Does anyone know any details on the recent security release notifications?

February 09, 2017 5:36pm

  • #1 / Feb 09, 2017 5:36pm

    All our EE2 sites are displaying:

    “An ExpressionEngine version 2.11.6, build 20170207 has been released as a security release”

    Does anyone have any details about what security vulnerabilities are being addressed? Are they specific to version 2.11 or a general security vulnerability in all EE2 sites?

  • #2 / Feb 09, 2017 11:16pm

    Jeremy S.

    324 posts

    The changelog specified:

    - Fixed a security bug where some path names were not properly sanitized.

    - Fixed a security bug involving PHP object injection.

  • #3 / Feb 10, 2017 8:27am

    Thanks Jeremy.

    What I’m trying to find out is how far back does the system vulnerability go. We’ve built 200+ EE2 sites, and we’re trying to see how many of them are affected.

    Like, do all of them have the security bug or just the ones running EE2.8+?

  • #4 / Feb 10, 2017 11:52am

    Pedro Guimaraes

    163 posts

    I believe this will affect all 2.x versions of EE. And also it goes beyond EE…

  • #5 / Feb 14, 2017 1:11pm

    Robin Sowell

    12730 posts

    The security fixes in the latest release do affect older versions, not just 2.11. This issue was introduced from CodeIgniter, undiscovered until now, so it affects all versions of ExpressionEngine 2.0.0+. While most security patches you see throughout the software world are not highly exploitable, they are always recommended updates for all users.

    Security is top priority in ExpressionEngine. If you skim the changelog you’ll see a steady stream of security enhancements. Keeping clients current is in their best interests.

  • #6 / Feb 14, 2017 1:33pm

    Thank you, Robin!
