch_search_phrase` ADD UNIQUE KEY `ezsearch_search_phrase_phrase` (`phrase` (191));

ALTER TABLE `ezurl` DROP KEY `ezurl_url`;
ALTER TABLE `ezurl` ADD KEY `ezurl_url` (`url` (191));

ALTER TABLE `ezurlalias` DROP KEY `ezurlalias_desturl`;
ALTER TABLE `ezurlalias` ADD KEY `ezurlalias_desturl` (`destination_url` (191));

ALTER TABLE `ezurlalias` DROP KEY `ezurlalias_source_url`;
ALTER TABLE `ezurlalias` ADD KEY `ezurlalias_source_url` (`source_url` (191));

If you use DFS, then also the following script should be run:

ALTER TABLE `ezdfsfile` DROP KEY `ezdfsfile_name`;
ALTER TABLE `ezdfsfile` ADD KEY `ezdfsfile_name` (`name` (191));

ALTER TABLE `ezdfsfile` DROP KEY `ezdfsfile_name_trunk`;
ALTER TABLE `ezdfsfile` ADD KEY `ezdfsfile_name_trunk` (`name_trunk` (191));

ALTER TABLE `ezdfsfile` DROP KEY `ezdfsfile_expired_name`;
ALTER TABLE `ezdfsfile` ADD KEY `ezdfsfile_expired_name` (`expired`, `name` (191));

ALTER TABLE `ezdfsfile_cache` DROP KEY `ezdfsfile_name`;
ALTER TABLE `ezdfsfile_cache` ADD KEY `ezdfsfile_name` (`name` (191));

ALTER TABLE `ezdfsfile_cache` DROP KEY `ezdfsfile_name_trunk`;
ALTER TABLE `ezdfsfile_cache` ADD KEY `ezdfsfile_name_trunk` (`name_trunk` (191));

ALTER TABLE `ezdfsfile_cache` DROP KEY `ezdfsfile_expired_name`;
ALTER TABLE `ezdfsfile_cache` ADD KEY `ezdfsfile_expired_name` (`expired`, `name` (191));

Beware also that these upgrade statements may fail due to index collisions. This is because the indexes have been shortened, so duplicates may occur. If that happens, you must remove the duplicates manually, and then repeat the statements that failed.

After successfully shortening the indexes, you should change the table character set, and update your platform/legacy settings accordingly. The 7.2 kernel upgrade documentation describes the steps.
Please see: https://github.com/ezsystems/ezpublish-kernel/blob/5f2a94517267298fba58e066420107d112721bd3/doc/upgrade/7.2.md#mysqlmariadb-database-tables-character-set-change

For legacy, if you encounter errors of this kind:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '???????????????'
...then you will also need to apply the following fix:
https://github.com/ezsystems/ezpublish-legacy/commit/c1d42f751663af3d8731587363856a9868aa7723

Block 4-byte usernames in legacy

If you cannot (yet) change your character set to 'utf8mb4', and you use legacy, we strongly recommend blocking the use of 4-byte characters in usernames. An attacker could use 4-byte characters to bypass username validation in certain ways, which can result in usernames that are otherwise not allowed. This change can be made by adding the following in your site.ini configuration file:

[UserSettings]
# Enable these two lines if your MySQL database is not using the utf8mb4 character set.
UserNameValidationRegex[utf8mb4]=%(?:\xF0[\x90-\xBF][\x80-\xBF]{2}|[\xF1-\xF3][\x80-\xBF]{3}|\xF4[\x80-\x8F][\x80-\xBF]{2})%xs
UserNameValidationErrorText[utf8mb4]=The username cannot contain 4-byte characters.
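
The rule above, exercised on constructed usernames (an added example, not eZ Publish code): it applies the advisory's pattern to the UTF-8 bytes of each name and shows what a 3-byte 'utf8' column would keep. Assumptions: a regex match rejects the username (inferred from the error text), the column is in non-strict mode and cuts the value at the first 4-byte character, and all function and sample names are made up for the illustration.

```python
import re

# Pattern copied from UserNameValidationRegex[utf8mb4]. PHP's preg functions
# work on bytes unless the /u modifier is given, so it is compiled for bytes.
FOUR_BYTE_UTF8 = re.compile(
    rb"(?:\xF0[\x90-\xBF][\x80-\xBF]{2}"      # U+10000..U+3FFFF
    rb"|[\xF1-\xF3][\x80-\xBF]{3}"            # U+40000..U+FFFFF
    rb"|\xF4[\x80-\x8F][\x80-\xBF]{2})"       # U+100000..U+10FFFF
)
ERROR_TEXT = "The username cannot contain 4-byte characters."


def contains_four_byte(username):
    """True if the UTF-8 encoding of username holds a 4-byte sequence."""
    return FOUR_BYTE_UTF8.search(username.encode("utf-8")) is not None


def check_username(username):
    """Assumed semantics: a match on the pattern rejects the username."""
    if contains_four_byte(username):
        return False, ERROR_TEXT
    return True, ""


def kept_by_utf8_column(value):
    """Model (assumption) of a non-strict 3-byte 'utf8' column: the value is
    cut at the first code point above U+FFFF and the rest is discarded."""
    for index, char in enumerate(value):
        if ord(char) > 0xFFFF:
            return value[:index]
    return value


def audit(usernames):
    """For each name: is it accepted, and would the column store it intact?"""
    report = []
    for name in usernames:
        accepted, message = check_username(name)
        stored = kept_by_utf8_column(name)
        report.append({
            "submitted": name,
            "accepted": accepted,
            "message": message,
            "stored": stored,
            "stored_intact": stored == name,
        })
    return report


# Constructed sample usernames (not taken from any real installation).
SAMPLES = [
    "editor",                 # ASCII, 1 byte per character
    "Zo\u00eb",               # 2-byte character
    "\u65e5\u672c\u8a9e",     # 3-byte characters (still inside 'utf8')
    "editor\U0001F600",       # emoji: 4 bytes, stored value would shrink
    "\U00020BB7\u91ce",       # CJK Extension B character: 4 bytes
]

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(row)
```

Every name the rule rejects is one whose stored value would differ from what was submitted, which is the mismatch the validation is meant to close until the tables are converted to 'utf8mb4'.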

If you come across a security issue in our products, here is how you can report it to us: https://doc.ez.no/Security

05/24/2018 09:14 am

This issue affects installations using eZ Publish Legacy, either stand-alone, or as part of eZ Platform 5.x, or in eZ Platform 1.11 and newer using LegacyBridge. If you are not using Legacy in any way, you are not affected.
 
The package system, by design, allows you to package an extension into a file, and export/import such packages. Extensions can of course contain PHP scripts, and they usually do. Such scripts can be used in an attack on the server. This problem is fundamental and cannot be fixed by any other means than by removing the feature.
 
By default, only the Administrator has the permissions to use the package system. It follows that the Administrator role, and any others granted packaging permissions, can only be held by users who already have access to the server, and/or can be trusted not to exploit this access.
 
As a consequence eZ Publish legacy should not be used in the type of shared hosting installation where Administrators are not supposed to have access to the underlying operating system, or to other eZ Publish installations on the same server. The package system is an old part of eZ Publish legacy, and it was not designed for that kind of installation. Currently this is not considered best practice anyway - setups using e.g. Docker and Platform.sh allow you to completely separate installations from each other. This is a better way to keep things secure than relying on PHP scripts being read-only even for administrators. (The package system does not exist in eZ Platform and will not be added there, since extensions are not used there.)
 
IN SUMMARY:
If you are responsible for legacy installations where administrators cannot be fully trusted not to exploit their privileges, make sure to properly lock down the package system and/or fully separate web sites from each other. As always, make sure that the administrator password(s) are secure, and not using the default administrator password.
 
We will add this information to our public documentation soon.
 
PROPOSED QUICK SOLUTION FOR THOSE AFFECTED:
If you are administrating a shared hosting solution of this kind, it may take a while to change the setup. Meanwhile, one quick way to lock down the package system is to use rewrite rules to block all access to package URLs. Apache example:
RewriteRule ^/package/.* - [R=403,L]
or with URL-based SiteAccess:
RewriteRule ^/my_site_access/package/.* - [R=403,L]
or supporting both cases, and multiple SiteAccesses:
RewriteRule ^(/my_site_access|/my_site_access_admin)?/package/.* - [R=403,L]
This can be placed before other rules.
 
To be absolutely certain you can also (or instead of this) delete the /kernel/package directory in the eZ Publish web root. Please note that this will break the legacy installation wizard, since it relies on the package system to install the demo design.
 
Once the situation is resolved these measures should be reversed, to bring back the package features. You may want to do a review of whether the issue may have been exploited on your server(s).

02/26/2018 09:40 am

This security advisory fixes 4 separate vulnerabilities in eZ Publish Legacy, and we recommend that you install it as soon as possible if you are using Legacy by itself or via the LegacyBridge.
 
First, it increases the randomness, and thus the security, of the pseudo-random bytes used to generate a hash for the "forgot password" feature. This protects accounts against being taken over through attacks trying to predict the hash. If the increased randomness is not available in your PHP installation, it will now log a warning.
 
Second, it improves security of the information collector feature, by ensuring no collection emails will be sent from invalid manipulated forms.
 
Third, it stops the possible leaking of the names of content objects that should not be readable for certain users, on installations where these users can create or edit XML text.
 
Fourth, it protects against cross-site scripting (XSS) in the Matrix data type, on installations where users are allowed to edit content classes / content types.

We recommend that you install the security update as soon as possible.

To install, use Composer to update to one of the "Resolving versions" mentioned above, or apply these patches manually:
https://github.com/ezsystems/ezpublish-legacy/commit/917711eb7ffe2b52a3e9fe12505f6810a63696f7
https://github.com/ezsystems/ezpublish-legacy/commit/6db0e6b7739481f27d954548388bd3f0ed2c6fdd
https://github.com/ezsystems/ezpublish-legacy/commit/efcd2b61b15eaaf74e0ff28d6c723cf28e655dab
https://github.com/ezsystems/ezpublish-legacy/commit/f9ffaf590b63b4f552142cfd4441afbbfb3f19b1

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

02/26/2018 08:52 am

This security advisory fixes an information disclosure vulnerability in the legacy admin content tree menu. If a view has been disabled in site.ini [SiteAccessRules] Rules, and an attacker accesses the backend with the URL to this module, then the tree menu may be displayed. Since the tree menu may contain hidden items, this may lead to information disclosure. We recommend that you install this Security Update as soon as possible.

To install, use Composer to update to one of the "Resolving versions" mentioned above, or apply this patch manually: https://github.com/ezsystems/ezpublish-legacy/commit/a4a0470f8d80f012fe14e4f8ab11c7d14375986c

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

09/07/2017 06:48 am

This security advisory fixes a cross-site scripting (XSS) vulnerability in the content/search module in eZ Publish legacy, which allows JavaScript to be injected. We strongly recommend that you install this Security Update as soon as possible.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/c7174295fa0b9bd81bd4af908082464b0b80f278

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

08/22/2017 10:05 am

This security advisory is to fix a vulnerability where binary file content can be downloaded despite having been moved to trash, if you know the URL or are able to guess or reconstruct it. The severity is fairly low, but we still recommend installing it.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/c6e34b5b5105dd2f1718deb52ebe2055b09681b5

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

03/07/2017 07:32 am

This security advisory fixes the cross-site scripting (XSS) vulnerability CVE-2013-6780 in eZ Multiupload. This affects the Flash-based uploader.swf file in YUI, and allows JavaScript to be injected. YUI has removed the Flash file they hosted from YUI 2.x. The issue is solved by upgrading our use of YUI from 2.x to 3.x, and replacing the Flash upload functionality with HTML5. If you use the multiupload functionality, we strongly recommend that you install this Security Update as soon as possible. If you don't use multiupload, please install the update and/or disable the extension. To be fully certain that the vulnerability in the Flash-based uploader.swf cannot be exploited, it should be deleted.

To clarify, there are 3 steps to this:
1. Upgrade YUI from 2 to 3
2. Replace the Flash multiuploader with HTML5
3. Remove the old uploader.swf Flash file

If your installation is up to date, then steps 1 and 2 are already done, and only step 3 remains. Below are the patches for all situations, including for 4.x sites where eZ JS Core had its own separate repository. 5.x sites can disregard patches for that repository.

Patch for removing uploader.swf from eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/93d52cf625f4c510b8ee6c2759ce38c9fe1d266e

Patch for replacing Flash with HTML5 in eZ Multiupload: https://github.com/ezsystems/ezmultiupload/commit/d48400f4f3d02fb5fd4a795223ea1bc0fa139130
and https://github.com/ezsystems/ezmultiupload/commit/2ae76eda70b3a71608d74b814531c7e9015a065e

Patch for upgrading YUI 2 to 3 in eZ JS Core (very large patch): https://github.com/ezsystems/ezjscore/commit/509829e2bcd0ad67992b197b224311fc46366c87
Patch for removing uploader.swf from eZ JS Core: https://github.com/ezsystems/ezjscore/commit/954ee25cc6852ea126c6450b71f2c315b551734e

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

03/07/2017 07:19 am

It was found that image upload was not well enough protected against malicious file uploads. The legacy package creation handler also lacked similar protection, allowing attacks through code injection. By its nature, such a vulnerability is severe, and we strongly recommend that you patch your systems as soon as possible.

We thank Markus Wulftange of Code White for bringing this important issue to our attention in a professional and responsible manner.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/31dbbe1f99146bc163c90fd26be0e1a384312392
Patch for eZ Platform kernel: https://github.com/ezsystems/ezpublish-kernel/commit/1bdc6d29523d3d16bf81d68af64c15080c7dde9a

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

03/07/2017 04:16 am

It was found that the previous fix EZSA-2016-007 for an SQL injection security breach in the "ezsearchengine" search plugin, was not complete. There were circumstances where escaping could be breached, and injection would still be possible. By its nature, such a vulnerability is potentially severe, and we strongly recommend that you patch your systems as soon as possible.

We thank Markus Wulftange of Code White for bringing this important issue to our attention in a professional and responsible manner.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/874d7c0e739f7094671205dbf57335e670d97f3f

Have you found a security bug in eZ Publish or eZ Platform? See how to report it responsibly here: https://doc.ez.no/Security

03/07/2017 03:38 am

An SQL injection security breach has been detected in the "ezsearchengine" search plugin, which is the default if you are not using the Solr-based eZ Find extension. By its nature, such a vulnerability is potentially severe, and we strongly recommend that you patch your systems as soon as possible.

We thank Markus Wulftange of Code White for bringing this important issue to our attention in a professional and responsible manner.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/6d926593fd5c00028b8d379c7273898b3055beed

11/17/2016 03:35 am

The eZ JS Core subtree method does not impose a maximum limit on nodes to fetch. Since the result is not cached, calling this function with extremely high limits could potentially lead sites with large content databases to be overloaded. The patch adds a setting in ezjscore.ini [ezjscServer_ezjscnode] HardLimit where you can specify an upper limit. This is not set by default, you could for example set it to 100, if your site doesn't require more than this. We recommend that you install this Security Update as soon as possible.

Patch for eZ Publish (eZ JS Core): https://github.com/ezsystems/ezpublish-legacy/commit/d76ce9824dabaceeefa77530c8c611e447d1b109

09/13/2016 07:55 am

An SQL injection security breach has been detected, which allows SQL statements to be executed after language view parameters. We strongly recommend that you install this Security Update as soon as possible.

Patch for eZ Publish (legacy): https://github.com/ezsystems/ezpublish-legacy/commit/2d4a7bcffd96e472972fbd0a78185b1adf81f17c

09/13/2016 06:47 am

In legacy mode, user session data is migrated to the new session on login as expected, but also on logout. This can lead to local information disclosure and potential privilege escalation vulnerabilities. We strongly recommend that you install this Security Update as soon as possible.

Patch for eZ Platform (LegacyBridge): https://github.com/ezsystems/LegacyBridge/commit/7a2d05b266afa3901139ff2decaa178e08ff46d2

09/13/2016 06:22 am

Wrongly placed (and not actually handled) view parameters may result in disk space exhaustion since cache is stored for the generated content. We strongly recommend that you install this Security Update as soon as possible.

Patch for eZ Platform (LegacyBridge): https://github.com/ezsystems/LegacyBridge/commit/afd59b7740653a60eacd52acf20cd584c8d5154c

09/13/2016 02:41 am

This Security Update fixes a possible disclosure to unintended recipients of information collected for objects using the legacy information collection feature. If the session is cleared before accessing the collected info, the first collected info for the object is shown. If you don't use the information collection feature you are not affected, otherwise we strongly recommend that you install this Security Update as soon as possible.

Patch for eZ Publish: https://github.com/ezsystems/ezpublish-legacy/commit/39292170a6237c94b8ef624d962909e43d4c851b

07/28/2016 03:11 am

This Security Update is about a vulnerability related to the "HTTP_PROXY" environment variable and the "Proxy" HTTP header. The vulnerability can let an attacker proxy the outgoing requests of your web application, and direct the requests to a server and port of their choosing. It should be taken very seriously. You can read more about this issue here:

https://httpoxy.org/

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5385

This does not affect eZ Platform directly, so there is no patch for it, but it may affect one of our dependencies: GuzzleHttp. It may also affect your custom code, if you are using GuzzleHttp or the "HTTP_PROXY" environment variable. Please make sure that you are running a version of GuzzleHttp older than 4.0, or newer than 6.2.0. If this is not the case, update your installation using Composer, like this:

php -d memory_limit=-1 composer.phar update

07/20/2016 06:49 am

This Security Advisory is about a vulnerability in Symfony: "CVE-2015-4050 ESI unauthorized access". Applications with ESI or SSI support enabled, that use the FragmentListener, are vulnerable to unauthorized access. Meaning, your application is affected if ESI/SSI is enabled in your config.yml, but you haven't disabled the FragmentListener (framework -> fragments -> enabled: false). We strongly recommend that you install this Security Update as soon as possible.

To install, please execute this command from your eZ Publish directory:
php -d memory_limit=-1 composer.phar update --no-dev --prefer-dist --with-dependencies symfony/symfony

Further reading on the Symfony update: http://symfony.com/blog/cve-2015-4050-esi-unauthorized-access

For documentation on use of Composer see: https://doc.ez.no/display/EZP/Using+Composer

05/27/2015 06:32 am

This Security Update fixes a vulnerability in the eZ Publish password recovery function. You need to have the PHP OpenSSL extension (ext-openssl) installed to take full advantage of the improved security, but even without it security is improved. We strongly recommend that you install this Security Update as soon as possible.

Patch for eZ Publish: https://github.com/ezsystems/ezpublish-legacy/commit/5908d5ee65fec61ce0e321d586530461a210bf2a

05/11/2015 04:17 am

This patch was bundled in EZSA-2014-005. It got an entry here only for internal systems reasons. There is nothing more to install.

05/11/2015 03:16 am

This patch was bundled in EZSA-2014-005. It got an entry here only for internal systems reasons. There is nothing more to install.

05/11/2015 03:16 am

This patch was bundled in EZSA-2014-005. It got an entry here only for internal systems reasons. There is nothing more to install.

05/11/2015 03:16 am

This patch was bundled in EZSA-2014-005. It got an entry here only for internal systems reasons. There is nothing more to install.

05/11/2015 03:15 am

This patch was bundled in EZSA-2014-005. It got an entry here only for internal systems reasons. There is nothing more to install.

05/11/2015 03:15 am

This patch was bundled in EZSA-2014-005. It got an entry here only for internal systems reasons. There is nothing more to install.

05/11/2015 03:15 am

This patch was bundled in EZSA-2014-005. It got an entry here only for internal systems reasons. There is nothing more to install.

05/11/2015 03:15 am

This Security Update fixes several cross site scripting (XSS) vulnerabilities in the eZ Publish administration interface. The update ensures that injected code cannot be executed. To fully fix these issues, several extensions must be patched. These are all bundled in this patch, but received separate advisory titles for internal systems reasons.

Please ensure that you install the updates for all of these extensions if you have them. We strongly recommend that you install this Security Update as soon as possible.

Patches for eZ Publish:
https://github.com/ezsystems/ezpublish-legacy/commit/bcb22cf78b3f66536f23e6957a1763684d13b161
https://github.com/ezsystems/ezpublish-legacy/commit/0c1e1ba1fe03d4cb0ebf484ca04bf770ced7bac3
https://github.com/ezsystems/ezpublish-legacy/commit/6df161f3b89cf389b70fddd6627973cf69623f61
https://github.com/ezsystems/ezpublish-legacy/commit/058aa09dde82efee24ac702bf1afb0078ecb04d3
https://github.com/ezsystems/ezsurvey/commit/da64f3353a91b04219189db46426d566682ca70f
https://github.com/ezsystems/ezwebin/commit/4afc8926d0842523c865abd673e8ab6e47508a15
https://github.com/ezsystems/ezmbpaex/commit/4e9d952a5652ef2d84558cb45af63c0f59a809b3
https://github.com/ezsystems/ezcomments/commit/fcfe2db56cb79e162e2fcef7ca074afad4cb092a
https://github.com/ezsystems/ezfind/commit/a4d6ab3883f1439f9e2e38e621d7b2f23f2297e7
https://github.com/ezsystems/ezdemo/commit/b7d75bd55fb2b36d965c1b4ac0f808de273d3708

Related to:
EZSA-2014-006 (eZ Online Editor): No patch, bundled here.
EZSA-2014-007 (eZ Find): No patch, bundled here.
EZSA-2014-008 (eZ Webin): No patch, bundled here.
EZSA-2014-009 (eZ Survey): No patch, bundled here.
EZSA-2014-010 (eZ Comments): No patch, bundled here.
EZSA-2014-011 (eZ MB Paex): No patch, bundled here.
EZSA-2014-012 (eZ Demo): No patch, bundled here.

05/11/2015 02:35 am

This Security Update fixes a vulnerability in user authentication. A user who had been logged in correctly and then logged out, could login again, to the same user account, without authenticating with the server. We strongly recommend that you install this Security Update as soon as possible.

Patch for eZ Publish:
https://github.com/ezsystems/ezpublish-legacy/commit/9bbdead9e0ce18ec6d0396903126e6e1bd5561e2

05/08/2015 09:38 am