Roave / SecurityAdvisories

:closed_lock_with_key: Security advisories as a simple composer exclusion list, updated daily
MIT License
2.7k stars 105 forks

Why was ignition 1.x removed from the conflict exception? #86

Closed HenkPoley closed 2 years ago

HenkPoley commented 2 years ago

Change/blame seen here: https://github.com/Roave/SecurityAdvisories/blame/bac54e18ee767f065d88b81c8517fb21cd6414ab/composer.json#L98

Was changed in commit: https://github.com/Roave/SecurityAdvisories/commit/bad3752fd78f4a07acb24e56fec0366aa711f150

I'm not quite seeing any recent change in https://github.com/FriendsOfPHP/security-advisories/tree/master/facade/ignition

Had a little monologue about it here 😅: https://twitter.com/HenkPoley/status/1460186738689773569

It currently blocks installing Laravel 6.x for me. Which is still in security support for about a year, so I'd be surprised if there actually was an unfix{ed,able} problem.

Ocramius commented 2 years ago

https://github.com/advisories/GHSA-m5v7-pr32-mjx2

HenkPoley commented 2 years ago

Cool, the mentioned patch under that advisory is also applied to facade/ignition 1.16.14

https://github.com/facade/ignition/commit/38e1b180544bfefebe37e0f65980792ea78a534a

Ocramius commented 2 years ago

That needs fixing in the published advisory.

HenkPoley commented 2 years ago

Can I also submit a patch to the composer.json here, or is that just auto-generated?

Ocramius commented 2 years ago

This is just auto-generated, and is overwritten once an hour.

HenkPoley commented 2 years ago

These GitHub advisories have no issue tracker 😅

You want me to write to nvd.nist.gov?

Anyways, for now I'll have to remove roave/security-advisories in my project, and hope I'll remember to add it again later.

Ocramius commented 2 years ago

Most likely need to contact GitHub support then.

I can't (and won't) fix data issues that are outside this repository's pertinence.

HenkPoley commented 2 years ago

Small update, if you look at the block of 'wip' on Jul 13, 2020: https://github.com/facade/ignition/compare/1.16.14...1.16.15

You'll see that after "fixing" the security bug in 2.0.5, in the next version 2.0.6 (and going from 1.16.14 to 1.16.15) they gutted the problematic functionality. So there is no problem anymore in v1 as well.

Now I just need to update the CVE, which I've done before, just mail them. And somehow get GitHub to update their tracker.
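The comment above pins the ignition fix to 1.16.15 on the 1.x line and 2.0.6 on the 2.x line, and the whole thread turns on whether the generated `conflict` entry in composer.json still covers versions that are already patched. The checker below is an added example, not code from Roave/SecurityAdvisories or from the advisory builder: it evaluates a composer-style conflict constraint against installed package versions so you can see exactly which lock-file entries a given range would block. The constraint string and the composer.lock fragment are constructed to match the versions mentioned in this thread (they are not the repository's real data), and only plain comparison operators are supported, not composer's `^`, `~` or wildcard forms.

```python
import json
import re

# Constructed conflict entry shaped like a roave/security-advisories line, using the
# fixed versions named in the thread (1.16.15 and 2.0.6). Assumption, not real data.
CONFLICT = {
    "facade/ignition": "<1.16.15|>=2.0.0,<2.0.6",
}

# Constructed composer.lock fragment: three projects' worth of installed versions.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "facade/ignition", "version": "v1.16.14"},
        {"name": "laravel/framework", "version": "v6.20.0"},
    ]
})

OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}


def parse_version(text):
    """'v1.16.14' -> (1, 16, 14); missing components are treated as 0."""
    parts = text.strip().lstrip("vV").split(".")
    nums = []
    for part in parts:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def matches_constraint(version, constraint):
    """True if `version` falls inside a composer-style constraint.

    '|' or '||' separates OR-groups; ',' or whitespace separates comparisons
    that must all hold within a group. Only <, <=, >, >=, ==, != are handled.
    """
    v = parse_version(version)
    for group in re.split(r"\s*\|\|?\s*", constraint.strip()):
        group_ok = True
        for atom in re.split(r"[,\s]+", group.strip()):
            m = re.fullmatch(r"(<=|>=|<|>|==|!=|=)?\s*v?([\d.]+)", atom)
            if not m:
                raise ValueError(f"unsupported constraint atom: {atom!r}")
            op = m.group(1) or "=="
            if op == "=":
                op = "=="
            if not OPS[op](v, parse_version(m.group(2))):
                group_ok = False
                break
        if group_ok:
            return True
    return False


def blocked_packages(lock_json, conflicts=CONFLICT):
    """Return [(name, version, constraint)] for installed packages hit by a conflict."""
    lock = json.loads(lock_json)
    hits = []
    for pkg in lock.get("packages", []) + lock.get("packages-dev", []):
        constraint = conflicts.get(pkg["name"])
        if constraint and matches_constraint(pkg["version"], constraint):
            hits.append((pkg["name"], pkg["version"], constraint))
    return hits


if __name__ == "__main__":
    for name, version, constraint in blocked_packages(SAMPLE_LOCK):
        print(f"{name} {version} is blocked by conflict {constraint}")
```

Run it against a real composer.lock by replacing `SAMPLE_LOCK` with the file's contents; an empty result means the conflict list as written would not stop `composer install`, while a hit names the exact version that has to move before roave/security-advisories can be added back.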

HenkPoley commented 2 years ago

Things are moving:

Now onto GitHub 😅

Ocramius commented 2 years ago

@HenkPoley on our end, we'll try improving the commit messages, but not sure when we'll get to it.

See https://github.com/Roave/SecurityAdvisoriesBuilder/issues/451

HenkPoley commented 2 years ago

👀 https://github.com/advisories/GHSA-m5v7-pr32-mjx2

☺️ https://github.com/Roave/SecurityAdvisories/commit/bc2442b478916b4447190c34aece742aa1f988dd