Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

CVE-2023-27560's affected versions are wrong #108

Closed terrafrost closed 1 year ago

terrafrost commented 1 year ago

Check out the description at https://github.com/advisories/GHSA-hm7p-r324-hhf3 :

Math/PrimeField.php in phpseclib through 2.0.41 has an infinite loop with composite primefields.

That file does not exist in 2.0.41 nor has it ever existed in any tag created off of the 2.0 branch:

https://github.com/phpseclib/phpseclib/tree/2.0.41/phpseclib/Math
https://github.com/phpseclib/phpseclib/tree/2.0/phpseclib/Math

That file, however, does exist in the 3.0 branch:

https://github.com/phpseclib/phpseclib/blob/3.0/phpseclib/Math/PrimeField.php

The recent 3.0.19 release fixed this:

https://github.com/phpseclib/phpseclib/releases/tag/3.0.19

Ocramius commented 1 year ago

This project only contains a composer.json generated from upstream-reported advisories, regenerated every hour: you will need to contact the author of the upstream advisory instead, and get it adjusted.
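To illustrate the mechanism Ocramius describes, the following is an added example (not code from roave/security-advisories, phpseclib, or either commenter) of how a composer-style conflict constraint is evaluated against installed versions, and why an advisory with a wrong affected range matters downstream. The two conflict maps are constructed for this example: AS_PUBLISHED mirrors the advisory text quoted above ("through 2.0.41"), and AS_CORRECTED mirrors the thread's statements that the file only exists on the 3.0 branch and that 3.0.19 contains the fix; neither is the project's real composer.json entry.

```python
"""Evaluate composer-style 'conflict' constraints against installed versions.

Added example for this issue thread; not code from roave/security-advisories
or phpseclib. Supports the operators that exclusion lists typically use
(<, <=, >, >=, exact), with '||' / '|' as OR and ',' as AND. Caret (^),
tilde (~) and wildcard (*) constraints are deliberately not handled.
"""
import re


def parse_version(v):
    """Turn '2.0.41', 'v3.0.19' or '3.0.19-rc1' into a comparable 4-tuple."""
    core = re.split(r"[-+]", v.lstrip("vV"), maxsplit=1)[0]   # drop pre-release/build suffix
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b,
    "": lambda a, b: a == b,   # bare version means exact match
}


def _match_one(version, atom):
    """Check a single 'OP version' atom, e.g. '<=2.0.41' or '>=3.0.0'."""
    m = re.fullmatch(r"\s*(<=|>=|<|>|=)?\s*([\w.+-]+)\s*", atom)
    if not m:
        raise ValueError(f"unsupported constraint atom: {atom!r}")
    op, bound = m.group(1) or "", m.group(2)
    return _OPS[op](parse_version(version), parse_version(bound))


def matches(version, constraint):
    """True if `version` satisfies `constraint` ('||'/'|' = OR, ',' = AND)."""
    for alternative in re.split(r"\|\|?", constraint):
        atoms = [a for a in alternative.split(",") if a.strip()]
        if atoms and all(_match_one(version, a) for a in atoms):
            return True
    return False


def affected_packages(conflicts, installed):
    """Return {package: constraint} for installed versions a conflict map would block."""
    return {
        pkg: c for pkg, c in conflicts.items()
        if pkg in installed and matches(installed[pkg], c)
    }


# Constructed conflict maps for illustration; not the project's real entries.
# AS_PUBLISHED follows the advisory wording ("through 2.0.41").
AS_PUBLISHED = {"phpseclib/phpseclib": "<=2.0.41"}
# AS_CORRECTED follows the thread: PrimeField.php exists only on 3.0; 3.0.19 fixes it.
AS_CORRECTED = {"phpseclib/phpseclib": ">=3.0.0,<3.0.19"}

# Constructed sample of an installed dependency set (e.g. from composer.lock).
INSTALLED = {"phpseclib/phpseclib": "2.0.41"}

if __name__ == "__main__":
    # A 2.0.41 install is blocked by the published range but not by the corrected one.
    print("published :", affected_packages(AS_PUBLISHED, INSTALLED))
    print("corrected :", affected_packages(AS_CORRECTED, INSTALLED))
```

Run against a real composer.lock, the same check shows which installed packages an exclusion list would refuse; comparing the result under the published and corrected ranges is a quick way to see whether a questionable advisory actually applies to the code you ship before escalating it upstream.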