zecure / shadowd_ui

The Shadow Daemon user interface
GNU General Public License v2.0

update symfony to next LTS version #49

Open markuman opened 3 years ago

markuman commented 3 years ago
trivy fs .
2021-08-03T20:34:55.131+0200    INFO    Number of language-specific files: 1
2021-08-03T20:34:55.131+0200    INFO    Detecting composer vulnerabilities...

composer.lock (composer)
========================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

+-----------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
|     LIBRARY     | VULNERABILITY ID | SEVERITY | INSTALLED VERSION |         FIXED VERSION          |                 TITLE                 |
+-----------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+
| symfony/symfony | CVE-2021-21424   | MEDIUM   | v2.8.52           | 4.2.0, 4.4.24, 5.1.0, 5.2.0,   | CVE-2021-21424: Prevent user          |
|                 |                  |          |                   | 3.1.0, 3.3.0, 3.4.0, 3.4.49,   | enumeration via response content      |
|                 |                  |          |                   | 5.2.9, 3.0.0, 3.2.0, 4.1.0,    | in authentication mechanisms          |
|                 |                  |          |                   | 4.3.0, 4.4.0                   | -->avd.aquasec.com/nvd/cve-2021-21424 |
+-----------------+------------------+----------+-------------------+--------------------------------+---------------------------------------+

WAF or not :) upgrading Symfony to the next supported LTS version would be nice.
By the way, nice app design.

ref: trivy vulnerability scanner
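To make the trivy finding above reproducible without re-running the scanner, here is an added example (not code from the shadowd_ui project or from either commenter) that reads the locked symfony/symfony version out of a composer.lock and classifies it against the fixed-version list trivy printed for CVE-2021-21424. The composer.lock excerpt is constructed; the example reads trivy's list branch by branch (highest fixed release per major.minor) and treats a branch with no fixed release, which is the 2.8 case here, as one that only a branch upgrade can resolve, so the advisory's own affected ranges remain the authoritative source.

```python
import json
import re
from collections import defaultdict

# Constructed composer.lock excerpt; symfony/symfony mirrors the v2.8.52 trivy reported here.
COMPOSER_LOCK = json.dumps({"packages": [{"name": "symfony/symfony", "version": "v2.8.52"},
                                         {"name": "twig/twig", "version": "v1.44.0"}]})

# Fixed versions exactly as trivy listed them for CVE-2021-21424.
FIXED_VERSIONS = ["4.2.0", "4.4.24", "5.1.0", "5.2.0", "3.1.0", "3.3.0", "3.4.0",
                  "3.4.49", "5.2.9", "3.0.0", "3.2.0", "4.1.0", "4.3.0", "4.4.0"]

def parse_version(text):
    # 'v2.8.52' or '4.4.24' -> (2, 8, 52); tuples compare numerically, strings do not.
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def installed_version(lock_json, package):
    # Locked version of `package`, looking in both runtime and dev sections.
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == package:
                return pkg["version"]
    return None

def fix_threshold_per_branch(fixed_versions):
    # Highest fixed release per major.minor branch: the patch level that branch must reach.
    branches = defaultdict(list)
    for v in fixed_versions:
        t = parse_version(v)
        branches[t[:2]].append(t)
    return {b: max(vs) for b, vs in branches.items()}

def assess(lock_json, package, fixed_versions):
    # 'fixed', 'vulnerable' (a patch exists on the same branch; threshold returned) or
    # 'unfixed-branch' (no fixed release on this branch at all, the 2.8 case in this issue).
    current = installed_version(lock_json, package)
    if current is None:
        return "not-installed", None
    cur = parse_version(current)
    threshold = fix_threshold_per_branch(fixed_versions).get(cur[:2])
    if threshold is None:
        return "unfixed-branch", None
    if cur >= threshold:
        return "fixed", None
    return "vulnerable", threshold
```

Run `assess(COMPOSER_LOCK, "symfony/symfony", FIXED_VERSIONS)` to get `("unfixed-branch", None)` for the locked 2.8.52, which is the same conclusion the thread reaches: no 2.8 fix exists, so a major upgrade is required.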

zit-hb commented 3 years ago

Thanks for the report! For some reason no issue was raised by the GitHub CVE check. Luckily not a dramatic security issue but I will of course still fix it soon. If possible I will try to stay on the same major Symfony version though since otherwise more refactoring is necessary (e.g., not all dependencies might exist for a newer version).

Upgrading to the latest LTS would be nice and I plan to do it. In the last months I have started to improve shadowd and shadowd_php, shadowd_ui is still to be done. I would like to combine the LTS upgrade with a complete refactoring of the application. And maybe even some new features.

zit-hb commented 3 years ago

I have started to upgrade to Symfony 4 since there is no fixed version for 2.8. This will also resolve issue #48. It will take some days since there is a lot of code to rewrite, so that it works properly with Symfony 4.