Place for security update info

Hi everybody,
I’d like to know if there is an official place with a list of security-relevant updates for Pimcore.

I sometimes get notified by GitHub for our repositories (like https://github.com/advisories/GHSA-fpff-384j-vxq7) that some Pimcore version contains a security fix. We also found some vulnerabilities here: https://www.cvedetails.com/vulnerability-list/vendor_id-13251/Pimcore.html
And there are blog posts about other possible security issues, like this one: https://blog.ripstech.com/2019/driveby-rce-exploit-pimcore/

What I am missing is some information which we can rely on to know if we have to update all of our instances because of a security relevant topic or if this is just a bug-fix release. Some sort of page like https://docs.shopware.com/de/shopware-5-de/sicherheitsupdates or a hint on the releases page https://github.com/pimcore/pimcore/releases would be great.

Thanks!

I don’t know of an explicit one, but that’s where I read about it: https://pimcore.com/docs/6.x/Development_Documentation/Installation_and_Upgrade/Upgrade_Notes/index.html

Hi, yes, that’s the full upgrade changelog. But it does not show whether a release is security-relevant (like 6.3.0, for example).

We’d like to “never change a running system” and stick to a Pimcore version if there are no bugs that bother us and we do not require new features from the release. But we’d definitely install any security-related updates. At the moment we update on every minor version if we’re unsure about the security impact.

That is actually a huge problem at the moment: Pimcore does not properly follow SemVer. They only fix bugs and security issues in the next release, which might be a minor or a patch release. But with these releases they also introduce BC breaks. So you can’t really tell whether a release is just a bug/security fix release (patch release) without BC breaks, or a minor release with fixes/features/security fixes. You sort of have to follow the releases and carefully check whether it works for your installation or not.
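Since the thread never arrives at an official list, one practical fallback for the per-instance check the original poster asks for is to compare each instance's installed `pimcore/pimcore` version from `composer.lock` against an advisory feed you maintain yourself. The script below is an added example written for this thread, not Pimcore project code; the advisory entries and the lock fragment are constructed placeholders (real advisories carry one fixed version per supported branch, so you would store one entry per branch).

```python
import json
import re

# Constructed advisory feed (placeholder ids, NOT real Pimcore advisory data).
# Each entry names the first version that contains the fix, so any installed
# version below it is treated as affected.
ADVISORIES = [
    {"id": "GHSA-EXAMPLE-0001", "package": "pimcore/pimcore", "patched": "6.3.0"},
    {"id": "GHSA-EXAMPLE-0002", "package": "pimcore/pimcore", "patched": "6.5.2"},
]

# Constructed composer.lock fragment for one instance (only the fields we read).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "pimcore/pimcore", "version": "v6.4.1"},
    {"name": "symfony/symfony", "version": "v3.4.36"},
]})


def parse_version(text):
    """Turn 'v6.4.1' / '6.4' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def installed_versions(lock_json):
    """Map package name -> version string from composer.lock content."""
    lock = json.loads(lock_json)
    return {pkg["name"]: pkg["version"] for pkg in lock.get("packages", [])}


def open_advisories(lock_json, advisories=ADVISORIES):
    """Return ids of advisories whose fix is newer than the installed version."""
    installed = installed_versions(lock_json)
    hits = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version and parse_version(version) < parse_version(adv["patched"]):
            hits.append(adv["id"])
    return hits


def needs_security_update(lock_json, advisories=ADVISORIES):
    """True when at least one advisory is still open for this instance."""
    return bool(open_advisories(lock_json, advisories))


if __name__ == "__main__":
    hits = open_advisories(SAMPLE_LOCK)
    print("update required:" if hits else "no open advisories", hits)
```

Run it once per instance (for example over every `composer.lock` collected from your servers) and only those with open advisories need the out-of-cycle update; the rest can stay on their pinned release.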