duosecurity / duo_universal_php

Duo OIDC-based two-factor authentication for PHP web applications
https://duo.com/docs/duoweb
BSD 3-Clause "New" or "Revised" License

Depends on version of `firebase/php-jwt` with known issues #4

Closed yakatz closed 2 years ago

yakatz commented 2 years ago

Our automated dependency scanning doesn't like this package because it requires "firebase/php-jwt": "^5.0" which is the subject of CVE-2021-46743.

While this is probably not actually a security issue, it would be great if this could be updated to "firebase/php-jwt": "^6.0" which is not "vulnerable".
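As an added example (not code from the issue thread or from duo_universal_php), this script reads the package list from a composer.lock and reports whether the resolved firebase/php-jwt version is still below 6.0.0, the version the thread describes as no longer flagged. The lock content is constructed for the demo; a real check would read the project's own composer.lock.

```php
<?php
// Added example, not part of the thread or of duo_universal_php.
// A "^5.0" constraint can only ever resolve to a 5.x release, which is why the
// scanner in the thread flags it; this checks what the lock file actually pinned.
declare(strict_types=1);

// Constructed composer.lock excerpt for the demo. A real check would use
// json_decode(file_get_contents('composer.lock'), true) instead.
const DEMO_LOCK = <<<'JSON'
{
  "packages": [
    {"name": "duosecurity/duo_universal_php", "version": "1.0.0"},
    {"name": "firebase/php-jwt", "version": "v5.5.1"},
    {"name": "guzzlehttp/guzzle", "version": "7.4.1"}
  ],
  "packages-dev": []
}
JSON;

/**
 * Return the version composer.lock resolved for $package (leading "v" stripped),
 * or null when the package is not installed at all.
 */
function lockedVersion(array $lock, string $package): ?string
{
    $all = array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []);
    foreach ($all as $pkg) {
        if (($pkg['name'] ?? '') === $package) {
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

/** True when a locked version is below the first release carrying the fix. */
function isBelowFix(?string $locked, string $fixedIn): bool
{
    return $locked !== null && version_compare($locked, $fixedIn, '<');
}

$lock    = json_decode(DEMO_LOCK, true, 512, JSON_THROW_ON_ERROR);
$version = lockedVersion($lock, 'firebase/php-jwt');

// 6.0.0 is taken as the fixed version because the thread reports "^6.0" as not flagged.
printf(
    "firebase/php-jwt locked at %s: %s\n",
    $version ?? 'not installed',
    isBelowFix($version, '6.0.0') ? 'below 6.0.0, will be flagged' : 'ok'
);
```

Run it in the project root with `php check-lock.php`; the version comparison is what a scanner is effectively doing, so updating the constraint alone is not enough until `composer update firebase/php-jwt` has rewritten the lock.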

AaronAtDuo commented 2 years ago

@yakatz Thanks for bringing this to our attention. It looks like a method signature we use has changed, so this isn't a drop-in switch; we'll need to make some code changes. We'll try to get this updated soon.
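The comment does not say which method signature changed. As an added illustration (not code from duo_universal_php), the most visible difference between firebase/php-jwt ^5 and ^6 is in `JWT::decode()`: the separate allowed-algorithms array is gone and the key is passed as a `Firebase\JWT\Key` bound to a single algorithm, while `JWT::encode()` now requires the algorithm argument. That this is the change the maintainer meant is an assumption; the secret and payload below are constructed.

```php
<?php
// Added illustration of the php-jwt ^5 -> ^6 decode() change; not code from
// duo_universal_php, and which method the maintainer meant is assumed.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

$secret  = 'constructed-demo-secret-not-for-production';
$payload = ['sub' => 'alice', 'iat' => time(), 'exp' => time() + 300];

// php-jwt ^6: the algorithm is a required argument (it defaulted to HS256 in ^5).
$token = JWT::encode($payload, $secret, 'HS256');

// php-jwt ^5 call, kept only for comparison; this no longer compiles against ^6:
// $decoded = JWT::decode($token, $secret, ['HS256']);

// php-jwt ^6: the Key object carries the one algorithm this key may be verified with,
// so a token cannot be verified under a different algorithm than the key was bound to.
$decoded = JWT::decode($token, new Key($secret, 'HS256'));

var_dump($decoded->sub); // string(5) "alice"
```

When porting, search the code base for every `JWT::decode(` call site and replace the third argument with a `Key` wrapping, one per key and algorithm pair, rather than reusing the same raw secret across algorithms.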

AaronAtDuo commented 2 years ago

Ok, it turned out to be a pretty minor change. With any luck we can update this tomorrow.

AaronAtDuo commented 2 years ago

@yakatz Fixed by https://github.com/duosecurity/duo_universal_php/commit/a1e865f807bbfadd37075b285de48a544509a279.

Freemandns commented 2 years ago

Hello. Could you fix this change with a tag so that composer with the value "stable" in the "minimum-stability" parameter could update the version?

Freemandns commented 2 years ago

@AaronAtDuo Please give at least some answer (

AaronAtDuo commented 2 years ago

@Freemandns Sorry for the delay, I'm not a PHP packaging expert and don't fully follow what you're asking for. Do you need us to do a 1.0.1 release? Or do I need to update the composer files?

yakatz commented 2 years ago

You don't need to change the composer.json, just release 1.0.1.

AaronAtDuo commented 2 years ago

I should be able to do that next Tuesday.

Freemandns commented 2 years ago

Yes, yakatz correctly described what needs to be done. Thank you very much.

AaronAtDuo commented 2 years ago

https://github.com/duosecurity/duo_universal_php/releases/tag/1.0.1

Hopefully that's what you needed, please let me know if there's anything more.

Thanks for using Duo!

yakatz commented 2 years ago

The last step - do you have a process for posting the release on packagist? https://packagist.org/packages/duosecurity/duo_universal_php

yakatz commented 2 years ago

Packagist had instructions for automatically updating there when you release on GitHub: https://packagist.org/about#how-to-update-packages

AaronAtDuo commented 2 years ago

Thanks for the heads up. I've triggered the update, looks like it worked. Hopefully you're all set now.