CakePHP 3.7.7, 3.6.15 and 3.5.18 released

The CakePHP core team is happy to announce the immediate availability of CakePHP 3.7.7, 3.6.15 and 3.5.18. These releases contain a security related fix for CVE-2019-11458. The vulnerability affects applications that open serialized content from user input. When doing so the SmtpTransport can be used to overwrite any file the webserver has write access to. We’d like to thank Edgaras Janušauskas for notifying us of this issue and confirming the fix.

Bugfixes In addition to the security fix, you can expect the following changes in 3.7.7 See the changelog for every commit. Add getName() to View. This method was suggested in a deprecation warning but did not exist.

to View. This method was suggested in a deprecation warning but did not exist. Cake\Http\Response::withModified() is now compatible with DateTimeImmutable objects.

is now compatible with objects. Improved API documentation.

Fixed accidental return type change in Cache::deleteMany() .

. FileEngine no longer emits warnings when cache files are written to during shutdown when the previous write is for the same key.

CommandRunner now gracefully handles StopException now.

now gracefully handles now. Fixed side-effect in SmtpTransport destructor.