Security Release: Laravel v5.6.30 and v5.5.42 have been released

Laravel 5.6.30 and Laravel 5.5.42 have both been released to fix a security issue, and it is recommended that all users upgrade as soon as possible. According to the upgrade docs:

This vulnerability may only be exploited if your application encryption key (APP_KEY environment variable) has been accessed by a malicious user. Typically, it is not possible for users of your application to gain access to this value. However, ex-employees that had access to the encryption key may be able to use the key to attack your applications. If you have any reason to believe your encryption key is in the hands of a malicious party, you should always rotate the key to a new value.

Laravel 5.6.30 also contains a breaking change to cookie encryption and serialization logic, so please read the upgrade notes carefully before performing an upgrade.

It’s also worth pointing out again that this is only exploitable if a bad person has your APP_KEY and this shouldn’t ever happen unless a disgruntled ex-employee has it or you’ve left it open in a public git repo or something.

The upgrade guide includes everything you need to know on this release and the security impact, so please read it.
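If you do decide to rotate a leaked APP_KEY, any values you encrypted with the old key in the database will stop decrypting. The following is an added example (not code from the Laravel News post or from the framework) of re-encrypting stored values during a rotation; it assumes illuminate/encryption is installed via Composer and that the old key is passed in a hypothetical OLD_APP_KEY environment variable.

```php
<?php
// Added example: re-encrypt stored ciphertexts from a compromised APP_KEY
// to a freshly generated one. Not part of the original post or of Laravel.
require __DIR__ . '/vendor/autoload.php';

use Illuminate\Encryption\Encrypter;

// Laravel stores keys in .env as "base64:<bytes>"; strip the prefix the
// same way the framework's EncryptionServiceProvider does.
function parseKey(string $key): string
{
    return strpos($key, 'base64:') === 0 ? base64_decode(substr($key, 7)) : $key;
}

// OLD_APP_KEY is a hypothetical variable holding the compromised key; a
// constructed random key is used here only so the script runs stand-alone.
$oldKey = parseKey(getenv('OLD_APP_KEY') ?: 'base64:' . base64_encode(random_bytes(32)));

// AES-256-CBC (Laravel's default cipher) needs a 32-byte key. Write this
// value to .env as APP_KEY once every stored value has been rotated.
$newKey = random_bytes(32);
echo 'New APP_KEY=base64:' . base64_encode($newKey) . PHP_EOL;

$old = new Encrypter($oldKey, 'AES-256-CBC');
$new = new Encrypter($newKey, 'AES-256-CBC');

// encryptString/decryptString handle plain strings only, so no PHP
// serialize/unserialize step is involved in the rotation.
function rotate(Encrypter $old, Encrypter $new, string $ciphertext): string
{
    return $new->encryptString($old->decryptString($ciphertext));
}

// Constructed sample: a value that an application had encrypted under the
// old key (in practice, loop over the affected database rows instead).
$stored  = $old->encryptString('api-token-example');
$rotated = rotate($old, $new, $stored);

assert($new->decryptString($rotated) === 'api-token-example');
echo 'Rotated OK' . PHP_EOL;
```

Rotating the key also invalidates every existing session cookie and other cookie encrypted under the old key, so users are logged out after the change.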


Filed in: News / Releases
