From 5fd16cd7e1b2484b050f66068ab70891a2f6c1db Mon Sep 17 00:00:00 2001 From: Maxime Rainville Date: Mon, 17 Feb 2020 17:47:23 +1300 Subject: [PATCH] Add 4.5.1 changelog --- docs/en/04_Changelogs/4.5.1.md | 53 +++++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 7 deletions(-) diff --git a/docs/en/04_Changelogs/4.5.1.md b/docs/en/04_Changelogs/4.5.1.md index ac581ad8e..a7888042f 100644 --- a/docs/en/04_Changelogs/4.5.1.md +++ b/docs/en/04_Changelogs/4.5.1.md @@ -1,4 +1,4 @@ -# 4.4.5 +# 4.5.1 ## Security patches @@ -6,13 +6,52 @@ This release contains security patches ### CVE-2019-1935 (CVSS 7.5) -Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). This can lead to phishing attempts to obtain a user's credentials or other sensitive user input. There is no known attack vector for extracting user-session information or credentials automatically, it required a user to fall for the phishing attempt. XSS can also be used to modify the presentation of content in malicious ways. +Silverstripe Forms allow malicious HTML or JavaScript to be inserted through non-scalar FormField attributes, which allows performing XSS (Cross-Site Scripting) on some forms built with user input (Request data). -The vulnerability is known to apply in at least the following cases: +See [cve-2019-19325](https://www.silverstripe.org/download/security-releases/cve-2019-19325) -The login form provided by Silverstripe. When the login form is used with Multi Factor Authentication (MFA), the attack complexity for phishing increases, and is mitigated by using security keys such as Yubikey as an unphishable token. -Forms which are configured to populate field values based on request parameters. This usually happens via setting the $value on a FormField instance during construction of the form, or by loading request data via Form->loadDataFrom($myRequest->getVars()). -Forms which have form validation applied through RequiredFields, and opt-out of using CSRF tokens via disableSecurityToken(). In this case, the vulnerability is more impactful if the form is also configured to accept GET submissions, rather than the default of POST submissions. -The vulnerability has not identified on forms created through the silverstripe/userforms module. + +## Change Log +### Security + + * 2020-02-12 [d515e5e](https://github.com/silverstripe/silverstripe-admin/commit/d515e5eced1787d99d4ca1520e01513c2031a627) XSS through non-scalar FormField attributes (Serge Latyntcev) - See [cve-2019-19325](https://www.silverstripe.org/download/security-releases/cve-2019-19325) + * 2020-02-03 [ad1b00ec7](https://github.com/silverstripe/silverstripe-framework/commit/ad1b00ec7dc1589a05bfc7f5f8207489797ef714) XSS through non-scalar FormField attributes (Serge Latyntcev) - See [cve-2019-19325](https://www.silverstripe.org/download/security-releases/cve-2019-19325) + +### Features and Enhancements + + * 2020-01-14 [63b24d7](https://github.com/silverstripe/silverstripe-admin/commit/63b24d785cd5e8e53d78bae603f0d5fda9af6d74) Add new block icon set for open source use (Sacha Judd) + +### Bugfixes + + * 2020-02-16 [b1576a8](https://github.com/silverstripe/silverstripe-graphql/commit/b1576a820109e7840093620b52c6a0fcaa597e7f) ensure canView check is run on returned items (#8) (Steve Boyd) + * 2020-02-13 [62a68f4](https://github.com/silverstripe/silverstripe-admin/commit/62a68f480f5383f092155d450fd9279d27694e9c) Add back missing edit-write icon (Sacha Judd) + * 2020-02-11 [f7d09b1](https://github.com/silverstripe/silverstripe-versioned-admin/commit/f7d09b1704ce6f27b9d8a4b125e000a29299bfa5) Update core requirements to 4.5 series (Garion Herman) + * 2020-02-10 [bddb5ad](https://github.com/silverstripe/silverstripe-versioned/commit/bddb5ad97c15034d2fecf120048aecea69404a3d) Update core requirement to 4.5 series (Garion Herman) + * 2020-02-10 [62de5181](https://github.com/silverstripe/silverstripe-siteconfig/commit/62de51815cd2d9142974bfd4d0761ac45847b3c2) Update core requirements to 4.5 series (Garion Herman) + * 2020-02-10 [7436e11d](https://github.com/silverstripe/silverstripe-reports/commit/7436e11d4fb8c057b5fbe6cf482b35ac4a9443b8) Update core requirements to 4.5 series (Garion Herman) + * 2020-02-10 [2742d74](https://github.com/silverstripe/silverstripe-errorpage/commit/2742d74b42e4b77775b63fbb0771924576bed09a) Update CMS requirement to 4.5 series (Garion Herman) + * 2020-02-10 [664e6c99](https://github.com/silverstripe/silverstripe-cms/commit/664e6c99c0c0ac2733245024e461f2454c07ad05) Update core requirements to 4.5 series (Garion Herman) + * 2020-02-10 [ad5858a](https://github.com/silverstripe/silverstripe-campaign-admin/commit/ad5858ae28a8a7f25423b22990d561a6c7dac9e3) Update core requirements to 4.5 series (Garion Herman) + * 2020-02-10 [5053663](https://github.com/silverstripe/silverstripe-asset-admin/commit/50536635359c1fb3d2da06ed558fe07d25757dac) Update core requirements to 4.5 series (Garion Herman) + * 2020-02-10 [93d1acc](https://github.com/silverstripe/silverstripe-assets/commit/93d1acc4d53edb2affcb1d318edb721a6e307f66) Update framework requirement to 4.5 series (Garion Herman) + * 2020-02-05 [5dec950](https://github.com/silverstripe/silverstripe-asset-admin/commit/5dec9505f415f6396c9437a625ae2872e89c8cdd) do not render ImageSizePresentList react component for remote files (Steve Boyd) + * 2020-02-04 [ca36a47bb](https://github.com/silverstripe/silverstripe-framework/commit/ca36a47bb1de577ae8bc2a81ac20eb5f804fc7e1) Update ORM DBField types to use Injector in scaffoldFormField() (mnuguid) + * 2020-01-23 [9750538a](https://github.com/silverstripe/silverstripe-cms/commit/9750538a5a4b65464d43e673403128c34bbbaabe) Update URLSegment field on enter key, rather than saving page (Garion Herman) + * 2020-01-23 [aa31b3d](https://github.com/silverstripe/silverstripe-versioned-admin/commit/aa31b3debbe6e98f9e54fc4fc646eb3df63931d4) Adjust diff styling to improve accessibility (Garion Herman) + * 2020-01-23 [dd8c2ce](https://github.com/silverstripe/silverstripe-assets/commit/dd8c2ce3ca8c6069fbd4ad6fcad156d5f9b150bd) temp images not being deleted if error is thrown (bergice) + * 2020-01-23 [76f1abc](https://github.com/silverstripe/silverstripe-versioned-admin/commit/76f1abc43900d14751a86d7faf57f0ca7f05fde8) Changed revert button title when revert is possible. (bergice) + * 2020-01-22 [82a76b93](https://github.com/silverstripe/silverstripe-cms/commit/82a76b9300d33e388684160ac6255cb36ab4cd75) Fix alert showing for unrelated elements (bergice) + * 2020-01-07 [089053b](https://github.com/silverstripe/silverstripe-admin/commit/089053b42d5561720bdb08203371db1c94cadcf9) Make discard confirmations show up when navigating away from editing files (bergice) + * 2019-12-16 [8edf14d](https://github.com/silverstripe/silverstripe-assets/commit/8edf14dee8deacd2a0bd013344dd26089e8e8b36) VersionedFilesMigrator auto-generated .htaccess directives (Serge Latyntcev) + * 2019-12-15 [fbc37fb](https://github.com/silverstripe/silverstripe-versioned/commit/fbc37fb6e74b90b72c7313fc428beec81b9ee4de) Default WasDraft to true when migrating versioned DataObject (#240) (Maxime Rainville) + * 2019-12-11 [e229a98](https://github.com/silverstripe/silverstripe-assets/commit/e229a98e8e0d2554d7b6ab8408d10cbd54db12c0) Fixes #352 with guard for Folder query result (Russell Michell) + * 2019-12-09 [be5234d](https://github.com/silverstripe/silverstripe-graphql/commit/be5234d089e0835c5d18248dee4ba53f09d539dc) Reference the correct filters for endswith and startswith (Maxime Rainville) + * 2019-11-26 [04c377f](https://github.com/silverstripe/silverstripe-errorpage/commit/04c377f33371b1ec7c8b4e28da7bb766294d62cf) Fix phpcs install, phpunit name (Serge Latyntcev) + * 2019-11-24 [f78b7a5](https://github.com/silverstripe/silverstripe-asset-admin/commit/f78b7a5e1eca2a13caf4b53085a4f8c9a9dd33fa) Update build script to copy images to dist folder (Maxime Rainville) + * 2019-11-22 [af55826](https://github.com/silverstripe/silverstripe-asset-admin/commit/af558265416a1d98648d98341f2236ef05124d3b) Fix missing dist images (Damian Mooyman) + * 2019-11-15 [64654ec](https://github.com/silverstripe/silverstripe-assets/commit/64654ec9f606a96ee02b50606c8f3a5656904efa) Retrieve file by filename (Maxime Rainville) + * 2019-11-14 [4372544](https://github.com/silverstripe/silverstripe-assets/commit/43725448768422448fe96be842ed5c754a654693) Fix linting issue in VersionedFilesMigrationTask and VersionedFilesMigrator (Maxime Rainville) + * 2019-11-04 [d32b280](https://github.com/silverstripe/silverstripe-errorpage/commit/d32b28011c85fe509919cac72a4b314466dc99ae) Resolve issue where dev/build does not refresh static content (Damian Mooyman) +