Advice regarding Laravel 6 (LTS) security support ending on September 6, 2022

Hello everyone,

Laravel 6 (LTS) is ending support for security fixes on September 6, 2022. Since the stable October CMS version (2.0) uses version 6 of Laravel, you may be affected by this. We offer the following recommendations.

What does this mean?

This means that after this date, if Laravel is notified of a security vulnerability in Laravel 6, they will not implement the fix and will leave the framework vulnerable. However, Laravel has been known to backport fixes for high severity problems.

So October CMS 2.0 is vulnerable?

October CMS is different from other platforms because it is not a Laravel package. Instead, October CMS overrides the Laravel kernel, so it does not appeal to Laravel for its architecture and design decisions.

This gives October CMS complete access to the underlying framework, and if October CMS is notified of a security vulnerability in October CMS 2.0 due to Laravel 6, we will fix it.

More on the architecture can be found here: How to Install October CMS to an existing Laravel application

What about October CMS 3.0? When will it be stable?

October CMS 3.0 was announced in May 2022 and is currently stable, having passed quality assurance, and all breaking changes are complete. However, it is missing the multisite features that will arrive in v3.1 in the coming months.

If you use the RainLab.Translate plugin, it is best to wait for 3.1. If your website does not use multilingual features, then upgrading to v3 is safe to do now.

I want to use 3.0 and RainLab Translate now…

It is possible if you upgrade twice. One solution we recommend is locking the platform to version 3.0.*, so it does not receive 3.1 automatically when it is released.


"require": {
    "php": "^8.0.2",
    "october/all": "3.0.*",
    "october/rain": "3.0.*",
    "laravel/framework": "^9.0"
},

When 3.1 is released, changing these values to ~3.0 will require another upgrade since the Translate plugin has been upgraded for 3.1. This is why we suggest it is best to wait.

Thanks for your support and for using October CMS. We are happy to answer questions via this forum or email support.

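Added example, not part of the original post and not October CMS code: a small audit that flags a composer.lock still resolving laravel/framework 6.x after the date above, and shows why the "3.0.*" pin holds back 3.1 while "~3.0" does not. The function names and the sample lock contents are constructed for illustration, and only the two constraint forms mentioned in the post are handled.

```python
import json
from datetime import date

# From the post: Laravel 6 (LTS) security fixes end on September 6, 2022.
LARAVEL6_SECURITY_EOL = date(2022, 9, 6)

# Constructed sample composer.lock content (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v6.20.44"},
    {"name": "october/rain", "version": "v2.2.34"},
]})

def parse_version(version):
    """'v6.20.44' -> (6, 20, 44); non-numeric parts are dropped, missing ones zero-filled."""
    parts = version.lstrip("v").split("-")[0].split(".")
    nums = [int(p) for p in parts[:3] if p.isdigit()]
    return tuple(nums + [0] * (3 - len(nums)))

def allows(constraint, version):
    """Match only the two Composer constraint forms in the post: 'X.Y.*' and '~X.Y'."""
    ver = parse_version(version)
    if constraint.endswith(".*"):       # 3.0.* means >=3.0.0 <3.1.0
        major, minor = (int(p) for p in constraint[:-2].split("."))
        return ver[:2] == (major, minor)
    if constraint.startswith("~"):      # ~3.0 means >=3.0.0 <4.0.0
        major, minor = (int(p) for p in constraint[1:].split("."))
        return ver[0] == major and ver[1] >= minor
    raise ValueError(f"unsupported constraint: {constraint}")

def audit(lock_text, today_iso):
    """List laravel/framework 6.x entries in a composer.lock once the EOL date has passed."""
    if date.fromisoformat(today_iso) <= LARAVEL6_SECURITY_EOL:
        return []
    return [
        f"{pkg['name']} {pkg['version']}: Laravel 6 security fixes ended {LARAVEL6_SECURITY_EOL}"
        for pkg in json.loads(lock_text).get("packages", [])
        if pkg["name"] == "laravel/framework" and parse_version(pkg["version"])[0] == 6
    ]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOCK, "2022-09-07"):
        print(finding)
    for constraint in ("3.0.*", "~3.0"):
        print(constraint, "allows 3.1.0:", allows(constraint, "3.1.0"))
```

To check a real project, pass the contents of its composer.lock to audit() in place of SAMPLE_LOCK.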