From b31b064f220d4a2c1561af9bfa4096e4a0433275 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 11:03:36 +0100 Subject: [PATCH 01/15] Updated 3.3 and 4.6 release variables --- mkdocs.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/mkdocs.yml b/mkdocs.yml index fdd7f11f50..b9bc73c660 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -923,14 +923,14 @@ extra: # Global variables - latest tag versions latest_tag_2_5: '2.5.32' - latest_tag_3_3: '3.3.40' + latest_tag_3_3: '3.3.41' latest_tag_4_0: '4.0.8' latest_tag_4_1: '4.1.5' latest_tag_4_2: '4.2.4' latest_tag_4_3: '4.3.5' latest_tag_4_4: '4.4.4' latest_tag_4_5: '4.5.7' - latest_tag_4_6: '4.6.13' + latest_tag_4_6: '4.6.14' symfony_doc: 'https://symfony.com/doc/5.4' user_doc: 'https://doc.ibexa.co/projects/userguide/en/master' From 6359d7ef616720ce94556f3db28c702b71653a2a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 13:28:25 +0100 Subject: [PATCH 02/15] Added update instructions --- .../from_3.3/update_from_3.3.md | 63 ++++++++++++++++++- .../from_4.6/update_from_4.6.md | 62 ++++++++++++++++++ 2 files changed, 124 insertions(+), 1 deletion(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index da2f135b8d..d6dfc7f4ac 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md 
@@ -440,7 +440,68 @@ Run the following scripts: ### v3.3.40 -A command to deal with duplicated database entries, as reported in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562), will be available soon. +No additional steps needed. + +## v3.3.41 + +### Security + +This release contains security changes. +For each of following advisories evaluate the vulnerability to determine whether you might have been affected. +If so, take appropriate action, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. + +You can find the two advisories below: + +#### BREACH attack + +If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. +Fastly users are not affected. + +=== Varnish on [[= product_name_cloud =]] + + Update the Varnish configuration. + + Generate new configuration with the following command: + + ```bash + composer ibexa:setup --platformsh + ``` + + Review the changes, merge with your custom settings if needed, and commit them to Git before deployment. + +=== Varnish 6 + + Update your Varnish VCL file to align it with the [`vendor/ezsystems/ezplatform-http-cache/docs/varnish/vcl/varnish5.vcl`](https://github.com/ezsystems/ezplatform-http-cache/blob/2.3/docs/varnish/vcl/varnish5.vcl) file. + +=== Varnish 7 + + Update your Varnish VCL file to align it with the [`vendor/ezsystems/ezplatform-http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ezsystems/ezplatform-http-cache/blob/2.3/docs/varnish/vcl/varnish7.vcl) file. + ``` + +For more information, see the security advisory[TODO: insert link]. + +#### Outdated version of jQuery in ibexa/ezcommerce-shop package + +There are no code changes to execute. +For more information, see the security advisory[TODO: insert link]. 
+ +### Remove duplicated entries in `ezcontentobject_attribute` table +This release comes with a command to clean up the duplicated entries in the `ezcontentobject_attribute` table, caused by the issue described in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562). + +If you're affected you can remove the duplicated entries by running the following command: +``` bash +php bin/console ibexa:content:remove-duplicate-fields +``` + +!!! caution + + Remember about [**proper database backup**](backup.md) before running the command in the production environment. + +You can customize the behavior of the command with the following options: + +- `batch-size` or `b` - number of attributes affected per iteration. Default value = 10000. +- `max-iterations` or `i` - max. iterations count (default or -1: unlimited). Default value = -1. +- `sleep` or `s` - wait time between iterations, in milliseconds. Default value = 0. ## Finish the update diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 6c18eba6da..52abf07126 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md 
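Review bot: the Varnish 7 tab in this hunk ends with a stray closing fence (the line holding only ``` after the varnish7.vcl link) that has no opening fence; in MkDocs it starts a code block that swallows the rest of the section up to the next fence, so drop it. In the same hunk, `## v3.3.41` sits one level above the `### v3.3.40` heading it follows, and the three `=== Varnish ...` tab titles must be quoted (`=== "Varnish 6"`) for the tabbed-content extension to render them. The `[TODO: insert link]` placeholders need to be resolved before merge, and `For each of following advisories evaluate` is missing "the" and a comma.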
@@ -163,3 +163,65 @@ You can customize the behavior of the command with the following options: - `batch-size` or `b` - number of attributes affected per iteration. Default value = 10000. - `max-iterations` or `i` - max. iterations count (default or -1: unlimited). Default value = -1. - `sleep` or `s` - wait time between iterations, in milliseconds. Default value = 0. + +## v4.6.14 + +### Security + +This release contains security changes. +For each of following advisories evaluate the vulnerability to determine whether you might have been affected. +If so, take appropriate action promptly, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. + +You can find the three advisories below: + +#### BREACH attack + +If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. +Fastly users are not affected. + +=== Varnish on [[= product_name_cloud =]] + + Update Platform.sh configuration and scripts. + + Generate new configuration with the following command: + + ```bash + composer ibexa:setup --platformsh + ``` + + Review the changes, merge with your custom settings if needed, and commit them to Git before deployment. + +=== Varnish 6 + + Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish5.vcl`](https://github.com/ibexa/http-cache/blob/4.6/docs/varnish/vcl/varnish6.vcl) file. + +=== Varnish 7 + + Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ibexa/http-cache//blob/4.6/docs/varnish/vcl/varnish7.vcl) file. + ``` + +For more information, see the security advisory[TODO: insert link]. + +#### XSS in Content name pattern + +There are no code changes to apply. + +For more information, see the security advisory[TODO: insert link]. 
+ +#### Outdated version of jQuery in ibexa/ezcommerce-shop package + +Only users of the [old Commerce solution](update_from_4.3_old_commerce.md) are affected. +There are no code changes to apply. + +For more information, see the security advisory[TODO: insert link]. + +### Disable translations of identifiers in Product Catalog's categories + +The possibility of translating identifiers and parent information for the Categories in Product Catalog might lead to data consistency issues. + +Disable it by running the following migration: + +``` bash +php bin/console ibexa:migrations:import vendor/ibexa/product-catalog/src/bundle/Resources/migrations/2024_07_25_07_00_non_translatable_product_categories.yaml --name=2024_07_25_07_00_non_translatable_product_categories.yaml +php bin/console ibexa:migrations:migrate --file=2024_07_25_07_00_non_translatable_product_categories.yaml +``` From 4cce92ba24e6b7bba3d5c28cd3d702e545dfa718 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 13:43:59 +0100 Subject: [PATCH 03/15] Fixed headings --- docs/update_and_migration/from_3.3/update_from_3.3.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index d6dfc7f4ac..571291386d 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -442,9 +442,9 @@ Run the following scripts: No additional steps needed. -## v3.3.41 +### v3.3.41 -### Security +#### Security This release contains security changes. For each of following advisories evaluate the vulnerability to determine whether you might have been affected. 
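Review bot: in the 4.6 hunk the Varnish 6 tab's link text names `varnish5.vcl` while its URL points at `varnish6.vcl`, and the Varnish 7 URL carries a doubled slash (`https://github.com/ibexa/http-cache//blob/4.6/...`); make text and target agree and fix the path. The stray closing ``` after the Varnish 7 tab and the unquoted `=== Varnish ...` tab titles from the 3.3 hunk are repeated here. The remediation example `revoking passwords ... for all affected users` does not follow from any of the three fixes listed (response compression, XSS in content name pattern, outdated jQuery); say per fix what action applies, or drop the example rather than suggest a blanket password reset.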
@@ -452,7 +452,7 @@ If so, take appropriate action, for example by [revoking passwords](https://doc. You can find the two advisories below: -#### BREACH attack +##### BREACH attack If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. Fastly users are not affected. @@ -480,12 +480,12 @@ Fastly users are not affected. For more information, see the security advisory[TODO: insert link]. -#### Outdated version of jQuery in ibexa/ezcommerce-shop package +##### Outdated version of jQuery in ibexa/ezcommerce-shop package There are no code changes to execute. For more information, see the security advisory[TODO: insert link]. -### Remove duplicated entries in `ezcontentobject_attribute` table +#### Remove duplicated entries in `ezcontentobject_attribute` table This release comes with a command to clean up the duplicated entries in the `ezcontentobject_attribute` table, caused by the issue described in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562). If you're affected you can remove the duplicated entries by running the following command: From 15ca3e150812fa2eda334c514b3bdd5b87b60735 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 13:48:17 +0100 Subject: [PATCH 04/15] Formatting fixes --- .../from_3.3/update_from_3.3.md | 6 +++--- .../from_4.6/update_from_4.6.md | 16 ++++++---------- 2 files changed, 9 insertions(+), 13 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index 571291386d..fc366b8149 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md 
@@ -457,7 +457,7 @@ You can find the two advisories below: If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. Fastly users are not affected. -=== Varnish on [[= product_name_cloud =]] +=== "Varnish on [[= product_name_cloud =]]" Update the Varnish configuration. @@ -469,11 +469,11 @@ Fastly users are not affected. Review the changes, merge with your custom settings if needed, and commit them to Git before deployment. -=== Varnish 6 +=== "Varnish 6" Update your Varnish VCL file to align it with the [`vendor/ezsystems/ezplatform-http-cache/docs/varnish/vcl/varnish5.vcl`](https://github.com/ezsystems/ezplatform-http-cache/blob/2.3/docs/varnish/vcl/varnish5.vcl) file. -=== Varnish 7 +=== "Varnish 7" Update your Varnish VCL file to align it with the [`vendor/ezsystems/ezplatform-http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ezsystems/ezplatform-http-cache/blob/2.3/docs/varnish/vcl/varnish7.vcl) file. ``` diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 52abf07126..8c0aa14f10 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -170,7 +170,7 @@ You can customize the behavior of the command with the following options: This release contains security changes. For each of following advisories evaluate the vulnerability to determine whether you might have been affected. -If so, take appropriate action promptly, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. +If so, take appropriate action, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. You can find the three advisories below: 
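Review bot: quoting the tab titles fixes rendering, but the stray closing ``` after the Varnish 7 tab is still visible in this hunk's trailing context (`file.` followed by a lone ```), and since the tab block is being touched anyway this is the place to remove it in both files.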
@@ -179,7 +179,7 @@ You can find the three advisories below: If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. Fastly users are not affected. -=== Varnish on [[= product_name_cloud =]] +=== "Varnish on [[= product_name_cloud =]]" Update Platform.sh configuration and scripts. @@ -191,11 +191,11 @@ Fastly users are not affected. Review the changes, merge with your custom settings if needed, and commit them to Git before deployment. -=== Varnish 6 +=== "Varnish 6" Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish5.vcl`](https://github.com/ibexa/http-cache/blob/4.6/docs/varnish/vcl/varnish6.vcl) file. -=== Varnish 7 +=== "Varnish 7" Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ibexa/http-cache//blob/4.6/docs/varnish/vcl/varnish7.vcl) file. ``` @@ -204,16 +204,12 @@ For more information, see the security advisory[TODO: insert link]. #### XSS in Content name pattern -There are no code changes to apply. - -For more information, see the security advisory[TODO: insert link]. +There are no code changes to apply. For more information, see the security advisory[TODO: insert link]. #### Outdated version of jQuery in ibexa/ezcommerce-shop package Only users of the [old Commerce solution](update_from_4.3_old_commerce.md) are affected. -There are no code changes to apply. - -For more information, see the security advisory[TODO: insert link]. +There are no code changes to apply. For more information, see the security advisory[TODO: insert link]. ### Disable translations of identifiers in Product Catalog's categories From 644f138574244192c0ee57eadea58041d88a0734 Mon Sep 17 00:00:00 2001 
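Review bot: the Varnish 6 link-text/URL mismatch (`varnish5.vcl` vs `varnish6.vcl`) and the `http-cache//blob` double slash are still present in this hunk's context lines and should be fixed here. Joining `There are no code changes to apply.` and `For more information, ...` onto one line breaks the one-sentence-per-line convention the rest of this section follows; keep them on separate lines.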
From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 13:58:50 +0100 Subject: [PATCH 05/15] Added mention about Apache and Nginx --- docs/update_and_migration/from_3.3/update_from_3.3.md | 5 ++++- docs/update_and_migration/from_4.6/update_from_4.6.md | 3 +++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index fc366b8149..d7c16e806c 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -478,7 +478,10 @@ Fastly users are not affected. Update your Varnish VCL file to align it with the [`vendor/ezsystems/ezplatform-http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ezsystems/ezplatform-http-cache/blob/2.3/docs/varnish/vcl/varnish7.vcl) file. ``` -For more information, see the security advisory[TODO: insert link]. +If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the webserver configuration. +For more information. see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). + +For more information about the vulnerability, see the security advisory[TODO: insert link]. ##### Outdated version of jQuery in ibexa/ezcommerce-shop package diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 8c0aa14f10..735dfea080 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md 
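Review bot: `For more information. see the` has a period where a comma belongs. `adjust the compressed Content Type in the webserver configuration` is too vague to act on: name the content types to exclude from compression (the REST API and JSON responses already mentioned above) in the text itself, because a link to a pull-request diff on GitHub is a fragile long-term reference for a versioned documentation page.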
@@ -200,6 +200,9 @@ Fastly users are not affected. Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ibexa/http-cache//blob/4.6/docs/varnish/vcl/varnish7.vcl) file. ``` +If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the webserver configuration. +For more information. see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). + For more information, see the security advisory[TODO: insert link]. #### XSS in Content name pattern From b523302cc7ee0f1ec968a138cc64c0c1ecd75ee7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 14:00:45 +0100 Subject: [PATCH 06/15] Heading changes --- docs/update_and_migration/from_3.3/update_from_3.3.md | 4 +++- docs/update_and_migration/from_4.6/update_from_4.6.md | 4 +++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index d7c16e806c..b9fcd70444 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -488,7 +488,9 @@ For more information about the vulnerability, see the security advisory[TODO: in There are no code changes to execute. For more information, see the security advisory[TODO: insert link]. -#### Remove duplicated entries in `ezcontentobject_attribute` table +#### Other changes + +##### Remove duplicated entries in `ezcontentobject_attribute` table This release comes with a command to clean up the duplicated entries in the `ezcontentobject_attribute` table, caused by the issue described in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562). If you're affected you can remove the duplicated entries by running the following command: 
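Review bot: the same `For more information. see the` typo is introduced in the 4.6 hunk; fix both copies. The `#### Other changes` heading added to the 3.3 file sits at the same level as `#### Security`, which matches that file's `### v3.3.41` / `####` structure, so that part is fine.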
diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 735dfea080..3e8f6038cd 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -214,7 +214,9 @@ There are no code changes to apply. For more information, see the security advis Only users of the [old Commerce solution](update_from_4.3_old_commerce.md) are affected. There are no code changes to apply. For more information, see the security advisory[TODO: insert link]. -### Disable translations of identifiers in Product Catalog's categories +#### Other changes + +#### Disable translations of identifiers in Product Catalog's categories The possibility of translating identifiers and parent information for the Categories in Product Catalog might lead to data consistency issues. From d75f69ce2019c5af21c5b74a2c4dbc1f86653af2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 14:02:18 +0100 Subject: [PATCH 07/15] Fixed Varnish link --- docs/update_and_migration/from_4.6/update_from_4.6.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 3e8f6038cd..e8eac96ce4 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -193,7 +193,7 @@ Fastly users are not affected. === "Varnish 6" - Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish5.vcl`](https://github.com/ibexa/http-cache/blob/4.6/docs/varnish/vcl/varnish6.vcl) file. + Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish6.vcl`](https://github.com/ibexa/http-cache/blob/4.6/docs/varnish/vcl/varnish6.vcl) file. === "Varnish 7" 
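Review bot: in the 4.6 hunk `#### Other changes` is immediately followed by `#### Disable translations of identifiers ...` at the same level, so the item does not nest under it; this file uses `## v4.6.14` / `### Security` / `#### ...`, so the new heading should be `### Other changes`. The Varnish 6 link-text fix is correct, but the `http-cache//blob` double slash on the Varnish 7 line directly below it is left untouched.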
From 9fd8e842672ea1517c4fd8289a1a65a2ef524405 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 14:27:58 +0100 Subject: [PATCH 08/15] Reworded lack of update steps --- docs/update_and_migration/from_3.3/update_from_3.3.md | 2 +- docs/update_and_migration/from_4.6/update_from_4.6.md | 6 ++++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index b9fcd70444..cd65a5dbfb 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -485,7 +485,7 @@ For more information about the vulnerability, see the security advisory[TODO: in ##### Outdated version of jQuery in ibexa/ezcommerce-shop package -There are no code changes to execute. +There are no additional update steps to execute. For more information, see the security advisory[TODO: insert link]. #### Other changes diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index e8eac96ce4..33363c58c6 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md 
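Review bot: `There are no additional update steps to execute.` reads awkwardly; `There are no additional update steps.` says the same and matches `No additional steps needed.` used for v3.3.40 earlier in this file. The same wording is applied to the 4.6 file in the next hunk.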
@@ -207,12 +207,14 @@ For more information, see the security advisory[TODO: insert link]. #### XSS in Content name pattern -There are no code changes to apply. For more information, see the security advisory[TODO: insert link]. +There are no additional update steps to execute. +For more information, see the security advisory[TODO: insert link]. #### Outdated version of jQuery in ibexa/ezcommerce-shop package Only users of the [old Commerce solution](update_from_4.3_old_commerce.md) are affected. -There are no code changes to apply. For more information, see the security advisory[TODO: insert link]. +There are no additional update steps to execute. +For more information, see the security advisory[TODO: insert link]. #### Other changes From d4a5fb9dec654b9a55c2741cd7b9755cb2c1b191 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 15:20:56 +0100 Subject: [PATCH 09/15] Update docs/update_and_migration/from_3.3/update_from_3.3.md Co-authored-by: Adrien Dupuis <61695653+adriendupuis@users.noreply.github.com> --- docs/update_and_migration/from_3.3/update_from_3.3.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index cd65a5dbfb..6c7790796b 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md 
@@ -504,9 +504,9 @@ php bin/console ibexa:content:remove-duplicate-fields You can customize the behavior of the command with the following options: -- `batch-size` or `b` - number of attributes affected per iteration. Default value = 10000. -- `max-iterations` or `i` - max. iterations count (default or -1: unlimited). Default value = -1. -- `sleep` or `s` - wait time between iterations, in milliseconds. Default value = 0. +- `--batch-size` or `-b` - number of attributes affected per iteration. Default value = 10000. +- `--max-iterations` or `-i` - max. iterations count (default or -1: unlimited). Default value = -1. +- `--sleep` or `-s` - wait time between iterations, in milliseconds. Default value = 0. ## Finish the update From 0322d98ef3c2b695cb446a530e27a5de653d0519 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 16:08:28 +0100 Subject: [PATCH 10/15] Review: added BREACH explanantion and mentioned another webserver template change --- .../update_and_migration/from_3.3/update_from_3.3.md | 11 ++++++++++- .../update_and_migration/from_4.6/update_from_4.6.md | 12 ++++++++++-- 2 files changed, 20 insertions(+), 3 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index 6c7790796b..ab1cd42997 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -452,7 +452,9 @@ If so, take appropriate action, for example by [revoking passwords](https://doc. You can find the two advisories below: -##### BREACH attack +##### BREACH vulnerability + +[The BREACH attack](https://www.breachattack.com/) is a security vulnerability against HTTPS when using HTTP compression. If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. Fastly users are not affected. 
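Review bot: the `--batch-size` / `-b` option fix is applied only to update_from_3.3.md; the identical list in update_from_4.6.md (visible as context at the top of the PATCH 02 hunk, `batch-size` or `b` ...) keeps the bare names and needs the same change. On the BREACH sentence, `a security vulnerability against HTTPS when using HTTP compression` is accurate but gives the reader no reason why REST API and JSON responses in particular must be excluded from compression; one clause noting that BREACH recovers secrets embedded in a compressed response (tokens, for example) by measuring response length would justify the VCL change.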
@@ -508,6 +510,13 @@ You can customize the behavior of the command with the following options: - `--max-iterations` or `-i` - max. iterations count (default or -1: unlimited). Default value = -1. - `--sleep` or `-s` - wait time between iterations, in milliseconds. Default value = 0. +##### Update webserver configuration + +Adjust the webserver configuration to prevent direct access to the `index.php` file when using URLs consisting of multiple path segments. + +See [the updated Apache and nginx template files](https://github.com/ibexa/post-install/pull/70/files) for more information. + + ## Finish the update [[% include 'snippets/update/finish_the_update.md' %]] diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 33363c58c6..61b07c03f2 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -174,7 +174,9 @@ If so, take appropriate action, for example by [revoking passwords](https://doc. You can find the three advisories below: -#### BREACH attack +#### BREACH vulnerability + +[The BREACH attack](https://www.breachattack.com/) is a security vulnerability against HTTPS when using HTTP compression. If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. Fastly users are not affected. @@ -216,7 +218,7 @@ Only users of the [old Commerce solution](update_from_4.3_old_commerce.md) are a There are no additional update steps to execute. For more information, see the security advisory[TODO: insert link]. -#### Other changes +### Other changes #### Disable translations of identifiers in Product Catalog's categories 
@@ -228,3 +230,9 @@ Disable it by running the following migration: php bin/console ibexa:migrations:import vendor/ibexa/product-catalog/src/bundle/Resources/migrations/2024_07_25_07_00_non_translatable_product_categories.yaml --name=2024_07_25_07_00_non_translatable_product_categories.yaml php bin/console ibexa:migrations:migrate --file=2024_07_25_07_00_non_translatable_product_categories.yaml ``` + +#### Update webserver configuration + +Adjust the webserver configuration to prevent direct access to the `index.php` file when using URLs consisting of multiple path segments. + +See [the updated Apache and nginx template files](https://github.com/ibexa/post-install/pull/70/files) for more information. From d8823ffe555d68992c1d530688b309ae8c6e92d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 16:31:59 +0100 Subject: [PATCH 11/15] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Tomasz DÄ…browski <64841871+dabrt@users.noreply.github.com> --- .../from_3.3/update_from_3.3.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index ab1cd42997..f61b9d112e 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md 
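Review bot: `prevent direct access to the index.php file when using URLs consisting of multiple path segments` describes the fix but not the risk, and again points at a pull-request diff; say what requesting index.php through such a URL allowed, or at least that this is a hardening change. The advisory linked later in this series names "vhost templates" in its title; if this is that change it belongs under Security rather than Other changes in both files. Also, the 3.3 hunk leaves two blank lines before `## Finish the update`.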
@@ -447,11 +447,9 @@ No additional steps needed. #### Security This release contains security changes. -For each of following advisories evaluate the vulnerability to determine whether you might have been affected. +For each of the following advisories, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. -You can find the two advisories below: - ##### BREACH vulnerability [The BREACH attack](https://www.breachattack.com/) is a security vulnerability against HTTPS when using HTTP compression. @@ -480,7 +478,7 @@ Fastly users are not affected. Update your Varnish VCL file to align it with the [`vendor/ezsystems/ezplatform-http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ezsystems/ezplatform-http-cache/blob/2.3/docs/varnish/vcl/varnish7.vcl) file. ``` -If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the webserver configuration. +If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the web server configuration. For more information. see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). For more information about the vulnerability, see the security advisory[TODO: insert link]. 
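Review bot: the second hunk changes `webserver` to `web server` but leaves the period typo in the very next context line (`For more information. see the`); fix it in the same pass. Dropping `You can find the two advisories below:` is right, but `For each of the following advisories` still calls the items advisories while the page lists fixes covered by one advisory.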
@@ -493,9 +491,10 @@ For more information, see the security advisory[TODO: insert link]. #### Other changes ##### Remove duplicated entries in `ezcontentobject_attribute` table -This release comes with a command to clean up the duplicated entries in the `ezcontentobject_attribute` table, caused by the issue described in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562). -If you're affected you can remove the duplicated entries by running the following command: +This release comes with a command to clean up duplicated entries in the `ezcontentobject_attribute` table, which were created due to an issue described in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562). + +If you're affected, remove the duplicated entries by running the following command: ``` bash php bin/console ibexa:content:remove-duplicate-fields ``` @@ -507,7 +506,7 @@ php bin/console ibexa:content:remove-duplicate-fields You can customize the behavior of the command with the following options: - `--batch-size` or `-b` - number of attributes affected per iteration. Default value = 10000. -- `--max-iterations` or `-i` - max. iterations count (default or -1: unlimited). Default value = -1. +- `--max-iterations` or `-i` - maximum iterations count. Default value = -1 (unlimited). - `--sleep` or `-s` - wait time between iterations, in milliseconds. Default value = 0. ##### Update webserver configuration From 49ca0b2786bb79367b534034f736ed4790e478c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 16:43:29 +0100 Subject: [PATCH 12/15] Applied review suggestions and added advisory links --- .../from_3.3/update_from_3.3.md | 14 ++++++-------- .../from_4.6/update_from_4.6.md | 19 +++++++------------ 2 files changed, 13 insertions(+), 20 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index f61b9d112e..71f028dc97 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md 
+++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -446,13 +446,14 @@ No additional steps needed. #### Security -This release contains security changes. -For each of the following advisories, evaluate the vulnerability to determine whether you might have been affected. +This release contains security fixes. +For more information, see [the published security advisory](https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates). +For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. ##### BREACH vulnerability -[The BREACH attack](https://www.breachattack.com/) is a security vulnerability against HTTPS when using HTTP compression. +The [BREACH](https://www.breachattack.com/) attack is a security vulnerability against HTTPS when using HTTP compression. If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. Fastly users are not affected. @@ -481,12 +482,9 @@ Fastly users are not affected. If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the web server configuration. For more information. see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). -For more information about the vulnerability, see the security advisory[TODO: insert link]. - ##### Outdated version of jQuery in ibexa/ezcommerce-shop package There are no additional update steps to execute. -For more information, see the security advisory[TODO: insert link]. #### Other changes 
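Review bot: `The [BREACH](...) attack is a security vulnerability` conflates the attack with the weakness; `BREACH is an attack on HTTPS responses that use HTTP compression` is cleaner. With the single advisory link now in the intro, removing the per-item `For more information` lines is correct, but the `For more information. see the [updated Apache and nginx template configuration]` context line keeps its period typo and is the only "For more information" sentence left in the section.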
@@ -509,9 +507,9 @@ You can customize the behavior of the command with the following options: - `--max-iterations` or `-i` - maximum iterations count. Default value = -1 (unlimited). - `--sleep` or `-s` - wait time between iterations, in milliseconds. Default value = 0. -##### Update webserver configuration +##### Update web server configuration -Adjust the webserver configuration to prevent direct access to the `index.php` file when using URLs consisting of multiple path segments. +Adjust the web server configuration to prevent direct access to the `index.php` file when using URLs consisting of multiple path segments. See [the updated Apache and nginx template files](https://github.com/ibexa/post-install/pull/70/files) for more information. diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 61b07c03f2..a84cc7e260 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md 
@@ -168,15 +168,14 @@ You can customize the behavior of the command with the following options: ### Security -This release contains security changes. -For each of following advisories evaluate the vulnerability to determine whether you might have been affected. +This release contains security fixes. +For more information, see [the published security advisory](https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates). +For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. -You can find the three advisories below: - #### BREACH vulnerability -[The BREACH attack](https://www.breachattack.com/) is a security vulnerability against HTTPS when using HTTP compression. +The [BREACH](https://www.breachattack.com/) attack is a security vulnerability against HTTPS when using HTTP compression. If you're using Varnish, update the VCL configuration to stop compressing both the [[= product_name =]]'s REST API and JSON responses from your backend. Fastly users are not affected. 
@@ -202,21 +201,17 @@ Fastly users are not affected. Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ibexa/http-cache//blob/4.6/docs/varnish/vcl/varnish7.vcl) file. ``` -If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the webserver configuration. +If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the web server configuration. For more information. see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). -For more information, see the security advisory[TODO: insert link]. - #### XSS in Content name pattern There are no additional update steps to execute. -For more information, see the security advisory[TODO: insert link]. #### Outdated version of jQuery in ibexa/ezcommerce-shop package Only users of the [old Commerce solution](update_from_4.3_old_commerce.md) are affected. There are no additional update steps to execute. -For more information, see the security advisory[TODO: insert link]. ### Other changes @@ -231,8 +226,8 @@ php bin/console ibexa:migrations:import vendor/ibexa/product-catalog/src/bundle/ php bin/console ibexa:migrations:migrate --file=2024_07_25_07_00_non_translatable_product_categories.yaml ``` -#### Update webserver configuration +#### Update web server configuration -Adjust the webserver configuration to prevent direct access to the `index.php` file when using URLs consisting of multiple path segments. +Adjust the web server configuration to prevent direct access to the `index.php` file when using URLs consisting of multiple path segments. See [the updated Apache and nginx template files](https://github.com/ibexa/post-install/pull/70/files) for more information. From be62073bf71b583346cbae0a132d72ab5db4c719 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 16:48:32 +0100 Subject: [PATCH 13/15] Fixed typo --- docs/update_and_migration/from_3.3/update_from_3.3.md | 2 +- docs/update_and_migration/from_4.6/update_from_4.6.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index 71f028dc97..8c67e4fc59 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -480,7 +480,7 @@ Fastly users are not affected. ``` If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the web server configuration. -For more information. see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). +For more information, see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). ##### Outdated version of jQuery in ibexa/ezcommerce-shop package diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index a84cc7e260..13b0459b14 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -202,7 +202,7 @@ Fastly users are not affected. ``` If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the web server configuration. -For more information. see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). +For more information, see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). #### XSS in Content name pattern From ae87fa8706f236dfdd066cc17bd274494c311cff Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 17:00:33 +0100 Subject: [PATCH 14/15] Review fixes - Content-Type, EOL space, command description fixed for 4.6 --- docs/update_and_migration/from_3.3/update_from_3.3.md | 2 +- docs/update_and_migration/from_4.6/update_from_4.6.md | 10 +++++----- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/update_and_migration/from_3.3/update_from_3.3.md b/docs/update_and_migration/from_3.3/update_from_3.3.md index 8c67e4fc59..2361488297 100644 --- a/docs/update_and_migration/from_3.3/update_from_3.3.md +++ b/docs/update_and_migration/from_3.3/update_from_3.3.md @@ -479,7 +479,7 @@ Fastly users are not affected. Update your Varnish VCL file to align it with the [`vendor/ezsystems/ezplatform-http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ezsystems/ezplatform-http-cache/blob/2.3/docs/varnish/vcl/varnish7.vcl) file. ``` -If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the web server configuration. +If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed `Content-Type` in the web server configuration. For more information, see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). ##### Outdated version of jQuery in ibexa/ezcommerce-shop package diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 13b0459b14..366bec99ed 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md 
@@ -147,9 +147,9 @@ If the new bundle `ibexa/core-search` has not been added by the recipes, enable ## v4.6.13 -This release comes with a command to clean up the duplicated entries in the `ezcontentobject_attribute` table, caused by the issue described in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562). +This release comes with a command to clean up duplicated entries in the `ezcontentobject_attribute` table, which were created due to an issue described in [IBX-8562](https://issues.ibexa.co/browse/IBX-8562). -If you're affected you can remove the duplicated entries by running the following command: +If you're affected, remove the duplicated entries by running the following command: ``` bash php bin/console ibexa:content:remove-duplicate-fields ``` @@ -161,7 +161,7 @@ php bin/console ibexa:content:remove-duplicate-fields You can customize the behavior of the command with the following options: - `batch-size` or `b` - number of attributes affected per iteration. Default value = 10000. -- `max-iterations` or `i` - max. iterations count (default or -1: unlimited). Default value = -1. +- `--max-iterations` or `-i` - maximum iterations count. Default value = -1 (unlimited). - `sleep` or `s` - wait time between iterations, in milliseconds. Default value = 0. ## v4.6.14 
@@ -170,7 +170,7 @@ You can customize the behavior of the command with the following options: This release contains security fixes. For more information, see [the published security advisory](https://developers.ibexa.co/security-advisories/ibexa-sa-2024-006-vulnerabilities-in-content-name-pattern-commerce-shop-and-varnish-vhost-templates). -For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. +For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action, for example by [revoking passwords](https://doc.ibexa.co/en/latest/users/passwords/#revoking-passwords) for all affected users. #### BREACH vulnerability @@ -201,7 +201,7 @@ Fastly users are not affected. Update your Varnish VCL file to align it with the [`vendor/ibexa/http-cache/docs/varnish/vcl/varnish7.vcl`](https://github.com/ibexa/http-cache//blob/4.6/docs/varnish/vcl/varnish7.vcl) file. ``` -If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content Type in the web server configuration. +If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed `Content-Type` in the web server configuration. For more information, see the [updated Apache and nginx template configuration](https://github.com/ibexa/post-install/pull/86/files). #### XSS in Content name pattern From 6fa5318bc5fd5c9af4631beff47440ccbe2f347a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Marek=20Noco=C5=84?= Date: Thu, 28 Nov 2024 17:01:30 +0100 Subject: [PATCH 15/15] Command fixes --- docs/update_and_migration/from_4.6/update_from_4.6.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index 366bec99ed..a75ecceee4 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md 
+++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -160,9 +160,9 @@ php bin/console ibexa:content:remove-duplicate-fields You can customize the behavior of the command with the following options: -- `batch-size` or `b` - number of attributes affected per iteration. Default value = 10000. +- `--batch-size` or `-b` - number of attributes affected per iteration. Default value = 10000. - `--max-iterations` or `-i` - maximum iterations count. Default value = -1 (unlimited). -- `sleep` or `s` - wait time between iterations, in milliseconds. Default value = 0. +- `--sleep` or `-s` - wait time between iterations, in milliseconds. Default value = 0. ## v4.6.14
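Review bot: In the PATCH 12 hunk for update_from_3.3.md at @@ -446, the remediation sentence applies one generic action (revoking passwords for all affected users) to three unrelated fixes; consider stating, per fix, what "affected" means and which action follows, since the BREACH item concerns secrets exposed through compressed HTTPS responses while the jQuery item has no update steps at all. Replacing the removed `[TODO: insert link]` placeholders with the single link to the published advisory (ibexa-sa-2024-006) is the right call, and the same wording is mirrored in the update_from_4.6.md hunk at @@ -168.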
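Review bot: In the PATCH 12 hunk for update_from_3.3.md at @@ -481, the unchanged context line `For more information. see the [updated Apache and nginx template configuration](...)` still has a full stop where a comma belongs, and `Content Type` should be written as the header name `Content-Type` in code formatting; both are addressed later in the series (PATCH 13 and PATCH 14), so it would be cleaner to fold them into this commit, which already touches the surrounding lines.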
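Review bot: In the PATCH 12 hunk for update_from_4.6.md at @@ -202, the context line linking the Varnish 7 VCL template carries a doubled slash in the URL (`https://github.com/ibexa/http-cache//blob/4.6/docs/varnish/vcl/varnish7.vcl`); it should read `https://github.com/ibexa/http-cache/blob/4.6/docs/varnish/vcl/varnish7.vcl`. The same line reappears unchanged as context in the PATCH 14 hunk at @@ -201, so fixing it here avoids a follow-up. Under `#### XSS in Content name pattern`, "There are no additional update steps to execute" would be more useful to operators if it also said whether content names created before the fix need to be reviewed or whether installing the fix is sufficient on its own.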
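Review bot: In the PATCH 14 hunk for update_from_4.6.md at @@ -161, the rewritten line spells the option as `--max-iterations` or `-i`, but the surrounding context lines still read `batch-size` or `b` and `sleep` or `s` without the dashes, so the list is inconsistent after this commit; PATCH 15 corrects the other two lines, but the three belong in one change. The 3.3 counterpart in the earlier hunk at @@ -507 already uses the dashed forms.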
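Review bot: In the PATCH 15 hunk at @@ -160, the short options `-b`, `-i` and `-s` and their long forms now match the 3.3 page; since this list is the only place the flags are documented, please confirm the short aliases and the defaults (10000, -1, 0) against the console command's own definition (for example via `php bin/console ibexa:content:remove-duplicate-fields --help`) rather than by analogy with the other page.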