On January 13, Laravel released (and re-released) a series of security updates.
On January 27, they released one more update for the same issue. The advisory was publicly published on February 2.
This security incident affects all Flarum installations created before January 28, 2021. We recommend you update the dependency as soon as possible.
In your Flarum folder, run the following command:
composer update illuminate/database --no-dev -a
Composer will show an output similar to the following:
Upgrading illuminate/database (v6.20.10 => v6.20.16)
If the version on the right of the arrow is 6.20.14 or higher, you have the fix.
If Composer says there is nothing to update, you can run composer show illuminate/database to see the currently installed version and confirm it is already at 6.20.14 or above.
We have conducted tests to evaluate the impact on Flarum. We have not found any situation in which the vulnerability can be exploited in Flarum and its bundled extensions in a significant way. The only impact found is the ability to discover pairs of restricted discussion IDs and their author IDs by brute force. We have not found any way to leak content or perform unauthorized actions.
However, there is a high chance that some community extensions are impacted by the vulnerability. The single command above will protect both Flarum and all installed community extensions.
We have not released a Flarum update, since the dependency can be updated independently of Flarum and does not require any change to Flarum or extension code.
Extension developers can learn more about the issue here. If your code is impacted, we recommend you add additional validation and/or type casting to future-proof your code against this kind of vulnerability.
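One way to apply the validation and type casting recommended above, as an added PHP example that is not Flarum's or Laravel's own code: the helper names, the `discussion` query parameter and the assumption that the raw value may arrive as either a string or an array are all ours.

```php
<?php
// Added example (not Flarum or Laravel code): validate and cast an untrusted
// request parameter before it ever reaches a query builder where() call.
declare(strict_types=1);

/**
 * Returns the parameter as a positive integer, or null when it is absent,
 * not a scalar (for example an array) or not a plain decimal integer.
 * Hypothetical helper; the input is assumed to be a raw query-string value.
 */
function toPositiveId($raw): ?int
{
    // Arrays, objects and other non-scalars are rejected outright.
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $s = (string) $raw;
    // Only unsigned decimal digits: no sign, whitespace, hex or exponent forms.
    if (!preg_match('/\A[1-9][0-9]{0,18}\z/', $s)) {
        return null;
    }
    return (int) $s;
}

/**
 * Constructed stand-in for an extension controller: only the validated
 * integer is handed on, never the raw request value.
 */
function buildLookup(array $queryParams): ?array
{
    $id = toPositiveId($queryParams['discussion'] ?? null);
    if ($id === null) {
        return null; // caller would answer 400 or "not found" instead of querying
    }
    // In a real extension: Discussion::query()->where('id', $id)->first();
    return ['column' => 'id', 'operator' => '=', 'value' => $id];
}

// Constructed sample inputs: a valid id, an array, an injected string, nothing.
foreach ([
    ['discussion' => '42'],
    ['discussion' => ['1', '2']],
    ['discussion' => '42 OR 1=1'],
    [],
] as $params) {
    var_export(buildLookup($params));
    echo PHP_EOL;
}
```

Only the first sample yields a lookup; the other three are rejected before any query is built.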
Laravel security advisory: https://github.com/laravel/framework/security/advisories/GHSA-3p32-j457-pg5x
Advisory for the second update: https://github.com/laravel/framework/security/advisories/GHSA-x7p5-p2c9-phvg
PS: you might have seen a different Laravel security incident, discovered in November and discussed recently. Flarum does not use that particular Laravel component and is thus unaffected.