slimphp / Slim-Psr7

PSR-7 implementation for use with Slim 4
MIT License
133 stars 45 forks

Can we have a PHP 7.2/PHP 7.3 security release? (CVE-2023-30536) #284

Closed williamdes closed 1 year ago

williamdes commented 1 year ago

  Problem 1
    - slim/psr7 1.5 requires php ^7.3 || ^8.0 -> your php version (7.2.34) does not satisfy that requirement.
    - slim/psr7[1.6, ..., 1.6.1] require php ^7.4 || ^8.0 -> your php version (7.2.34) does not satisfy that requirement.
    - Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
    - roave/security-advisories dev-latest conflicts with slim/psr7 <1.6.1.
    - Root composer.json requires slim/psr7 ^1.4 -> satisfiable by slim/psr7[1.4, 1.5, 1.6, 1.6.1].

See: https://github.com/phpmyadmin/phpmyadmin/actions/runs/4772858589/jobs/8485603736. It is failing because of https://github.com/Roave/SecurityAdvisories/commit/39006a790754a68b3a476069297b0cb83abb17d2

Ref: CVE-2023-30536

At phpMyAdmin we have to support PHP 7.2 on the 5.2 series. I would be most grateful if you would allow a security release to be done for PHP 7.2 versions. It looks like PHP 7.3 versions would be uncovered since 1.6 dropped them.

That would mean:

williamdes commented 1 year ago

@akrabat This is a security concern, could you have a look please?

l0gicgate commented 1 year ago

@williamdes we cannot do security releases for PHP versions we do not support anymore unfortunately.

We are using typed properties in the codebase which are not supported by either PHP 7.2 or PHP 7.3.

This would be an insane amount of work.

If someone wants to raise the PR for it, I will gladly release it. Otherwise it's not going to happen.

williamdes commented 1 year ago

> @williamdes we cannot do security releases for PHP versions we do not support anymore unfortunately.
>
> We are using typed properties in the codebase which are not supported by either PHP 7.2 or PHP 7.3.
>
> This would be an insane amount of work.
>
> If someone wants to raise the PR for it, I will gladly release it. Otherwise it's not going to happen.

We could "easily" make a branch from the last releases I mentioned, pick the security fix and release it. It's only a regex change. Seems possible, don't you think?

I can do the PRs if you validate that

MauricioFauth commented 1 year ago

@l0gicgate What can be done is to create a branch from the tag, and then git cherry-pick the commit 4fea29e910391b1883de5bf6e84b50f6900355fb, which is the security fix.

I wasn't able to do that because there are no 1.4.x and 1.5.x branches to open PRs to.

williamdes commented 1 year ago

> @l0gicgate What can be done is to create a branch from the tag, and then git cherry-pick the commit 4fea29e, which is the security fix.
>
> I wasn't able to do that because there are no 1.4.x and 1.5.x branches to open PRs to.

Maybe you can create them on a fork and @l0gicgate can push the tags from them. Not needing to have a branch on the main repo as a result.

l0gicgate commented 1 year ago

@MauricioFauth @williamdes I will create branches for those later today that you can PR against

l0gicgate commented 1 year ago

Here are the branches @MauricioFauth @williamdes feel free to raise PRs and I will release soon as we merge.

https://github.com/slimphp/Slim-Psr7/tree/1.4.x https://github.com/slimphp/Slim-Psr7/tree/1.5.x

williamdes commented 1 year ago

A simple cherry-pick and it worked, tests did run perfectly (for the HeadersTest, others were failing before the PR)

Should I open another PR on 1.4 and 1.5 to fix the currently failing tests (failing before the PR)?

l0gicgate commented 1 year ago

Here are the releases:

Thank you @MauricioFauth @williamdes for these contributions!

cc: @akrabat

I am closing as resolved now feel free to re-open if there's anything

williamdes commented 1 year ago

Thanks @l0gicgate! 🎉 🚀

PS: The bot says (https://github.com/github/advisory-database/pull/2233#issuecomment-1541563033) that the advisory needs a manual update here: https://github.com/slimphp/Slim-Psr7/security/advisories/GHSA-q2qj-628g-vhfw

ve3 commented 10 months ago

Thanks for the update. I was using version 0.6 because I would like to widely support many PHP versions in many places.
However, I have to bump up to minimum PHP 7.4 and Slim\Psr7 version 1.6.1 due to this security reason.
The update looks great because it seems to break nothing since 0.6. So I can continue to use my code without a lot of fixes.

Thank you.

williamdes commented 10 months ago

Only 7.2 is required https://github.com/slimphp/Slim-Psr7/blob/d3cea6539bdd0910a1e3ea2cc2a96c363c2403c3/composer.json#L31

Since 1.4 was fixed