Do I really have to renew my DB/SMTP/Redis passwords after the update to 4.2.8?

From Joomla! Documentation


The 4.2.8 release notes recommend renewing the service passwords stored in configuration.php, especially the DB, SMTP, Redis and HTTP proxy passwords.

Errors reported

Renewing these passwords requires a lot of work. Is this really necessary?

Versions affected

General Information

This pertains only to Joomla! version(s): 4.0.0 - 4.2.7

How to fix

The vulnerability fixed in 4.2.8 could be exploited to expose the credentials stored in configuration.php to unauthorized users. If you are 100% sure that the issue has not been exploited on your site, it is not necessary to renew these passwords.

To verify that your site is unaffected, check your web server access log files for requests matching the following regular expression:

api/(.*)(\?|&)public=
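The following script, added here as an example and not part of the Joomla! documentation or the Joomla! code base, applies the regular expression above to access log lines and returns the ones that match. The log lines embedded in it are constructed samples in Apache combined format (the request paths and IP addresses are invented, not real traffic); pass a real log file path as the first argument to scan your own logs.

```python
import re
import sys
from typing import Iterable, List

# The regular expression quoted in the 4.2.8 guidance, used as-is.
PUBLIC_PARAM_RE = re.compile(r"api/(.*)(\?|&)public=")


def find_suspicious_requests(lines: Iterable[str]) -> List[str]:
    """Return every access-log line whose request matches the guidance regex.

    The regex is searched anywhere in the line, so it works for the common
    Apache/nginx formats where the request line is quoted in the middle.
    """
    return [line.rstrip("\n") for line in lines if PUBLIC_PARAM_RE.search(line)]


def scan_file(path: str) -> List[str]:
    """Read one (possibly rotated and already decompressed) access log and scan it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_suspicious_requests(fh)


# Constructed sample log lines (hypothetical hosts, paths and timestamps).
SAMPLE_LOG = [
    '203.0.113.10 - - [16/Feb/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [16/Feb/2023:10:00:05 +0000] "GET /api/index.php/v1/example?public=true HTTP/1.1" 200 812 "-" "curl/7.88"',
    '198.51.100.7 - - [16/Feb/2023:10:01:12 +0000] "GET /api/index.php/v1/example?page=2&public=1 HTTP/1.1" 200 944 "-" "curl/7.88"',
    '198.51.100.7 - - [16/Feb/2023:10:02:30 +0000] "GET /administrator/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the built-in samples.
    hits = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_suspicious_requests(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(f"{len(hits)} matching request(s)")
```

Both the `?public=` and the `&public=` variants are caught, because the regex accepts either separator before the parameter name. The same check can be done from a shell with `grep -E 'api/(.*)(\?|&)public=' access.log`; in either case, run it over every rotated log file you still have, not just the current one.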

Important note: We have no evidence of any exploitation attempts prior to the release, but we cannot guarantee that there were no exploitations in the past. So even if your recent log files are clean, it is unlikely but possible that an earlier exploit happened.