Spree Commerce


Spree 2.2.9 & 2.1.12 Released

Posted on December 23, 2014 by Jeff Dutil


We have just released new Spree versions 2.2.9 & 2.1.12.

The primary focus of these releases was resolving security flaws in the API. While no user or credit card data could be exploited with this flaw, there is the potential to commit fraud by manipulating order prices. It is recommended that all Spree installations running 2.1.x and 2.2.x upgrade as soon as possible.

Thanks to Jordan Brough for finding the issue, and providing a patch to resolve the issue.

You can review the Github Compare for a complete list of 2.2.x changes.
You can review the Github Compare for a complete list of 2.1.x changes.

Reporting Security Issues

Please do not announce potential security vulnerabilities in public. We have a dedicated email address, security@spreecommerce.com. We will work quickly to determine the severity of the issue and provide a fix for the appropriate versions. We will credit you for the discovery by naming you in a blog post.

If you would like to provide a patch yourself for the security issue do not open a pull request for it. Instead, create a commit on your fork of Spree and run this command:

$ git format-patch HEAD~1..HEAD --stdout > patch.txt

This command will generate a file called `patch.txt` with your changes. Please email a description of the patch along with the patch itself to security@spreecommerce.com.
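As an added worked example, not part of the Spree post, the shell below runs the procedure above end to end in a throwaway repository: it makes a baseline commit and a fix commit on a stand-in "fork", exports only the fix with `git format-patch HEAD~1..HEAD --stdout > patch.txt`, and then checks that the resulting patch applies cleanly to the pre-fix tree before it would be emailed. The repository path, the file `order_params.rb` and its contents are constructed stand-ins, not Spree's code.

```shell
#!/bin/sh
# Added example (not from the Spree post): builds a throwaway git repo,
# commits one fix the way a security patch would be committed on a fork,
# exports it with git format-patch exactly as the post describes, and
# verifies that the patch applies against the pre-fix tree.
set -eu

make_security_patch() {
  work=$(mktemp -d)
  repo="$work/spree-fork"          # constructed stand-in for a fork of Spree
  mkdir -p "$repo"
  git -C "$repo" init -q
  git -C "$repo" config user.email "you@example.com"   # placeholder identity
  git -C "$repo" config user.name "Security Reporter"
  # Baseline commit: a constructed file standing in for the code being fixed.
  printf 'permitted_attrs = [:price, :quantity]\n' > "$repo/order_params.rb"
  git -C "$repo" add order_params.rb
  git -C "$repo" commit -q -m "Baseline (constructed stand-in)"
  # Fix commit: stop accepting the attribute a client must not be able to set.
  printf 'permitted_attrs = [:quantity]\n' > "$repo/order_params.rb"
  git -C "$repo" commit -q -am "Do not permit price from API params"
  # Export only the last commit to patch.txt (the command from the post).
  git -C "$repo" format-patch HEAD~1..HEAD --stdout > "$work/patch.txt"
  echo "$work"
}

verify_patch() {
  work=$1
  repo="$work/spree-fork"
  # Roll the checkout back to the pre-fix commit and dry-run the patch there.
  git -C "$repo" checkout -q HEAD~1 2>/dev/null
  git -C "$repo" apply --check "$work/patch.txt"
  # The mail-formatted patch must carry the commit subject and the change.
  grep -q 'Subject: \[PATCH\] Do not permit price from API params' "$work/patch.txt"
  grep -q '^-permitted_attrs = \[:price, :quantity\]' "$work/patch.txt"
  grep -q '^+permitted_attrs = \[:quantity\]' "$work/patch.txt"
}

# Usage: work=$(make_security_patch); verify_patch "$work"; cat "$work/patch.txt"
```

The `--stdout` form writes the commit as a single mbox-style message (subject, author, date, then the diff), which is what makes it convenient to attach to an email; `git apply --check` on the pre-fix tree is the quickest way to confirm you exported the right commit before sending it.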

Older Versions of Spree

If you are using Spree versions 2.0.x and older, you should consider upgrading as soon as possible. While this security flaw only affects versions 2.1.x & 2.2.x, we have already reached the end of life for official 2.0.x support. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.
