Release 1.7.8.8 #28522

Closed
6 tasks done
matks opened this issue May 18, 2022 · 47 comments
Assignees
Labels
Release Status for a given release Topwatchers Backlog prioritization: issue reported & followed by +6 people

Comments

@matks
Contributor

matks commented May 18, 2022

This issue tracks the status of the PrestaShop 1.7.8.8 release

Information

Type: Patch version
Build date: 2022-11-25
Milestone: 1.7.8.8
Kanban: 1.7.8.8
Delivery date: 2022-12-08
Release manager tech: @mflasquin
Release manager product: @eshraw
Release manager QA: @HanaRebaiQA

Current status

  • Development
  • Build
  • QA validation
  • Release
  • Available for upgrade
  • Docker image
@matks matks added Bug Type: Bug New New issue not yet processed by QA Release Status for a given release labels May 18, 2022
@matks matks pinned this issue May 18, 2022
@matks matks removed Bug Type: Bug New New issue not yet processed by QA labels May 18, 2022
@Murat-06

This comment was marked as off-topic.

@matks
Contributor Author

matks commented Jun 28, 2022

@Murat-06 You need to open a feature request in order for your ideas to be analyzed -> https://github.com/PrestaShop/PrestaShop/issues/new?assignees=&labels=Bug%2CNew&template=1_bug_report.yml

@matks
Contributor Author

matks commented Jun 28, 2022

Date update

As we focus on 8.0.0 for now, the expected release date has been set to the 18th of July.

@matks
Contributor Author

matks commented Jul 18, 2022

Date update

The QA team's focus is the autoupgrade module: it is needed to explore whether upgrades from 1.7.x versions to 8.0.0 are OK and to register known issues.

Following this exploration, the 1.7.8.7 build, test and release will be possible.

@letwang

letwang commented Jul 21, 2022

Is this going to be delayed?

@matks
Contributor Author

matks commented Jul 21, 2022

@letwang Yes, as mentioned above we are right now focusing on the autoupgrade testing campaign for 8.0.0, and it requires most of the QA team capacity, so we cannot test 1.7.8.7 at the same time.

@letwang

letwang commented Jul 22, 2022

The implication is that the current latest stable version 1.7.8.6 will exist for a long time?

@matks
Contributor Author

matks commented Jul 22, 2022

It depends what you call a long time. I think 1.7.8.7 will be delivered somewhere in August or September, so 2 months. It's just a guess though.

@matks matks changed the title Release 1.7.8.7 Release 1.7.8.8 Jul 24, 2022
@matks
Contributor Author

matks commented Jul 24, 2022

Scope and version update

Following the discovery of a major security vulnerability, the version 1.7.8.7 will be a security patch release targeting the attack.

This version, initially planned to be 1.7.8.7, will become 1.7.8.8.

@letwang

letwang commented Jul 25, 2022

Good Job~

@vavrecan

vavrecan commented Jul 25, 2022

how does the update (in SmartyCacheResourceMysql.php) to
$content = $this->phpEncryption->decrypt($row['content']);
from
$content = $row['content'];

and
"' . $this->phpEncryption->encrypt($content) . '"
from
"' . pSQL($content, true) . '"

fix this security vulnerability? is the latest update a joke?

@kpodemski
Contributor

Could you elaborate @vavrecan?

@vavrecan

can you explain how just changing the way the data is written in the SQL query will affect the exploitation? does it mean there is a security issue with how pSQL is escaping queries?

@vavrecan

We compared the 1.7.8.7 and 1.7.8.6 releases, and the only relevant difference for the major security vulnerability was just this change in SmartyCacheResourceMysql.php. It does not look right.

@kpodemski
Contributor

This fixes an attack where there's no access to files from the core and the encryption keys. The data from the cache table is now secured: if you try to inject something there without knowing the encryption key, it will fail.

@vavrecan

is it safe to trust the output of $this->phpEncryption->encrypt?
If the attack allowed writing custom content to smarty_cache, it would still go through the encryption, or was there another point where data were stored to the ps_smarty_cache table?

@vavrecan

i am just having a hard time understanding the vulnerability; i thought the smarty_cache table is only accessed from the SmartyCacheResourceMysql.php file

@ghost

ghost commented Jul 25, 2022

The other way is with a SQL injection.
Now if you modify the content with a SQL injection, the decryption doesn't work.

@kpodemski
Contributor

Most important thing you need to know: It is a valid fix for a vulnerability that the team found :)
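As an added illustration of the principle discussed above (not PrestaShop's code: it uses PHP's openssl AES-256-GCM directly instead of the project's phpEncryption wrapper, and the function names encryptCacheRow/decryptCacheRow, the key and the sample row are all constructed here): a cache row stored as authenticated ciphertext is rejected on read if its stored content was altered in the database without the key.

```php
<?php
// Added example, not PrestaShop code: a Smarty cache row stored encrypted
// and authenticated, so that a row modified behind the application's back
// (for instance through an SQL injection) fails to decrypt instead of being
// rendered as a template. Assumption: a 32-byte key kept outside the
// database, as PrestaShop's phpEncryption wrapper does with its own key.

const CACHE_CIPHER = 'aes-256-gcm';

// Write path: returns the value to store in the cache table's content column.
function encryptCacheRow(string $key, string $content): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CACHE_CIPHER)); // 12 bytes for GCM
    $tag = '';
    $ciphertext = openssl_encrypt($content, CACHE_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ciphertext === false) {
        throw new RuntimeException('encryption failed');
    }
    // Layout chosen for this example: iv || tag || ciphertext, base64 for a text column.
    return base64_encode($iv . $tag . $ciphertext);
}

// Read path: returns null for any row not produced with this key, which
// includes rows that were edited after they were written.
function decryptCacheRow(string $key, string $stored): ?string
{
    $raw = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CACHE_CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + 16) {
        return null;
    }
    $iv = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, 16);
    $ciphertext = substr($raw, $ivLen + 16);
    $plain = openssl_decrypt($ciphertext, CACHE_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain; // false means the GCM tag did not verify
}

// Constructed demo.
$key = random_bytes(32);
$stored = encryptCacheRow($key, '<p>Hello {$customer.firstname}</p>');
var_dump(decryptCacheRow($key, $stored) !== null);   // bool(true): genuine row is accepted

// A row overwritten without the key does not decrypt.
var_dump(decryptCacheRow($key, base64_encode(str_repeat('x', 40)))); // NULL

// Flipping a single byte of the genuine row is also caught by the tag check.
$raw = base64_decode($stored);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 1);
var_dump(decryptCacheRow($key, base64_encode($raw))); // NULL
```

The read path must treat a failed decryption as "no cache entry" and regenerate, never fall back to using the raw column value.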

@prestashop-issue-bot prestashop-issue-bot bot added the Topwatchers Backlog prioritization: issue reported & followed by +6 people label Jul 26, 2022
@kpodemski
Contributor

@ismartfridge are you using MySQL cache for Smarty? You can check that in the Preferences -> Performance tab

@ismartfridge

I have always used the file system cache type.

@letwang

letwang commented Jul 27, 2022

1.7.8.7 has some serious performance issues: after updating from 1.7.8.5, the site takes as long as 10 seconds to load. I reverted to 1.7.8.5 and the issue is gone.

Search for api-addons.prestashop.com and api.addons.prestashop.com all over the site; we've already found it for you, 3 places in total.

  • 1. /app/config/config.yml (api-addons.prestashop.com)
  • 2. /classes/Tools.php (api.addons.prestashop.com)
  • 3. /controllers/admin/AdminSearchController.php (api-addons.prestashop.com)

Replace all the above URLs with local (127.0.0.1) virtual addresses.

Here, if necessary, it is best to clear the cache files again.

sudo rm -rf /var/cache/

@maofree

maofree commented Aug 14, 2022

Hi @letwang
I made the corrections in the 3 suggested files; I confirm they seem correct as corrections, and the site seems more responsive to me.

@matks
can you add these fixes to the next version? However, I believe that there are no longer warnings about new versions of modules and the like. If anything, it would be useful to check that it is less invasive.
thanks

@mrabsinthe

What are the current plans for this version release? Still keeping the 6 weeks release cycle?

@matks
Contributor Author

matks commented Sep 1, 2022

What are the current plans for this version release? Still keeping the 6 weeks release cycle?

As mentioned here priority is given to PrestaShop 8.0.0 for now. The project team does not have the capability to test both 8.0.0 and 1.7.8.8 so 1.7.8.8 is being delayed until the workload goes down.

We hope to be able to build, test and deliver 1.7.8.8 in September, but this will happen only if all goes right with 8.0.0. Unexpected issues found while testing 8.0.0 could delay this further.

The 6 weeks release cycle is consequently not applicable to PrestaShop 1.7.8.8.

@matks
Contributor Author

matks commented Sep 1, 2022

Just found this article I wrote 2 years ago:
https://build.prestashop.com/news/ps17-patch-release-lifecycle/

If you read the section "Why six weeks, and not eight or two?", you'll find why it is so expensive to build, test and deliver 1.7.8.8 and why we cannot do it at the same time as 8.0.0.

@mrabsinthe

Thank you for the clarification.

@kpodemski kpodemski removed the Topwatchers Backlog prioritization: issue reported & followed by +6 people label Sep 6, 2022
@prestashop-issue-bot prestashop-issue-bot bot added the Topwatchers Backlog prioritization: issue reported & followed by +6 people label Sep 17, 2022
@matks
Contributor Author

matks commented Sep 23, 2022

It depends what you call a long time. I think 1.7.8.7 will be delivered somewhere in August or September, so 2 months. It's just a guess though.

Status update

PrestaShop 8.0.0 delivering and testing is taking longer than expected so PrestaShop 1.7.8.8 can be expected to be delivered in October.

@Progi1984 Progi1984 assigned HanaRebaiQA and unassigned florine2623 Nov 4, 2022
@molsondry

It's been 10 months now since I discovered a major core error, which was reported 6 months ago (#28688) and which seems to be fixed now, but the release isn't available even now. Really a mess. My shop doesn't work and I have a lot of worries with my customers, since variation handling in combination with individualization produces lots of errors.
I'm considering swapping to another shopware, thinking Shopify has shorter update cycles.

@kpodemski
Contributor

Hello @molsondry

PrestaShop is an open source, community project. If you find that any issue is critical for you, and it's important to have it fixed ASAP, then you can invest into having it done. You can hire a developer to fix it, or if you are a developer yourself, you can try doing it on your own. The most important thing is to share that fix with everyone by submitting a Pull Request -- that's what the open source spirit is all about.

@letwang

letwang commented Nov 7, 2022

It's been 10 months now since I discovered a major core error, which was reported 6 months ago (#28688) and which seems to be fixed now, but the release isn't available even now. Really a mess. My shop doesn't work and I have a lot of worries with my customers, since variation handling in combination with individualization produces lots of errors. I'm considering swapping to another shopware, thinking Shopify has shorter update cycles.

I'm a developer and you can pay me to solve problems in the future.

@matks matks assigned mflasquin and unassigned matthieu-rolland Nov 22, 2022
@matks
Contributor Author

matks commented Nov 23, 2022

2022-11-23 Status update

The scope of 1.7.8.8 should not change anymore; we're going to build a 1.7.8.8 ZIP soon (this week or next week) and deliver it to the QA team for testing.

@letwang

letwang commented Nov 24, 2022

When will the patch version 8.0 be released?

@mflasquin
Contributor

mflasquin commented Nov 25, 2022

2022-11-25 Status update

Hi, the build has been delivered to QA team

@HartLarsson

HartLarsson commented Nov 26, 2022

1.7.8.7 has some serious performance issues: after updating from 1.7.8.5, the site takes as long as 10 seconds to load. I reverted to 1.7.8.5 and the issue is gone.

Search for api-addons.prestashop.com and api.addons.prestashop.com all over the site; we've already found it for you, 3 places in total.

  • 1. /app/config/config.yml (api-addons.prestashop.com)
  • 2. /classes/Tools.php (api.addons.prestashop.com)
  • 3. /controllers/admin/AdminSearchController.php (api-addons.prestashop.com)

Replace all the above URLs with local (127.0.0.1) virtual addresses.

Here, if necessary, it is best to clear the cache files again.

sudo rm -rf /var/cache/

Will these performance fixes affect the addons functionalities in some way?
thanks

@simbus82

1.7.8.7 has some serious performance issues: after updating from 1.7.8.5, the site takes as long as 10 seconds to load. I reverted to 1.7.8.5 and the issue is gone.
Will these performance fixes affect the addons functionalities in some way? thanks

Probably the modules update tab stops working.

@HanaRebaiQA

HanaRebaiQA commented Nov 30, 2022

Hello everyone,

Final report of the QA Team on the 1.7.8.8 build1:

  • The functional test campaign is done: OK
  • The exploratory test campaign is done: OK

Summary of the issues detected during the test:

Minor:
#30438
#30431
#30446
#30430
#30422

Trivial:
#30424
#30423

Feature:
#30425

It's a GO for the release!
A big thanks to all those who contributed, from near or far, to this release!

@Fera

Fera commented Dec 8, 2022

Will we have to wait until 1.7.8.9 to fix bug #30478?

@mflasquin
Contributor

🚀 ✅ STATUS UPDATE

1.7.8.8 is released!

@matks
Contributor Author

matks commented Dec 8, 2022

Will we have to wait until 1.7.8.9 to fix bug #30478?

@Fera No 1.7.8.9 is planned. 1.7.8.8 will be the last regular 1.7.8.x patch version, as the branch now enters security-only maintenance phase. Next regular patches will now target 8.0.x branch.

If you find that #30478 is critical for you, and it's important to have it fixed ASAP, then you can invest into having it done. Do not wait for someone else to fix it. You can hire a developer to fix it, or if you are a developer yourself, you can try doing it on your own. The most important thing is to share that fix with everyone by submitting a Pull Request -- that's what the open source spirit is all about.

@matks matks unpinned this issue Dec 9, 2022
@matks matks closed this as completed Dec 9, 2022