Laravel 5.6.30 has been released. It is a security release and is recommended as an immediate upgrade for all Laravel users. Here is what the Laravel 5.6 upgrade doc says:
This vulnerability may only be exploited if your application encryption key (APP_KEY environment variable) has been accessed by a malicious user. Typically, it is not possible for users of your application to gain access to this value. However, ex-employees that had access to the encryption key may be able to use the key to attack your applications. If you have any reason to believe your encryption key is in the hands of a malicious party, you should always rotate the key to a new value.
Laravel 5.6.30 [Security Release]: Here’s What’s New!
Laravel 5.6.30 also contains some groundbreaking changes to cookie encryption and serialisation. Cookies in Laravel are considered very safe, and the client cannot change much in them. But here is what the official Laravel docs have to say about cookie encryption:
If your application’s encryption key is in the hands of a malicious party, that party could craft cookie values using the encryption key and exploit vulnerabilities inherent to PHP object serialization / unserialization, such as calling arbitrary class methods within your application.
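The risk quoted above, as an added PHP example (not code from Laravel or its upgrade guide): a value sealed with the key passes authentication, so handing the decrypted bytes to unserialize() runs a class's magic method, while allowed_classes => false keeps the data inert. AuditLogger, sealCookie, openCookie and the random key standing in for APP_KEY are hypothetical, and the encrypt-then-MAC layout is a simplification, not Laravel's cookie format.

```php
<?php
// Added illustration, not Laravel's code. All names here are hypothetical.

// Stand-in for any application class whose magic method runs on unserialize().
class AuditLogger
{
    public static $wakeups = 0;
    public function __wakeup()
    {
        self::$wakeups++; // a real class might touch files, queries, etc.
    }
}

// Encrypt-then-MAC, so a value is accepted only if it was made with the key.
function sealCookie(string $plain, string $key): string
{
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);
    return base64_encode($iv . $mac . $ct);
}

function openCookie(string $cookie, string $key): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 64) {
        return null;
    }
    [$iv, $mac, $ct] = [substr($raw, 0, 16), substr($raw, 16, 32), substr($raw, 48)];
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) {
        return null; // forged without the key: rejected
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

$key    = random_bytes(32);                                // constructed stand-in for APP_KEY
$cookie = sealCookie(serialize(new AuditLogger()), $key);  // what a key holder can mint
$plain  = openCookie($cookie, $key);                       // passes the MAC check

// Pre-fix pattern: decrypted bytes go straight into unserialize().
unserialize($plain);
echo 'after plain unserialize: ', AuditLogger::$wakeups, " __wakeup call(s)\n";

// Hardened: never instantiate classes from cookie data.
$inert = unserialize($plain, ['allowed_classes' => false]);
echo 'with allowed_classes=false: ', get_class($inert), ', ',
     AuditLogger::$wakeups, " __wakeup call(s)\n";
```

Treating cookie values as plain strings and never calling unserialize() on them removes this class of problem entirely.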
One thing to note here is that this security release is concerned only with the APP_KEY environment variable: your application is threatened only if the APP_KEY is exposed and used against it. Here is what Taylor Otwell has to say:
A common misconception I see online is that the APP_KEY is related to password hashing. It’s not. It has *nothing* to do with password hashing at all. It’s only used for encryption.
— Taylor Otwell 👨🚀 (@taylorotwell) August 8, 2018
The official upgrade guide contains everything you need to know about this release and its security impact. Please have a look at it. You can also have a look at the new PHP 7.3 Beta release.
Cheers! Happy Coding..