Spree 0.60.2 Released (Security Fix)

We have just released Spree 0.60.2, which contains an important security fix. A vulnerability in the ProductScope class could allow unauthenticated remote command execution. In short: upgrade immediately, or, if you cannot upgrade yet, apply your own fix based on this commit.

Special thanks to joernchen of Phenoelit for discovering the problem and reporting it through the appropriate channel (a private email to security@railsdog.com). Roman Smirnov (aka romul) provided the fix.

The edge code has also been updated to include this fix. A few other minor issues are addressed in this release as well; see the GitHub compare view for the full details.

We are currently working on an improved solution for handling the reporting of security issues. We will be announcing a new initiative on this front in the near future.


This project is maintained by a core team of developers and is freely available for commercial use under the terms of the New BSD License.

Spree, Spree Commerce and the Spree logo are all trademarks of Spree Commerce, Inc.