Closed qrazi closed 2 years ago
This says that anything below 4.2.1 is affected: https://github.com/advisories/GHSA-mw37-wx8p-gp45
Closing here meanwhile.
Related: https://github.com/Roave/SecurityAdvisoriesBuilder/issues/451
Just leaving a related issue here in case anyone else finds this issue: https://github.com/craftcms/cms/issues/11983
TL;DR: should be solved by updating the source advisories (PRs already opened by the Craft CMS team), after which it should be picked up automatically by this project :)
In 4ed8a24bbb14c02aae12f8ec386e3e2804f58198 the constraint was changed:
"craftcms/cms": "<3.7.36",
->"craftcms/cms": "<4.2.1",
In 896c4de20871e62dc1a88268df5ffa19db40337e it was updated:
"craftcms/cms": "<4.2.1",
->"craftcms/cms": ">= 4.0.0-RC1, < 4.2.1|<4.2.1",
The original commit refers to a Smarty vulnerability. I did find vulnerability reports on GH Advisories, such as: https://github.com/advisories/GHSA-8r89-x93x-mjq2
So, the 3.x branch of Craft CMS is still actively supported, therefore I think the current version constraint is wrong (it doesn't allow 3.x versions). Not sure about what the constraint should be though.
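As an added check (not code from this issue or from the Roave project), here is a small approximation of Composer's constraint matching, used to see which of a constructed list of craftcms/cms versions each of the three constraints quoted above would block; it assumes a conflict entry blocks exactly the versions that satisfy its constraint.

```python
import re

# Constructed approximation of Composer's constraint grammar (not Composer's own code):
# '|' or '||' separates OR-groups, ',' or whitespace separates AND-ed comparisons, and a
# pre-release suffix (RC, beta, ...) sorts before the final release of the same number.
_PRE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "=": lambda a, b: a == b, "!=": lambda a, b: a != b}

def parse_version(v):
    """Map '4.0.0-RC1' to ((4, 0, 0, 0), (3, 1)); a final release such as '4.2.1' gets (4, 0)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)\.?(\d*))?", v.strip())
    if not m:
        raise ValueError(f"unparsable version: {v!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))  # pad so that 4.2 compares equal to 4.2.0.0
    if m.group(2):
        return tuple(nums), (_PRE_RANK.get(m.group(2).lower(), 3), int(m.group(3) or 0))
    return tuple(nums), (4, 0)  # a final release sorts after any pre-release of the same number

def matches(version, constraint):
    """True if `version` satisfies the composer-style `constraint` string."""
    v = parse_version(version)
    for or_group in re.split(r"\|\|?", constraint):
        # findall tolerates both '>=4.0.0' and '>= 4.0.0'; ',' and spaces act as AND separators
        terms = re.findall(r"(<=|>=|!=|<|>|=)?\s*([A-Za-z0-9.+-]+)", or_group)
        if terms and all(_OPS[op or "="](v, parse_version(ver)) for op, ver in terms):
            return True
    return False

def blocked_versions(versions, conflict_constraint):
    """Versions that a Roave/SecurityAdvisories 'conflict' entry would refuse to install."""
    return [v for v in versions if matches(v, conflict_constraint)]

if __name__ == "__main__":
    sample = ["3.7.35", "3.7.36", "3.7.50", "4.0.0-RC1", "4.2.0", "4.2.1"]  # constructed list
    for c in ["<3.7.36", "<4.2.1", ">= 4.0.0-RC1, < 4.2.1|<4.2.1"]:
        print(f"{c!r:36} blocks {blocked_versions(sample, c)}")
```

Both later constraints block every 3.7.x version in the sample, including those at or above 3.7.36, while the original "<3.7.36" only blocked 3.7.35.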