Security fixes for Flow and Neos released

New releases of Flow and Neos fix security issues. Users should update to the latest versions.

Flow 2.3.8 and 3.0.2

Two potential security issues have been discovered in the Flow framework (see the related advisory Flow-SA-2015-001 for details). Versions 2.3.8 and 3.0.2 fix the issues, and users are encouraged to update immediately. The patch-level releases can be fetched via Composer and contain no breaking changes.

Releases 2.3.7 and 3.0.1 originally fixed the issues but contained minor regressions, which were quickly discovered and fixed.

Neos 1.2.13 and 2.0.4

Several XSS vulnerabilities have been discovered in Neos (see the related advisory Neos-SA-2015-002). Neos versions 1.2.13 and 2.0.4 fix the issues and users are encouraged to update immediately.

Credits

Thanks to Mickael Dorigny (Synetis) and Wouter Wolters for reporting the issues. Thanks to Flownative and networkteam for sponsoring the fixes. Thanks to the Neos security team members for reviewing the fixes.