Does anyone know any details on the recent security release notifications?
News and General
All our EE2 sites are displaying:
“An ExpressionEngine version 2.11.6, build 20170207 has been released as a security release”
Does anyone have any details about what security vulnerabilities are being addressed? Are they specific to version 2.11 or a general security vulnerability in all EE2 sites?
The changelog specified:
-Fixed a security bug where some path names were not properly sanitized.
-Fixed a security bug involving PHP object injection.
Thanks Jeremy.
What I’m trying to find out is how far back does the system vulnerability go. We’ve built 200+ EE2 sites, and we’re trying to see how many of them are affected.
Like, do all of them have the security bug or just the ones running EE2.8+?
I believe this will affect all 2.x versions of EE. And also it goes beyond EE…
The security fixes in the latest release do affect older versions, not just 2.11. This issue was introduced from CodeIgniter, undiscovered until now, so it affects all versions of ExpressionEngine 2.0.0+. While most security patches you see throughout the software world are not highly exploitable, they are always recommended updates for all users.
Security is top priority in ExpressionEngine. If you skim the changelog you’ll see a steady stream of security enhancements. Keeping clients current is in their best interests.
Thank you, Robin!