Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License

Symfony/security-http is restricted to >= 4.4.23 but 4.4.22 is latest for symfony 4.4 #71

Closed Zombaya closed 3 years ago

Zombaya commented 3 years ago

The restrictions for symfony 4.4 for CVE-2021-21424 have been removed in https://github.com/FriendsOfPHP/security-advisories/commit/42081fa511d9448f49f90576670da01a67008b25.

These limits do still occur in the generated composer.json from this repo.

I tried running Roave/SecurityAdvisoriesBundle-build-conflicts.php and got the same composer.json as output. I grepped the build-directory but could not find any reason where the restrictions for that library were sourced.

Could this be looked into?

Current status

If you have symfony/security-http installed, you are not able to upgrade to a safe version since that does not exist. Latest available version for symfony 4.4 is 4.4.22, which is lower than the required 4.4.23.

What I tried/found out

$ php build-conflicts.php

$ cd build

$ grep --recursive --line-number security-http .
./composer.json:256:        "symfony/security-http": ">=2.3,<2.3.41|>=2.4,<2.7.51|>=2.8,<3.4.48|>=4,<4.4.23|>=5,<5.2.8",
./roave-security-advisories-original/composer.json:256:        "symfony/security-http": ">=2.3,<2.3.41|>=2.4,<2.7.51|>=2.8,<3.4.48|>=4,<4.4.23|>=5,<5.2.8",
./roave-security-advisories/composer.json:256:        "symfony/security-http": ">=2.3,<2.3.41|>=2.4,<2.7.51|>=2.8,<3.4.48|>=4,<4.4.23|>=5,<5.2.8",
./security-advisories/symfony/security-http/CVE-2021-21424.yaml:11:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2020-5275.yaml:11:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2019-18886.yaml:14:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2019-10911.yaml:35:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2018-19790.yaml:35:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2018-11406.yaml:38:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2018-11385.yaml:38:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2017-16652.yaml:23:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2016-4423.yaml:26:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2015-8125.yaml:17:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2015-8124.yaml:17:reference: composer://symfony/security-http

$ grep --recursive --line-number "4\\.4\\." ./security-advisories/symfony/security-http
./security-advisories/symfony/security-http/CVE-2020-5275.yaml:5:    4.4.x:
./security-advisories/symfony/security-http/CVE-2020-5275.yaml:7:        versions: ['>=4.4.0', '<4.4.7']
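The failure mode described above (a conflict range that extends past the last release of a branch, so no installable version remains) can be checked mechanically. The script below is an added example, not code from the Roave project or from this issue; it parses a `conflict` constraint of the form this repo generates and tests it against a constructed list of released versions (the real list would come from Packagist; stability suffixes such as `-beta` are not handled).

```python
# Added example: does a composer "conflict" constraint leave any installable
# version in a release branch? Not part of Roave/SecurityAdvisories.
import re


def parse_version(v):
    # "4.4.22" -> (4, 4, 22); short versions are zero-padded so "4" means 4.0.0
    parts = [int(p) for p in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_conflict(constraint):
    # ">=4,<4.4.23|>=5,<5.2.8" -> [((4,0,0), (4,4,23)), ((5,0,0), (5,2,8))]
    ranges = []
    for alt in constraint.split("|"):
        m = re.fullmatch(r">=([\d.]+),<([\d.]+)", alt.strip())
        if not m:
            raise ValueError(f"unsupported range syntax: {alt}")
        ranges.append((parse_version(m.group(1)), parse_version(m.group(2))))
    return ranges


def is_excluded(version, ranges):
    # A version is blocked if it falls inside any of the half-open ranges.
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in ranges)


def safe_versions_in_branch(branch, released, ranges):
    # Released versions of `branch` (e.g. "4.4") that the conflict does NOT block.
    prefix = parse_version(branch)[:2]
    return [r for r in released
            if parse_version(r)[:2] == prefix and not is_excluded(r, ranges)]


# Constraint as it appears in the generated composer.json quoted above.
CONFLICT = ">=2.3,<2.3.41|>=2.4,<2.7.51|>=2.8,<3.4.48|>=4,<4.4.23|>=5,<5.2.8"
# Constructed release list: the 4.4 branch stops at 4.4.22, 5.2 reaches 5.2.8.
RELEASED = ["4.4.20", "4.4.21", "4.4.22", "5.2.7", "5.2.8"]

if __name__ == "__main__":
    ranges = parse_conflict(CONFLICT)
    for branch in ("4.4", "5.2"):
        safe = safe_versions_in_branch(branch, RELEASED, ranges)
        print(branch, "installable:", safe or "none (constraint is unsatisfiable)")
```

Running it reports no installable 4.4.x version but 5.2.8 for the 5.2 branch, which is exactly the situation this issue describes.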

Ocramius commented 3 years ago

See https://github.com/advisories/GHSA-5pv8-ppvj-4h68 - the advisory there still contains >=4.0.0,<4.4.23

Zombaya commented 3 years ago

OK, thanks for pointing me in the right direction. I'll try to ask for some assistance from the symfony-team to see if they can either release a new version or update the CVE in github.

Ocramius commented 3 years ago

Be aware that to update a CVE in github, github support needs to be contacted.

Zombaya commented 3 years ago

There was already an issue about it on the symfony-project. Fabien Potencier updated the original github CVE and created a new one as well.

I guess now we only need to wait for this to get automatically resolved.