Get the latest Laravel/PHP jobs, events and curated articles straight to your inbox, once a week
Source: blog.laravel.com
Laravel Cookie Security ReleasesCategory: Laravel
Today we released several fixes to address a security vulnerability in the framework that we were notified of during the weekend. Since we have not yet released a security release for the Laravel 5.5 version of the framework, we recommend that all applications running Laravel 5.5 and earlier do not use the "cookie" session driver in their production deployments.
The Passport release is not a security release; however, the library needed updates to be compatible with today's framework changes. Regarding the vulnerability, applications using the "cookie" session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution.
I would like to personally apologize for the inconvenience of today's security releases since the nature of this fix required us to invalidate existing encrypted cookies issued by Laravel applications.
The Passport release is not a security release; however, the library needed updates to be compatible with today's framework changes. Regarding the vulnerability, applications using the "cookie" session driver that were also exposing an encryption oracle via their application were vulnerable to remote code execution.
I would like to personally apologize for the inconvenience of today's security releases since the nature of this fix required us to invalidate existing encrypted cookies issued by Laravel applications.
Newsletter
Glimpse
Glimpse streamlines Laravel development by seamlessly deploying GitHub pull requests to preview environments with the help of Laravel Forge.
Community Partners
Laravel/PHP Careers