owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

chore(deps): bump PHP dependencies #314

Closed phil-davis closed 2 months ago

phil-davis commented 2 months ago
Updating dependencies
Lock file operations: 0 installs, 2 updates, 0 removals
  - Upgrading paragonie/constant_time_encoding (v2.6.3 => v2.7.0)
  - Upgrading phpseclib/phpseclib (3.0.37 => 3.0.39)
Writing lock file

This might help with the Trivy messages: https://drone.owncloud.com/owncloud-docker/server/1772/2/6

var/www/owncloud/apps/openidconnect/vendor/composer/installed.json (composer-vendor)
====================================================================================
Total: 5 (HIGH: 5, CRITICAL: 0)

┌─────────────────────┬────────────────┬──────────┬────────┬───────────────────┬────────────────────────┬─────────────────────────────────────────────────────────────┐
│       Library       │ Vulnerability  │ Severity │ Status │ Installed Version │     Fixed Version      │                            Title                            │
├─────────────────────┼────────────────┼──────────┼────────┼───────────────────┼────────────────────────┼─────────────────────────────────────────────────────────────┤
│ phpseclib/phpseclib │ CVE-2023-27560 │ HIGH     │ fixed  │ 3.0.16            │ 3.0.19                 │ Math/PrimeField.php in phpseclib 3.x before 3.0.19 has an   │
│                     │                │          │        │                   │                        │ infinite loo ...                                            │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-27560                  │
│                     ├────────────────┤          │        │                   ├────────────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-49316 │          │        │                   │ 3.0.34                 │ In Math/BinaryField.php in phpseclib 3 before 3.0.34,       │
│                     │                │          │        │                   │                        │ excessively larg ...                                        │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-49316                  │
│                     ├────────────────┤          │        │                   ├────────────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2023-52892 │          │        │                   │ 1.0.22, 2.0.46, 3.0.33 │ In phpseclib before 1.0.22, 2.x before 2.0.46, and 3.x      │
│                     │                │          │        │                   │                        │ before 3.0.33, ...                                          │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2023-52892                  │
│                     ├────────────────┤          │        │                   ├────────────────────────┼─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-27354 │          │        │                   │ 3.0.36, 2.0.47, 1.0.23 │ An issue was discovered in phpseclib 1.x before 1.0.23, 2.x │
│                     │                │          │        │                   │                        │ before 2.0...                                               │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2024-27354                  │
│                     ├────────────────┤          │        │                   │                        ├─────────────────────────────────────────────────────────────┤
│                     │ CVE-2024-27355 │          │        │                   │                        │ An issue was discovered in phpseclib 1.x before 1.0.23, 2.x │
│                     │                │          │        │                   │                        │ before 2.0...                                               │
│                     │                │          │        │                   │                        │ https://avd.aquasec.com/nvd/cve-2024-27355                  │
└─────────────────────┴────────────────┴──────────┴────────┴───────────────────┴────────────────────────┴─────────────────────────────────────────────────────────────┘
Exit Code 1

We don't strictly need these latest versions, but it would be nice to have them.

We do need a release that can be bundled with 10.15.0 that has more-recent PHP dependencies.

sonarcloud[bot] commented 2 months ago

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code


phil-davis commented 2 months ago

https://github.com/owncloud/openidconnect/blob/v2.2.0/composer.lock has phpseclib 3.0.16 in it. So that is why Trivy complains.
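The check Trivy performs on the bundled lock file, written out as an added example (not code from the openidconnect project or this PR): read the pinned phpseclib version out of composer.lock and compare it, per release branch, against the fixed versions from the Trivy table above. The lock-file fragment is constructed to mirror the v2.2.0 pin mentioned in the last comment.

```python
import json
import re

# Constructed composer.lock fragment modelled on the thread: the v2.2.0 release
# still pins phpseclib 3.0.16. Not the project's real lock file.
COMPOSER_LOCK = json.dumps({"packages": [
    {"name": "paragonie/constant_time_encoding", "version": "v2.6.3"},
    {"name": "phpseclib/phpseclib", "version": "3.0.16"},
]})

# CVE -> fixed versions, copied from the Trivy table above. A CVE may list one
# fix per affected release branch (1.x, 2.x, 3.x); branches without a listed
# fix are not affected according to the table.
FIXED = {
    "CVE-2023-27560": ["3.0.19"],
    "CVE-2023-49316": ["3.0.34"],
    "CVE-2023-52892": ["1.0.22", "2.0.46", "3.0.33"],
    "CVE-2024-27354": ["3.0.36", "2.0.47", "1.0.23"],
    "CVE-2024-27355": ["3.0.36", "2.0.47", "1.0.23"],
}

def parse_version(v):
    """Turn 'v3.0.16' or '3.0.16' into a tuple of ints for ordered comparison."""
    return tuple(int(x) for x in re.sub(r"^v", "", v).split("."))

def installed_version(lock_json, package):
    """Return the version pinned for `package` in composer.lock, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg["name"] == package:
            return pkg["version"]
    return None

def open_cves(version, fixed=FIXED):
    """CVEs whose fix on the installed major branch is newer than `version`."""
    inst = parse_version(version)
    still_open = []
    for cve, fixes in fixed.items():
        branch_fixes = [parse_version(f) for f in fixes if parse_version(f)[0] == inst[0]]
        if branch_fixes and inst < min(branch_fixes):
            still_open.append(cve)
    return sorted(still_open)

def audit(lock_json, package="phpseclib/phpseclib"):
    """Pinned version plus the CVEs Trivy would still report for it."""
    v = installed_version(lock_json, package)
    return v, (open_cves(v) if v else None)

if __name__ == "__main__":
    print(audit(COMPOSER_LOCK))  # 3.0.16 leaves all five CVEs open
    print(open_cves("3.0.39"))   # [] once the lock file is bumped as in this PR
```

Running it against the real vendored composer.lock (replace COMPOSER_LOCK with the file contents) shows why a release built from v2.2.0 is flagged while one built from this PR's lock file is not.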