We have just released new versions of all the currently supported Spree versions. The Spree 2.4.2, 2.3.6, 2.2.8, 2.1.11 releases are out now!
The primary focus of these releases was resolving a security flaw in the API. While no user or credit card data could be exploited with this flaw, there is the potential to commit fraud by manipulating an item’s price. It is recommended that all Spree installations running a 2.1.x, 2.2.x, 2.3.x, and 2.4.x upgrade as soon as possible.
Thanks to Leandro Julian for finding the issue, and providing a patch to resolve the issue.
You can review the Github Compare for a complete list of 2.4.x changes.
You can review the Github Compare for a complete list of 2.3.x changes.
You can review the Github Compare for a complete list of 2.2.x changes.
You can review the Github Compare for a complete list of 2.1.x changes.
Reporting Security Issues
Please do not announce potential security vulnerabilities in public. We have a dedicated email address email@example.com. We will work quickly to determine the severity of the issue and provide a fix for the appropriate versions. We will credit you with the discovery of this patch by naming you in a blog post.
If you would like to provide a patch yourself for the security issue do not open a pull request for it. Instead, create a commit on your fork of Spree and run this command:
$ git format-patch HEAD~1..HEAD —stdout > patch.txt
This command will generate a file called `patch.txt` with your changes. Please email a description of the patch along with the patch itself to firstname.lastname@example.org.
Older Versions of Spree
If you are using Spree versions 2.0.x and older you should consider upgrading as soon as possible. While this security flaw only affects versions 2.1.x+ we have already reached the end of life for official 2.0.x support. Our current Release Policy is to only maintain the latest two versions of Spree along with the current master.