Closed HenkPoley closed 3 years ago
Cool, the mentioned patch under that advisory is also applied to facades/ignition 1.16.14
https://github.com/facade/ignition/commit/38e1b180544bfefebe37e0f65980792ea78a534a
That needs fixing in the published advisory.
Can I also submit a patch to the composer.json here, or is that just auto-generated?
This is just auto-generated, and is overwritten once an hour.
These GitHub advisories have no issue tracker
You want me to write to nvd.nist.gov?
Anyways, for now I'll have to remove roave/security-advisories in my project, and hope I'll remember to add it again later.
Most likely need to contact GitHub support then.
I can't (and won't) fix data issues that are outside this repository's pertinence.
Small update, if you look at the block of 'wip' on Jul 13, 2020: https://github.com/facade/ignition/compare/1.16.14...1.16.15
You'll see that after "fixing" the security bug in 2.0.5, in the next version 2.0.6 (and going from 1.16.14 to 1.16.15) they gutted the problematic functionality. So there is no problem anymore in v1 as well.
Now I just need to update the CVE, which I've done before, just mail them. And somehow get GitHub to update their tracker.
Things are moving:
Now onto GitHub
@HenkPoley on our end, we'll try improving the commit messages, but not sure when we'll get to it.
See https://github.com/Roave/SecurityAdvisoriesBuilder/issues/451
Change/blame seen here: https://github.com/Roave/SecurityAdvisories/blame/bac54e18ee767f065d88b81c8517fb21cd6414ab/composer.json#L98
Was changed in commit: https://github.com/Roave/SecurityAdvisories/commit/bad3752fd78f4a07acb24e56fec0366aa711f150
I'm not quite seeing any recent change in https://github.com/FriendsOfPHP/security-advisories/tree/master/facade/ignition
Had a little monologue about it here: https://twitter.com/HenkPoley/status/1460186738689773569
It currently blocks installing Laravel 6.x for me. Which is still in security support for about a year, so I'd be surprised if there actually was an unfix{ed,able} problem.