SplashSync / Sylius-Bundle

Splash Bundle for Sylius E-Commerce Solution
MIT License

Bump sylius/sylius from 1.4.3 to 1.4.12 #2

Closed dependabot[bot] closed 4 years ago

dependabot[bot] commented 4 years ago

Bumps sylius/sylius from 1.4.3 to 1.4.12.

Release notes

*Sourced from [sylius/sylius's releases](https://github.com/Sylius/Sylius/releases).*

> ## v1.4.12
> #### CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
>
> *Please refer to [the original security advisory](https://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq) for the most updated information.*
>
> **Impact:**
>
> This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true.
>
> However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value, which is `%kernel.debug%`, will not be resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
>
> **Patches:**
>
> Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore.
>
> **Workarounds:**
>
> Unsupported versions could be patched by adding the following configuration to run in production:
>
> ```yaml
> sylius_channel:
>     debug: false
> ```
>
> ## v1.4.11
> #### CVE-2019-16768: Internal exception message exposure in login action.
>
> **Details:**
>
> Exception messages from internal exceptions (like database exceptions) are wrapped by `\Symfony\Component\Security\Core\Exception\AuthenticationServiceException` and propagated through the system to the UI. Therefore, some internal system information may leak and be visible to the customer.
>
> A validation message with the exception details will be presented to the user when one tries to log into the shop.
>
> **Solution:**
>
> This release patches the reported vulnerability. The `src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig` file from Sylius should be overridden and `{{ messages.error(last_error.message) }}` changed to `{{ messages.error(last_error.messageKey) }}`.
>
> ## v1.4.9
> - [#10641](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10641) [Documentation] Fixtures customization guides - fixes ([@CoderMaggie](https://github.com/CoderMaggie), [@Zales0123](https://github.com/Zales0123))
> - [#10645](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10645) [Docs] Fix Blackfire Ad ([@Tomanhez](https://github.com/Tomanhez))
> - [#10646](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10646) [Docs] Fix Ad ([@Tomanhez](https://github.com/Tomanhez))
> - [#10649](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10649) Update online course ad ([@kulczy](https://github.com/kulczy))
> - [#10652](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10652) Add Sylius 1.6 banner to the docs ([@kulczy](https://github.com/kulczy))
> - [#10680](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10680) Fix ChannelCollector related serialization issue in Symfony profiler ([@ostrolucky](https://github.com/ostrolucky))
> - [#10701](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10701) [Maintenance] Update docs with v1.6 ([@lchrusciel](https://github.com/lchrusciel))
> - [#10710](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10710) [Address book] Extensibility improvements ([@cyrosy](https://github.com/cyrosy))
> - [#10713](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10713) [Behat] Improve dashboard page extensibility ([@loic425](https://github.com/loic425))
> ... (truncated)

Changelog

*Sourced from [sylius/sylius's changelog](https://github.com/Sylius/Sylius/blob/master/CHANGELOG-1.4.md).*

> ## v1.4.12 (2020-01-27)
>
> #### CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
>
> *Please refer to [the original security advisory](https://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq) for the most updated information.*
>
> **Impact:**
>
> This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true.
>
> However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value, which is `%kernel.debug%`, will not be resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
>
> **Patches:**
>
> Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore.
>
> **Workarounds:**
>
> Unsupported versions could be patched by adding the following configuration to run in production:
>
> ```yaml
> sylius_channel:
>     debug: false
> ```
>
> ## v1.4.10, v1.4.11 (2019-12-03, 2019-12-05)
>
> #### CVE-2019-16768: Internal exception message exposure in login action.
>
> **Details:**
>
> Exception messages from internal exceptions (like database exceptions) are wrapped by `\Symfony\Component\Security\Core\Exception\AuthenticationServiceException` and propagated through the system to the UI. Therefore, some internal system information may leak and be visible to the customer.
>
> A validation message with the exception details will be presented to the user when one tries to log into the shop.
>
> **Solution:**
>
> This release patches the reported vulnerability. The `src/Sylius/Bundle/UiBundle/Resources/views/Security/_login.html.twig` file from Sylius should be overridden and `{{ messages.error(last_error.message) }}` changed to `{{ messages.error(last_error.messageKey) }}`.
>
> ## v1.4.9 (2019-10-09)
>
> The last bugfix release for v1.4.x.
>
> #### Details
>
> - [#10641](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10641) [Documentation] Fixtures customization guides - fixes ([@CoderMaggie](https://github.com/CoderMaggie), [@Zales0123](https://github.com/Zales0123))
> - [#10645](https://github-redirect.dependabot.com/Sylius/Sylius/issues/10645) [Docs] Fix Blackfire Ad ([@Tomanhez](https://github.com/Tomanhez))
> ... (truncated)

Commits

- [`79b2f2a`](https://github.com/Sylius/Sylius/commit/79b2f2a62a5a4b58465c40f171c4aa8baacb4e89) Prepare v1.4.12 release
- [`aea8ec1`](https://github.com/Sylius/Sylius/commit/aea8ec122a7b453f7b64845adb5faf65889fe00d) Merge branch '1.3' into 1.4
- [`4c44a50`](https://github.com/Sylius/Sylius/commit/4c44a50d610251c9f35441d103cbf44f40c00d24) Change application's version to v1.3.17-DEV
- [`53eaa73`](https://github.com/Sylius/Sylius/commit/53eaa73468f174cee47e0b93cf0f53a832c98bf7) Prepare v1.3.16 release
- [`3007ea3`](https://github.com/Sylius/Sylius/commit/3007ea30c380fe64f6dc75555193b493383eaba2) Merge pull request from GHSA-prg5-hg25-8grq
- [`197084f`](https://github.com/Sylius/Sylius/commit/197084f3cf19d9cc7b07686684a64b4237e5d90d) Security fix for "Ability to switch channels via GET parameter enabled in pro...
- [`9b2259d`](https://github.com/Sylius/Sylius/commit/9b2259d26fa46011a362c8147c976607bad1d80e) Change application's version to v1.4.12-DEV
- [`f74d48f`](https://github.com/Sylius/Sylius/commit/f74d48fc227acde0e9980bb74b33e3afb83aca08) Generate changelog for v1.4.11
- [`b50b627`](https://github.com/Sylius/Sylius/commit/b50b6279b8256f40a84e68786d4fd90db28fabcd) Change application's version to v1.4.11
- [`4d6997e`](https://github.com/Sylius/Sylius/commit/4d6997e3353b822bec10dd47a408f04a0e866027) Merge branch '1.3' into 1.4
- Additional commits viewable in [compare view](https://github.com/Sylius/Sylius/compare/v1.4.3...v1.4.12)



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/SplashSync/Sylius-Bundle/network/alerts).
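The advisory quoted above (CVE-2020-5218) concerns a channel switch through the `_channel_code` GET parameter that a production shop should never honour. As an added example that is not part of this PR or of the Sylius project, the Python below scans web-server access-log lines for requests carrying that parameter, so an operator running an unpatched version can see whether it is being probed while the `sylius_channel.debug: false` workaround is rolled out; the combined log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed Apache/nginx combined log format:
#   ip - - [timestamp] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic, not a real capture.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jan/2020:10:00:01 +0000] "GET /en_US/products/mug HTTP/1.1" 200 5120
203.0.113.7 - - [27/Jan/2020:10:00:02 +0000] "GET /en_US/?_channel_code=FASHION_WEB HTTP/1.1" 200 4711
203.0.113.7 - - [27/Jan/2020:10:00:03 +0000] "GET /en_US/cart?_channel_code=b2b&utm=x HTTP/1.1" 302 0
203.0.113.7 - - [27/Jan/2020:10:00:04 +0000] "POST /en_US/login_check HTTP/1.1" 302 0
not a log line at all
"""


def find_channel_switch_attempts(log_text):
    """Return one record per request whose query string carries _channel_code."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        parts = urlsplit(m.group("target"))
        query = parse_qs(parts.query, keep_blank_values=True)
        if "_channel_code" not in query:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "path": parts.path,
            "channel_code": query["_channel_code"][0],
            "status": int(m.group("status")),
        })
    return hits


def attempts_by_ip(hits):
    """Group hits by source address so repeated probing from one host stands out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in find_channel_switch_attempts(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} requested channel {h["channel_code"]!r} '
              f'on {h["path"]} (HTTP {h["status"]})')
```

A request with `_channel_code` is only a problem on a deployment where the debug feature is still active, so treat the hits as a trigger to verify the configuration rather than as proof of compromise.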
dependabot[bot] commented 4 years ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.