
Security patches for Hybris versions higher than 5.3?

Former Member
0 Kudos
173

All information that I have found regarding security patches leads me to this website: https://wiki.hybris.com/display/downloads/Security+Patch+Downloads

This website only lists patches up to Hybris 5.3. Do security patches not exist for later versions?

I know that there are many patches for Hybris versions higher than 5.3 on their respective pages, but I'm looking specifically for security patches. Are security issues now included in normal patches?

For example, looking at this website: https://wiki.hybris.com/display/downloads/Archived+5.7.0+Release

Since I can't find any specific security patch for Hybris 5.7, should I be concerned about Hybris security if I have Hybris version 5.7.0.1?

Thanks, Rafael

Accepted Solutions (1)

VinayKumarS
Active Contributor
0 Kudos

Hi Rafael,

Earlier, the hybris product support team used to provide any patch, whether a security patch or a product patch, explicitly. But from hybris 5.5, I believe they are giving the entire package for these patches; they are not providing the patches explicitly.

The product support team always suggests that we take the latest dot version for the specific hybris version.

Hope this helps.

Thank you.

Answers (2)

Former Member
0 Kudos

When using 5.7 we found an issue with the XSS security filter which, in its ootb form, would remove # from any password set using that special character. So a customer may think the password set was Some#Password, but in fact what was being persisted was SomePassword, making the password weaker.
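The silent-stripping failure mode described in this answer, as an added illustration (Python, not Hybris code): a naive request-parameter sanitizer that strips characters from every field, including the password, beside a version that leaves credential fields untouched, plus a check that flags any value the filter altered without telling the client. The stripped character set, the field names and the entropy estimate are constructed assumptions.

```python
import math
import re
import string

# Constructed assumption: a naive "XSS" filter that strips these characters
# from every request parameter before the value reaches business logic.
NAIVE_STRIP = re.compile(r"[<>#\"']")

# Constructed assumption: names of fields that carry credentials.
PASSWORD_FIELDS = {"password", "newPassword", "confirmPassword"}


def naive_sanitize(params):
    """Strip 'dangerous' characters from all parameters, passwords included."""
    return {k: NAIVE_STRIP.sub("", v) for k, v in params.items()}


def hardened_sanitize(params):
    """Never mutate credential fields; they are hashed, not rendered, so
    output encoding (not input stripping) is the right XSS control there."""
    out = {}
    for k, v in params.items():
        out[k] = v if k in PASSWORD_FIELDS else NAIVE_STRIP.sub("", v)
    return out


def silently_altered(params, sanitized):
    """Names of fields whose value the filter changed without any error."""
    return sorted(k for k in params if params[k] != sanitized.get(k))


def charset_bits(pw):
    """Rough strength estimate: length * log2(size of character classes used)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    size = sum(len(c) for c in classes if any(ch in c for ch in pw))
    return round(len(pw) * math.log2(size), 1) if size else 0.0


if __name__ == "__main__":
    # Constructed sample: the password-change form described in the answer.
    form = {"password": "Some#Password", "displayName": "Rafael <b>"}
    naive = naive_sanitize(form)
    safe = hardened_sanitize(form)
    print("naive stored:", naive["password"])      # SomePassword
    print("hardened stored:", safe["password"])    # Some#Password
    print("silently altered by naive filter:", silently_altered(form, naive))
    print("bits:", charset_bits(form["password"]), "->", charset_bits(naive["password"]))
```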

0 Kudos

Hi!

hybris does not distinguish between security patches and "normal" patches for features.

You can find the latest available 5.3.0 patch here (currently 5.3.0.12): https://wiki.hybris.com/display/downloads/Archived+5.3.0+Release

The latest 5.7.0 patch (currently 5.7.0.28): https://wiki.hybris.com/display/downloads/Archived+5.7.0+Release

The latest patch release does always include all previous patches!

You can find links to JIRA. The patches are documented there. For example: https://jira.hybris.com/browse/PATCH-3555

And yes, you should be concerned about security if you are still running 5.7.0.1. As mentioned before, hybris does not distinguish between security patches and "normal" patches. You should also consider updating the embedded Tomcat with the latest patch.