Update from v4.6.x to v4.6.latest¶
Update the application¶
Note which version you actually have before starting.
First, run:
1 2 | |
1 2 | |
1 2 | |
Then execute the instructions below starting from the version you're upgrading from.
v4.6.1¶
No additional steps needed.
v4.6.2¶
Database update¶
Run the following scripts:
1 | |
1 | |
v4.6.3¶
Notification config update¶
The configuration of the package ibexa/notifications has changed.
This package is required by other packages, such as ibexa/connector-actito for Transactional emails, ibexa/payment, or ibexa/user.
If you are customizing the configuration of the ibexa/notifications package, and using SiteAccess aware configuration to change the Notification subscriptions, you have to manually change your configuration by using the new node name notifier instead of the old notifications.
For example, the following v4.6.2 config:
1 2 3 4 5 6 7 8 | |
becomes the following from v4.6.3:
1 2 3 4 5 6 7 8 | |
v4.6.4¶
Database update¶
Run the following scripts:
1 | |
1 | |
v4.6.5¶
No additional steps needed.
v4.6.6¶
No additional steps needed.
v4.6.7¶
No additional steps needed.
v4.6.8¶
To avoid deprecations when updating from an older PHP version to PHP 8.2 or 8.3, run the following commands:
1 2 | |
v4.6.9¶
No additional steps needed.
v4.6.10¶
No additional steps needed.
v4.6.11¶
Ibexa Cloud¶
Update Platform.sh configuration for PHP and Varnish.
Generate new configuration with the following command:
1 | |
Review the changes applied to .platform.app.yaml and .platform/,
merge with your custom settings if needed, and commit them to Git.
v4.6.12¶
If the new bundle ibexa/core-search has not been added by the recipes, enable it by adding the following line in config/bundles.php:
1 | |
v4.6.13¶
This release comes with a command to clean up duplicated entries in the ezcontentobject_attribute table, which were created due to an issue described in IBX-8562.
If you're affected, remove the duplicated entries by running the following command:
1 | |
Caution
Remember about proper database backup before running the command in the production environment.
You can customize the behavior of the command with the following options:
--batch-sizeor-b- number of attributes affected per iteration. Default value = 10000.--max-iterationsor-i- maximum iterations count. Default value = -1 (unlimited).--sleepor-s- wait time between iterations, in milliseconds. Default value = 0.
v4.6.14¶
Security¶
This release contains security fixes. For more information, see the published security advisory. For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action, for example by revoking passwords for all affected users.
BREACH vulnerability¶
The BREACH attack is a security vulnerability against HTTPS when using HTTP compression.
If you're using Varnish, update the VCL configuration to stop compressing both the Ibexa DXP's REST API and JSON responses from your backend. Fastly users are not affected.
Update Platform.sh configuration and scripts.
Generate new configuration with the following command:
1 | |
Review the changes, merge with your custom settings if needed, and commit them to Git before deployment.
Update your Varnish VCL file to align it with the vendor/ibexa/http-cache/docs/varnish/vcl/varnish6.vcl file.
Update your Varnish VCL file to align it with the vendor/ibexa/http-cache/docs/varnish/vcl/varnish7.vcl file.
```
If you're not using a reverse proxy like Varnish or Fastly, adjust the compressed Content-Type in the web server configuration.
For more information, see the updated Apache and nginx template configuration.
XSS in Content name pattern¶
There are no additional update steps to execute.
Outdated version of jQuery in ibexa/commerce-shop package¶
Only users of the old Commerce solution are affected. There are no additional update steps to execute.
Other changes¶
Disable translations of identifiers in Product Catalog's categories¶
The possibility of translating identifiers and parent information for the Categories in Product Catalog might lead to data consistency issues.
Disable it by running the following migration:
1 2 | |
Update web server configuration¶
Adjust the web server configuration to prevent direct access to the index.php file when using URLs consisting of multiple path segments.
See the updated Apache and nginx template files for more information.
v4.6.15¶
Removed symfony/orm-pack and symfony/serializer-pack dependencies¶
This release no longer directly requires the symfony/orm-pack and symfony/serializer-pack Composer dependencies, which can remove some dependencies from your project during the update process.
If you rely on them in your project, for example by using Symfony's ObjectNormalizer to create your own REST endpoints, run the following command before updating Ibexa packages:
1 | |
Then, verify that Symfony Flex installed the versions you were using before.
v4.6.16¶
No additional steps needed.
v4.6.17¶
Security¶
This release contains security fixes. For more information, see the published security advisory. For each of the following fixes, evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action.
CartOwner permission limitation exposes carts¶
This release fixes a critical vulnerability in the REST API regarding shopping carts. There are no additional update steps to execute.
Unauthorized user can cancel scheduled publish events¶
This release fixes vulnerability in publish scheduling, ensures that edit/create policies are correctly checked.
There are no additional update steps to execute.
Dependency upgrades¶
This release upgrades the requirements for Twig to v3.19 and PHPSpreadsheet to v1.29.9, resolving several vulnerabilities of varying severity in those dependencies. There are no additional update steps to execute.
v4.6.18¶
No additional steps needed.
v4.6.19¶
Security¶
This release fixes a critical vulnerability in the RichText field type. By entering a maliciously crafted input into the RichText field type's XML, the attacker could perform an attack using XML external entity (XXE) injection. To exploit this vulnerability, an attacker would need to have edit permission to content with RichText fields.
For more information, see the published security advisory IBEXA-SA-2025-002.
Evaluate the vulnerability to determine whether you might have been affected. If so, take appropriate action. There are no additional update steps to execute.
Ibexa Rector¶
The new Ibexa Rector package is now available. It's an optional package based on Rector and comes with additional rules for working with Ibexa code.
You can use it to get rid of PHP code deprecations and start preparing your project for the next major release.
Note
Ibexa Rector requires PHP 8.3 and you must upgrade your codebase first. To do it, you can use Rector and the existing PHP upgrade sets.
To get started with Ibexa Rector, execute the following steps:
-
Add the Composer dependency:
1composer require --dev ibexa/rector:^4.6 -
Adjust the created
rector.phpconfiguration file to match your project structure -
Run Rector in the dry-run mode to preview the changes:
1vendor/bin/rector --dry-run -
Run Rector:
1vendor/bin/rector
Notify support¶
Inform the support team that you have updated your installation. They update your Service portal to match the new version. This ensures that you receive notifications about new maintenance releases and security advisories for the correct version. You can contact the support team at support@ibexa.co or through your Service portal.
With the product updated to the latest version, you can now finish the update process or proceed to updating the LTS Updates packages.
LTS Updates¶
LTS Updates are standalone packages with their own update procedures. To use the latest features added to them, update them separately with the following commands:
1 | |
1 | |