Security fixes for Flow (2.3.8, 3.0.2) and Neos (1.2.13, 2.0.4) released

The new releases of Flow and Neos fix security issues. Users should update to the latest versions.

See also news on

Flow 2.3.8 and 3.0.2

Two potential security issues have been discovered in the Flow framework (see the related advisory Flow-SA-2015-001 for details). Versions 2.3.8 and 3.0.2 fix the issues and users are encouraged to update immediately. The patch level releases can be fetched via composer and contain no breaking changes.

The releases 2.3.7 and 3.0.1 originally fixed the issues, but contained minor regressions that have been discovered and fixed quickly.

Neos 1.2.13 and 2.0.4

Several XSS vulnerabilities have been discovered in Neos (see the related advisory Neos-SA-2015-002). Neos versions 1.2.13 and 2.0.4 fix the issues and users are encouraged to update immediately.


Thanks to Mickael Dorigny (Synetis) and Wouter Wolters for reporting the issues. Thanks to Flownative and networkteam for sponsoring the fixes. Thanks to the Neos security team members for reviewing the fixes.

Does such news come with the newsletter or what is the best way to be informed about security issues?

No, the newsletter is mostly unrelated to releases. The releases are announced:

Services like VersionEye do not only watch releases, but also pick up the latter and can warn you about anything that needs to be fixed.

And last (but probably not least) you can subscribe to Packagist via RSS. For Neos this would be (because typo3 is the vendor name).