All Versions
58
Latest Version
Avg Release Cycle
23 days
Latest Release
1205 days ago

Changelog History
Page 5

  • v1.5.5

    October 09, 2019
  • v1.5.4

    August 27, 2019
  • v1.5.3 Changes

    July 29, 2019
  • v1.5.2 Changes

    June 24, 2019
  • v1.5.1 Changes

    May 30, 2019

    Details

  • v1.5.0 Changes

    May 17, 2019

    TL;DR

    • ๐Ÿ“ฆ Extracted packages from the core (#10325, #10326, #10327)
    • โž• Added order index API endpoint (#10161)
    • โž• Added ability to customise whether coupons should be reusable after canceling an order using them (#10310)
    • โž• Added shipments list view in the admin panel (#10249)
    • โž• Added ability to define locale used by Sylius during the installation (#10240)

    Details

  • v1.4.12 Changes

    January 27, 2020

    CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments

    โšก๏ธ Please refer to the original security advisory for the most updated information.

    Impact:

    This vulnerability gives the ability to switch channels via the _channel_code GET parameter in production environments. This was meant to be enabled only when %kernel.debug% is set to true.

    ๐Ÿ”ง However, if no sylius_channel.debug is set explicitly in the configuration, the default value which is %kernel.debug% will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.

    Patches:

    Patch has been provided for Sylius 1.3.x and newer - 1.3.16, 1.4.12, 1.5.9, 1.6.5. Versions older than 1.3 are not covered by our security support anymore.

    โ†ช Workarounds:

    ๐Ÿ”ง Unsupported versions could be patched by adding the following configuration to run in production:

    sylius\_channel: debug: false
    
  • v1.4.11 Changes

    December 05, 2019

    ๐Ÿ‘ป CVE-2019-16768: Internal exception message exposure in login action.

    Details:

    ๐Ÿ‘ป Exception messages from internal exceptions (like database exception) are wrapped by
    ๐Ÿ”’ \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI.
    Therefore, some internal system information may leak and be visible to the customer.

    ๐ŸŒฒ A validation message with the exception details will be presented to the user when one will try to log into the shop.

    Solution:

    ๐Ÿš€ This release patches the reported vulnerability. The src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig
    file from Sylius should be overridden and {{ messages.error(last_error.message) }} changed to {{ messages.error(last_error.messageKey) }}.

  • v1.4.10

    December 04, 2019
  • v1.4.9

    October 09, 2019