Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License
2.7k stars 105 forks

phpseclib/phpseclib should be <2.031|>=3,<3.0.34 #123

Closed terrafrost closed 9 months ago

terrafrost commented 9 months ago

From #108 I understand that this repo's composer.json is auto built from "from upstream reported advisories, generated every hour".

89f6e236e9317263c8ffa1d7d32cb6828b12aea0 was generated by CVE-2023-49316, however, if you now click on "Show Changes" on https://nvd.nist.gov/vuln/detail/CVE-2023-49316#VulnChangeHistorySection you'll see that on 11/29/2023 11:15:07 PM the description was changed from this:

In Math/BinaryField.php in phpseclib before 3.0.34, excessively large degrees can lead to a denial of service.

To this (emphasis mine):

In Math/BinaryField.php in phpseclib 3 before 3.0.34, excessively large degrees can lead to a denial of service.

Do additional updates need to be made to the CVE for this repo's composer.json to be auto-updated correctly?
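What that one-word change in the CVE description means for the generated composer.json "conflict" entry, as an added example that is not part of this thread or of the Roave tooling: a deliberately simplified Python model of Composer's constraint grammar (assumption: only `|` for OR, `,` for AND and plain comparison operators; Composer's `^`, `~`, `*`, stability suffixes and `||` are not handled) that shows "before 3.0.34" excludes every 2.x release while "3 before 3.0.34" only excludes the 3.x line.

```python
import re
from typing import Dict, List, Tuple

# Simplified model of the constraint syntax used in roave/security-advisories'
# "conflict" section: "|" separates OR-alternatives, "," separates AND-ed
# comparisons. Real Composer also accepts "||", spaces, "~", "^", "*" and
# stability suffixes; those are intentionally out of scope here (assumption).

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """Normalise '3', '3.0' and '3.0.34' to comparable 4-tuples, as Composer does."""
    parts = [int(p) for p in v.strip().lstrip("v").split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def parse_constraint(constraint: str) -> List[List[Tuple[str, Version]]]:
    """Return OR-alternatives, each a list of (operator, version) AND-terms."""
    alternatives = []
    for alt in constraint.split("|"):
        terms = []
        for term in alt.split(","):
            m = re.fullmatch(r"\s*(<=|>=|!=|==|<|>)\s*([\w.]+)\s*", term)
            if not m:
                raise ValueError(f"unsupported constraint term: {term!r}")
            terms.append((m.group(1), parse_version(m.group(2))))
        alternatives.append(terms)
    return alternatives


def is_excluded(version: str, constraint: str) -> bool:
    """True if a "conflict" entry with this constraint would block `version`."""
    v = parse_version(version)
    return any(all(_OPS[op](v, bound) for op, bound in alt)
               for alt in parse_constraint(constraint))


# The two NVD descriptions of CVE-2023-49316 quoted above, rendered as constraints.
BEFORE_EDIT = "<3.0.34"      # "phpseclib before 3.0.34": also blocks every 2.x release
AFTER_EDIT = ">=3,<3.0.34"   # "phpseclib 3 before 3.0.34": only the 3.x line


def affected_by(version: str) -> Dict[str, bool]:
    """Compare how the old and the corrected wording treat one version string."""
    return {"before_edit": is_excluded(version, BEFORE_EDIT),
            "after_edit": is_excluded(version, AFTER_EDIT)}


if __name__ == "__main__":
    # Sample version strings chosen for illustration, not a phpseclib release list.
    for sample in ("2.0.45", "3.0.33", "3.0.34"):
        print(sample, affected_by(sample))
```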

Ocramius commented 9 months ago

I think this is what needs to be updated, if relevant: https://github.com/advisories/GHSA-jpr7-q523-hx25

Currently, the CI pipeline on this repo is failing due to unrelated issues: https://github.com/Roave/SecurityAdvisoriesBuilder/actions/runs/7067865821/job/19241753344

I think if we fix that (perhaps by pinning the symfony/* version), the advisory should be re-generated here.

xabbuh commented 9 months ago

@Ocramius Roave/SecurityAdvisoriesBuilder#743 should be one of the possible solutions to fix the build

Ocramius commented 9 months ago

@xabbuh @terrafrost build just did a re-run, but without any composer.json updates happening.

The version range in https://github.com/advisories/GHSA-jpr7-q523-hx25 needs to be updated, then this should be updated automatically within ~1h.

terrafrost commented 9 months ago

Thanks for the update!

There is an extant PR to have that repo updated but it has yet to be merged:

https://github.com/github/advisory-database/pull/3012

Not sure what the hold-up is, but that's neither here nor there. I got the answer I was looking for - thanks!