koobas.hobune.stream
Security Update - If I install latest udpate of Unity, do I need to intall the security patch too?
I see there are some Remote Code Execution vulnerabilities that Unity just tweeted. If I install latest update, do I need to download & install the patch too?
I got confused because it said:
Additionally, you can download and install the corresponding patch for your version of the Unity Editor. The download links are available in the Patch Versions of the Vulnerabilities Details section and in the References section.
And there is a patch for latest version of Unity (2018.3.7f1),
References - [3] 2018.3.7f1 (Win)
If the latest version already contains the patch, why they still put the patch file for latest version there.
But If the latest version doesn't contains the patch, is it too risky for the community, not everyone check the Unity Security page, shouldn't the security patch be easily noticed & installed via Unity Editor Updater?
As you can see int 2018.3.7 patch notes the security patch is already there, so no need for any updating. Also 2018.3.8 is already out and it (obviously) also contains that security update
Unity said: "All future versions of the Unity Editor will include this update moving forward."
I guess if we update to 2018.3.7f1, we still need to manually install the patch for 2018.3.7f1. So I choose to wait for the newer version come out so that I don't have to manually install the patch (yeah, I know I'm lazy too)
I posted more in this forum thread.
This was very confusing! I think that the instructions for the March 2019 Security Update Advisory (CVE-2019-9197) refer only to updating a non-latest version (unpatched) to a latest patched version.
The confusing part seems to be in the using of the word "Additionally" in the instructions. I believe it would be more appropriate to use "alternatively". i.e. either update through File menu Help -> Check for Updates (and get the patched version), or alternatively (not additionally) "you can download and install the corresponding patch...".
This was really confusing! In order to make sure, I had to actually check that the patched version file in the Security Update Advisory link was actually the same file as the corresponding one in the Unity download archive (MD5 check), which is already patched as @Casiell mentioned.
