This update is not a security update per se. However, it contains a check for a missing or incorrect application secret and can thus protect a potentially vulnerable installation. Such an attack would be conceivable against any Symfony application, independent of Contao. Therefore, it was decided to release another Contao 4.9 version.
Changelog of the fixed issues in Contao 4.9.41:
- Auto-generate and dump the APP_SECRET during the setup (fritzmg)
About Contao 4.9 LTS
The first stable version of Contao 4.9 was released on February 18, 2020, replacing Contao 4.4 as the long-term support version. As an LTS version, 4.9 has been provided with bug fixes until February 14, 2023 and security-related updates until February 14, 2024. Contao 4.13 was the next LTS version of Contao and was released in February 2022, ensuring a stress-free transition.