
Ghost Release: 1.25.7

Tag Name: 1.25.7

Release Date: 2/7/2019

Ghost

Open-source publishing platform specifically designed for professional bloggers and publications. Focuses on clean, minimalist writing and publishing experience.

TL;DR

Ghost 1.25.7 is a security-focused maintenance release that updates the express-hbs dependency to protect against a potential Remote Code Execution (RCE) vulnerability. While Ghost itself was not vulnerable due to existing protections in gscan, this update ensures all dependencies are secure. The release also includes an update to Ghost-Admin.

Highlight of the Release

    • Updated the express-hbs dependency so that it pulls in a patched handlebars release (the exact version is not preserved on this page), protecting against a potential Remote Code Execution (RCE) vulnerability
    • Ghost-Admin updated to version 1.25.7
    • No major user-facing changes in this release

Migration Guide

No migration steps are required for this update. This is a drop-in replacement that can be installed using your normal update process.

Upgrade Recommendations

We recommend all Ghost installations be updated to version 1.25.7 as soon as possible to ensure all dependencies are secure. While Ghost itself was protected against the potential RCE vulnerability through gscan, keeping dependencies updated is a security best practice.

This is a minor security-focused release with no breaking changes, so the upgrade should be straightforward with minimal risk.

Bug Fixes

No specific bug fixes were mentioned in this release. The update was focused on security improvements through dependency updates.

New Features

No new features were introduced in this release. This is primarily a security maintenance update focusing on dependency updates.

Security Updates

Security Improvements

  • Updated the express-hbs dependency so that it pulls in a patched handlebars release (the exact version is not preserved on this page), protecting against a potential Remote Code Execution (RCE) vulnerability
  • Ghost itself was not vulnerable to this RCE because gscan, the theme validator, refuses to install or activate any theme that uses unknown helpers
  • This update ensures that all dependencies are secure, following security best practices

Performance Improvements

No specific performance improvements were mentioned in this release.

Impact Summary

This is a minor security maintenance release that updates the express-hbs dependency to protect against a potential Remote Code Execution (RCE) vulnerability in handlebars. While Ghost was already protected against this vulnerability through gscan's security features, this update ensures all dependencies are using secure versions.

The release has minimal impact on users as there are no user-facing changes, API modifications, or breaking changes. Administrators should update to this version as part of regular security maintenance, but no workflow or functionality changes will be experienced by end users.

Full Release Notes

No major user-facing changes in this release.

You can see the full change log for the details of every change included in this release.

Statistics:

  • Files Changed: 3
  • Line Additions: 92
  • Line Deletions: 104
  • Line Changes: 196
  • Total Commits: 3

Users Affected:

  • Should update to this version to ensure all dependencies are secure
  • No changes to admin workflows or interfaces

Contributors:

kevinansfield