Release for SA-CORE-2021-004

yes, agreed, that would be great!

When could the update for SA-CORE-2021-004 be ready?

Just to clarify, I'm agreeing that it would be a great idea - not that I can do it...

Is commerce kickstart abandoned?

I updated with "drush up" and had no adverse issues. No database updates were required.

I don't know why there is the statement that one should only update using commerce kickstart profile instead of individual modules or just updating core.

I tweeted Ryan Szarama re the lack of a new release and he replied:

Yeah, we’ll get ‘em in ASAP. In the meantime, the mitigation is to not permit untrusted users to use CKEditor if I read the SA right.

Updating core to Drupal 7.82 as with the 1.x branch.

Committed. Tagging the release.

Not sure if I'm missing something, but the releases for 2.x versions are both still dated May 11th

@mlecha It looks like the release that contains Drupal 7.82 is

commerce-kickstart-7.x-1.68 Stable release covered by the Drupal Security Team released 3 September 2021

which appears below 7.x-2.71 on the project page.

Details at https://www.drupal.org/project/commerce_kickstart/releases/7.x-1.68

Yes, I see that .68 is a lower number than .71, but when I look in the tar file for the .68 release, I see the .82 drupal-core updates in the CHANGELOG.txt file.

Edit: I'm wrong. Confused KIckstart 1 vs Kickstart 2

There are 2 separate versions of kickstart, version 1 and version 2... 7.x-1.68 is version 1

Echoing the above comments, thanks for patching this and a new release would be great.