Prepare v1.4.12 release

pamil · pamil · commit 79b2f2a62a5a · 2020-01-27T16:13:38.000+01:00
diff --git a/CHANGELOG-1.4.md b/CHANGELOG-1.4.md
@@ -1,5 +1,30 @@
 # CHANGELOG FOR `1.4.X`
 
+## v1.4.12 (2020-01-27)
+
+#### CVE-2020-5218: Ability to switch channels via GET parameter enabled in production environments
+
+*Please refer to [the original security advisory](https://github.com/Sylius/Sylius/security/advisories/GHSA-prg5-hg25-8grq) for the most updated information.*  
+
+**Impact:**
+
+This vulnerability gives the ability to switch channels via the `_channel_code` GET parameter in production environments. This was meant to be enabled only when `%kernel.debug%` is set to true. 
+
+However, if no `sylius_channel.debug` is set explicitly in the configuration, the default value which is `%kernel.debug%` will be not resolved and cast to boolean, enabling this debug feature even if that parameter is set to false.
+
+**Patches:**
+
+Patch has been provided for Sylius 1.3.x and newer - **1.3.16, 1.4.12, 1.5.9, 1.6.5**. Versions older than 1.3 are not covered by our security support anymore.
+
+**Workarounds:**
+
+Unsupported versions could be patched by adding the following configuration to run in production:
+
+```yaml
+sylius_channel:
+    debug: false
+```
+
 ## v1.4.10, v1.4.11 (2019-12-03, 2019-12-05)
 
 #### CVE-2019-16768: Internal exception message exposure in login action.
diff --git a/src/Sylius/Bundle/CoreBundle/Application/Kernel.php b/src/Sylius/Bundle/CoreBundle/Application/Kernel.php
@@ -31,7 +31,7 @@
 
 class Kernel extends HttpKernel
 {
-    public const VERSION = '1.4.12-DEV';
+    public const VERSION = '1.4.12';
 
     public const VERSION_ID = '10412';
 
@@ -41,7 +41,7 @@ class Kernel extends HttpKernel
 
     public const RELEASE_VERSION = '12';
 
-    public const EXTRA_VERSION = 'DEV';
+    public const EXTRA_VERSION = '';
 
     public function __construct(string $environment, bool $debug)
     {

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@`
`31`	`31`
`32`	`32`	`class Kernel extends HttpKernel`
`33`	`33`	`{`
`34`		`- public const VERSION = '1.4.12-DEV';`
	`34`	`+ public const VERSION = '1.4.12';`
`35`	`35`
`36`	`36`	`public const VERSION_ID = '10412';`
`37`	`37`
`@@ -41,7 +41,7 @@ class Kernel extends HttpKernel`
`41`	`41`
`42`	`42`	`public const RELEASE_VERSION = '12';`
`43`	`43`
`44`		`- public const EXTRA_VERSION = 'DEV';`
	`44`	`+ public const EXTRA_VERSION = '';`
`45`	`45`
`46`	`46`	`public function __construct(string $environment, bool $debug)`
`47`	`47`	`{`