
Fix Symfony security issues #1222

Merged
merged 2 commits into from
Nov 15, 2024
Conversation

melroy89 (Member) commented Nov 15, 2024

  • Fix Symfony composer audit (first only ran: composer update "symfony/*")
  • Update remaining packages (then also followed the remaining minor/patch releases: composer update)

PHP Production Dependencies (require)

| Package | Action | Old Version | New Version |
|---|---|---|---|
| aws/aws-crt-php | Upgraded | 1.2.6 | 1.2.7 |
| aws/aws-sdk-php | Upgraded | 3.324.1 | 3.327.1 |
| babdev/pagerfanta-bundle | Upgraded | 4.4.0 | 4.5.0 |
| bacon/bacon-qr-code | Upgraded | 3.0.0 | 3.0.1 |
| composer/ca-bundle | Upgraded | 1.5.1 | 1.5.3 |
| doctrine/common | Upgraded | 3.4.4 | 3.4.5 |
| doctrine/dbal | Upgraded | 3.9.1 | 3.9.3 |
| doctrine/migrations | Upgraded | 3.8.1 | 3.8.2 |
| doctrine/orm | Upgraded | 2.19.7 | 2.20.0 |
| doctrine/persistence | Upgraded | 3.3.3 | 3.4.0 |
| doctrine/sql-formatter | Upgraded | 1.4.1 | 1.5.1 |
| guzzlehttp/promises | Upgraded | 2.0.3 | 2.0.4 |
| knpuniversity/oauth2-client-bundle | Upgraded | 2.18.2 | 2.18.3 |
| lcobucci/clock | Upgraded | 3.2.0 | 3.3.1 |
| lcobucci/jwt | Upgraded | 5.3.0 | 5.4.2 |
| league/flysystem | Upgraded | 3.28.0 | 3.29.1 |
| league/flysystem-aws-s3-v3 | Upgraded | 3.28.0 | 3.29.0 |
| league/flysystem-local | Upgraded | 3.28.0 | 3.29.0 |
| league/mime-type-detection | Upgraded | 1.15.0 | 1.16.0 |
| meteo-concept/hcaptcha-bundle | Upgraded | 4.1.0 | 4.2.1 |
| monolog/monolog | Upgraded | 3.7.0 | 3.8.0 |
| nelmio/api-doc-bundle | Upgraded | 4.30.0 | 4.33.4 |
| nette/schema | Upgraded | 1.3.0 | 1.3.2 |
| oneup/flysystem-bundle | Upgraded | 4.12.2 | 4.12.3 |
| phpdocumentor/reflection-docblock | Upgraded | 5.4.1 | 5.6.0 |
| phpdocumentor/type-resolver | Upgraded | 1.8.2 | 1.10.0 |
| scheb/2fa-backup-code | Upgraded | 7.5.0 | 7.6.0 |
| scheb/2fa-bundle | Upgraded | 7.5.0 | 7.6.0 |
| scheb/2fa-totp | Upgraded | 7.5.0 | 7.6.0 |
| scienta/doctrine-json-functions | Upgraded | 6.1.0 | 6.3.0 |
| symfony/amqp-messenger | Upgraded | 7.1.1 | 7.1.6 |
| symfony/asset | Upgraded | 7.1.1 | 7.1.6 |
| symfony/clock | Upgraded | 7.1.1 | 7.1.6 |
| symfony/console | Upgraded | 7.1.5 | 7.1.8 |
| symfony/dependency-injection | Upgraded | 7.1.6 | 7.1.8 |
| symfony/doctrine-bridge | Upgraded | 7.1.4 | 7.1.6 |
| symfony/doctrine-messenger | Upgraded | 7.1.4 | 7.1.6 |
| symfony/flex | Upgraded | 2.4.6 | 2.4.7 |
| symfony/form | Upgraded | 7.1.4 | 7.1.6 |
| symfony/framework-bundle | Upgraded | 7.1.4 | 7.1.6 |
| symfony/http-client | Upgraded | 7.1.7 | 7.1.8 |
| symfony/http-foundation | Upgraded | 7.1.7 | 7.1.8 |
| symfony/http-kernel | Upgraded | 7.1.7 | 7.1.8 |
| symfony/intl | Upgraded | 7.1.1 | 7.1.8 |
| symfony/lock | Upgraded | 7.1.1 | 7.1.6 |
| symfony/mailgun-mailer | Upgraded | 7.1.3 | 7.1.6 |
| symfony/messenger | Upgraded | 7.1.5 | 7.1.8 |
| symfony/monolog-bridge | Upgraded | 7.1.1 | 7.1.6 |
| symfony/options-resolver | Upgraded | 7.1.1 | 7.1.6 |
| symfony/password-hasher | Upgraded | 7.1.1 | 7.1.6 |
| symfony/process | Upgraded | 7.1.7 | 7.1.8 |
| symfony/property-info | Upgraded | 7.1.6 | 7.1.8 |
| symfony/psr-http-message-bridge | Upgraded | 7.1.4 | 7.1.6 |
| symfony/rate-limiter | Upgraded | 7.1.1 | 7.1.8 |
| symfony/redis-messenger | Upgraded | 7.1.4 | 7.1.6 |
| symfony/scheduler | Upgraded | 7.1.1 | 7.1.6 |
| symfony/security-bundle | Upgraded | 7.1.4 | 7.1.6 |
| symfony/security-core | Upgraded | 7.1.4 | 7.1.6 |
| symfony/security-csrf | Upgraded | 7.1.1 | 7.1.6 |
| symfony/security-http | Upgraded | 7.1.4 | 7.1.8 |
| symfony/serializer | Upgraded | 7.1.4 | 7.1.8 |
| symfony/stopwatch | Upgraded | 7.1.1 | 7.1.6 |
| symfony/string | Upgraded | 7.1.6 | 7.1.8 |
| symfony/translation | Upgraded | 7.1.5 | 7.1.6 |
| symfony/twig-bridge | Upgraded | 7.1.4 | 7.1.8 |
| symfony/twig-bundle | Upgraded | 7.1.1 | 7.1.6 |
| symfony/type-info | Upgraded | 7.1.6 | 7.1.8 |
| symfony/ux-twig-component | Upgraded | 2.19.2 | 2.21.0 |
| symfony/validator | Upgraded | 7.1.4 | 7.1.8 |
| symfony/var-dumper | Upgraded | 7.1.7 | 7.1.8 |
| symfony/web-link | Upgraded | 7.1.1 | 7.1.6 |
| symfony/workflow | Upgraded | 7.1.1 | 7.1.6 |
| symfony/yaml | Upgraded | 7.1.4 | 7.1.6 |
| symfonycasts/reset-password-bundle | Upgraded | 1.22.0 | 1.23.0 |
| symfonycasts/verify-email-bundle | Upgraded | 1.17.1 | 1.17.2 |
| zircote/swagger-php | Upgraded | 4.10.6 | 4.11.1 |

PHP Dev Dependencies (require-dev)

| Package | Action | Old Version | New Version |
|---|---|---|---|
| doctrine/data-fixtures | Upgraded | 1.7.0 | 1.8.0 |
| doctrine/doctrine-fixtures-bundle | Upgraded | 3.6.1 | 3.6.2 |
| fakerphp/faker | Upgraded | 1.23.1 | 1.24.0 |
| myclabs/deep-copy | Upgraded | 1.12.0 | 1.12.1 |
| nikic/php-parser | Upgraded | 5.3.0 | 5.3.1 |
| phpstan/phpstan | Upgraded | 1.12.6 | 1.12.10 |
| phpunit/php-code-coverage | Upgraded | 11.0.6 | 11.0.7 |
| phpunit/phpunit | Upgraded | 11.4.0 | 11.4.3 |
| sebastian/comparator | Upgraded | 6.1.0 | 6.2.1 |
| sebastian/version | Upgraded | 5.0.1 | 5.0.2 |
| symfony/browser-kit | Upgraded | 7.1.1 | 7.1.6 |
| symfony/debug-bundle | Upgraded | 7.1.1 | 7.1.6 |
| symfony/dom-crawler | Upgraded | 7.1.1 | 7.1.6 |
| symfony/phpunit-bridge | Upgraded | 7.1.4 | 7.1.6 |
| symfony/web-profiler-bundle | Upgraded | 7.1.4 | 7.1.7 |

melroy89 added the labels `dependencies` (Pull requests that update a dependency file) and `security` (Issues and pull requests that address security concerns) on Nov 15, 2024
melroy89 added this to the v1.7.3 milestone on Nov 15, 2024
BentiGorlich (Member) commented Nov 15, 2024

I think you should write down which packages were updated in such a PR

Did you read the patch notes of the packages so we know whether there are weird updates that introduce weird stuff like the messenger did once?

melroy89 (Member, Author) replied:

> I think you should write down which packages were updated in such a PR

Added

melroy89 (Member, Author) commented Nov 15, 2024

> Did you read the patch notes of the packages so we know whether there are weird updates that introduce weird stuff like the messenger did once?

No, I then will need to read 50+ patch notes...

However, the latest v7.1.4 of security-http package will fix: cve-2024-51996 - Check owner of persisted remember-me cookie. With Severity high !

I will test this branch on my instance. But if developers follow the major, minor, patch notation. All the updated packages above are NOT major release updates. And all the Symfony package updates above are only patch releases.
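The PR description's procedure (`composer audit`, then `composer update`) and the reasoning in the comment above both rest on the assumption that every bump in the table is a minor or patch release. The script below is an added example, not code from the Mbin project or from this PR: it classifies each old/new version pair under semantic versioning and counts the rows that are a major bump or a downgrade, which are exactly the rows a reviewer would want to read the changelog for before merging. The sample rows are copied from the PR's dependency table; the function names (`split_ver`, `bump_kind`, `report_bumps`, `count_risky`) are this example's own.

```shell
#!/bin/sh
# Added example (not Mbin project code): classify dependency bumps as
# major / minor / patch / same / downgrade under semantic versioning,
# so a reviewer can see at a glance which rows need a changelog read.
# Assumes plain x.y.z tags; a leading "v" and any pre-release or build
# suffix ("-beta1", "+meta") are stripped before comparing.

# Print "MAJOR MINOR PATCH" for one version string; missing parts default to 0.
split_ver() {
    v=$(printf '%s' "$1" | sed 's/^v//; s/[-+].*$//' | tr . ' ')
    set -- $v
    printf '%s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}"
}

# Usage: bump_kind OLD NEW  -> prints major|minor|patch|same|downgrade
bump_kind() {
    set -- $(split_ver "$1") $(split_ver "$2")   # $1-$3 old, $4-$6 new
    if   [ "$1" -lt "$4" ]; then echo major
    elif [ "$1" -gt "$4" ]; then echo downgrade
    elif [ "$2" -lt "$5" ]; then echo minor
    elif [ "$2" -gt "$5" ]; then echo downgrade
    elif [ "$3" -lt "$6" ]; then echo patch
    elif [ "$3" -gt "$6" ]; then echo downgrade
    else echo same
    fi
}

# Constructed sample input: rows taken from the PR's dependency table,
# one "package old new" triple per line.
SAMPLE_ROWS='doctrine/orm 2.19.7 2.20.0
symfony/security-http 7.1.4 7.1.8
aws/aws-crt-php 1.2.6 1.2.7
scienta/doctrine-json-functions 6.1.0 6.3.0
symfony/messenger 7.1.5 7.1.8'

# Usage: report_bumps "$ROWS"  -> one "package kind old new" line per row
report_bumps() {
    printf '%s\n' "$1" | while read -r pkg old new; do
        [ -n "$pkg" ] || continue
        printf '%s %s %s %s\n' "$pkg" "$(bump_kind "$old" "$new")" "$old" "$new"
    done
}

# Usage: count_risky "$ROWS" -> number of rows that are a major bump or a
# downgrade, i.e. the ones that break the "only minor/patch" assumption.
count_risky() {
    report_bumps "$1" | awk '$2 == "major" || $2 == "downgrade"' | wc -l | tr -d ' '
}

report_bumps "$SAMPLE_ROWS"
echo "risky rows: $(count_risky "$SAMPLE_ROWS")"
```

In practice the rows come from diffing `composer.lock` before and after the update (or from `composer outdated`), and a CI job can fail on a non-zero `count_risky` so that a major bump always gets a human look at the release notes. Note that a semver label says nothing about whether a security fix is included; `composer audit` against the updated lock file is still the check that the advisories are actually gone.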

melroy89 added the label `high priority` (critical issue or PR that impacts production) on Nov 15, 2024
melroy89 (Member, Author) commented:

On my instance (kbin.melroy.org), everything seems to work just fine.

melroy89 enabled auto-merge (squash) November 15, 2024 13:13
melroy89 merged commit 86b89da into main Nov 15, 2024
7 checks passed
melroy89 deleted the fix_audit_2 branch November 15, 2024 14:25