From 793e8358fbd37015f8dae4f9ca8aa0a37c951613 Mon Sep 17 00:00:00 2001 From: Fabien Potencier Date: Wed, 6 Nov 2024 18:45:40 +0100 Subject: [PATCH] Update CHANGELOG --- CHANGELOG | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG b/CHANGELOG index 44c79b13325..2068f4899bb 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,3 +1,10 @@ +# 3.14.1 (2024-11-06) + + * [BC BREAK] Fix a security issue in the sandbox mode allowing an attacker to call attributes on Array-like objects + They are now checked via the property policy + * Fix a security issue in the sandbox mode allowing an attacker to be able to call `toString()` + under some circumstances on an object even if the `__toString()` method is not allowed by the security policy + # 3.14.0 (2024-09-09) * Fix a security issue when an included sandboxed template has been loaded before without the sandbox context