CIVI-SA-2020-17: Harden Per-Session Private Key

Gepubliceerd
2020-08-19 09:00
Written by
dev-team - member of the CiviCRM community - view blog guidelines

For each session, CiviCRM stores a private session key. This patch addresses multiple issues which could compromise the strength or security of the key.

Security Risk
Critical
Vulnerability
Other
Affected Versions

CiviCRM version 5.28.0 and earlier

Fixed Versions

CiviCRM version 5.28.1 and 5.27.5 ESR

Publication Date
Solutions

Upgrade to the latest version of CiviCRM

Credits

Cure53 and Mozilla Open Source Support (MOSS) for reporting the issue
Tim Otten of CiviCRM Core for further analysis and fixing the issue

References

CIV-01-022