Security release 1.4.0 of the CWP Basic Recipe has been released on the 7th June 2016.
This release includes some medium level security fixes to cms and framework.
When do you need to perform this upgrade?
This upgrade is not mandatory. This upgrade fixes several security flaws. SilverStripe has determined that the severity and breadth of applicability of the flaws does not constitute a need for a CWP-wide emergency upgrade.
Because it includes security fixes, all Agencies using Recipe 1.3.0 or below should strongly consider upgrading to Recipe 1.4.0. Agencies should make their own determination on whether these issues present sufficient threat to their site to require an upgrade. If you are unsure, it is safest to upgrade.
If you would like SilverStripe to carry out this upgrade for you, please let us know and we will arrange this with you.
Agencies are expected to regularly carry out upgrades, because as time passes we end support for old versions. Please read our release management guide and CWP Versions and Support Deadlines and technical upgrade instructions for more information.
What is in release 1.4.0?
This upgrade includes CMS and Framework version 3.4.0, which introduces general API improvements and enhancements. However, these changes are much less significant than those introduced in version 3.3.0, and the risk of regressions in this upgrade is minimal.
The recipe includes two enhancements funded by the CWP co-fund pool:
- Better CMS password protection when resetting password
- Increased encryption strength on Active Directory module to 256 bits
Other enhancements include:
- Improvement to ArrayList API
- Improved permission checking
- Improvements to Image manipulation API
- Improved support for versioned and subsite content in fulltextsearch
- Improvements in spam protection for userforms module
This release also includes the following security fixes:
- SS-2016-006: Missing CSRF protection in login form
- SS-2016-005: Brute force bypass on default admin
- SS-2016-004: XSS in CMS Edit Page
- SS-2016-001: XSS in CMSController BackURL
- SS-2015-029: CSRF vulnerability in savetreenodes
Please see the full CWP Recipe 1.4.0 changelog for more details.
Why isn’t there a 1.3.1 release?
This release includes some security improvements that we recommend for all CWP users. We have labelled this recipe release “1.4.0” rather than “1.3.1” because one of the security improvements—asking for the old password when changing to a new one—introduces a new feature that is visible to users, as opposed to being an “invisible” bug-fix.
Technical Upgrade Guide
A description for technical staff on how to carry out an upgrade is found here.