security-csrf 2.8 depends on unsupported & vulnerable security-core 3.0 · Issue #27507 · symfony/symfony · GitHub

security-csrf 2.8 depends on unsupported & vulnerable security-core 3.0 #27507


Closed
stephank opened this issue Jun 5, 2018 · 2 comments

@stephank
stephank commented Jun 5, 2018

Symfony version(s) affected: 2.8

Description
Installing version 2.8 of symfony/security-csrf by itself installs an unsupported and vulnerable version of symfony/security-core.

The following line causes composer to prefer the unsupported 3.0 version of symfony/security-core:

"symfony/security-core": "~2.4|~3.0.0"

The last released version on the 3.0 branch is 3.0.9, which is listed as vulnerable: https://github.com/FriendsOfPHP/security-advisories/blob/e9093b7fc2649d99119cf2540ee6a66471c32480/symfony/security-core/CVE-2018-11407.yaml

How to reproduce

  • Start a new project (composer init)
  • composer require 'symfony/security-csrf:^2.8'

Result:

$ composer require 'symfony/security-csrf:^2.8'
./composer.json has been updated
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 6 installs, 0 updates, 0 removals
  - Installing symfony/polyfill-util (v1.8.0): Loading from cache
  - Installing symfony/polyfill-php56 (v1.8.0): Loading from cache
  - Installing symfony/security-core (v3.0.9): Loading from cache
  - Installing paragonie/random_compat (v2.0.12): Loading from cache
  - Installing symfony/polyfill-php70 (v1.8.0): Loading from cache
  - Installing symfony/security-csrf (v2.8.41): Loading from cache
symfony/security-core suggests installing symfony/event-dispatcher ()
symfony/security-core suggests installing symfony/expression-language (For using the expression voter)
symfony/security-core suggests installing symfony/http-foundation ()
symfony/security-core suggests installing symfony/ldap (For using LDAP integration)
symfony/security-core suggests installing symfony/validator (For using the user password constraint)
paragonie/random_compat suggests installing ext-libsodium (Provides a modern crypto API that can be used to generate random bytes.)
symfony/security-csrf suggests installing symfony/http-foundation (For using the class SessionTokenStorage.)
Writing lock file
Generating autoload files

Possible Solution
Loosen the dep to allow any 3.x version, or disallow the dep on 3.0 (but that may be backwards breaking).

@stof
Member
stof commented Jun 6, 2018

If you want to stay on the 2.8 LTS while using component packages rather than the fullstack, I suggest you install the symfony/lts package.

Our handling of non-fullstack projects regarding LTS was not that good for 2.8, due to the fact that 99% (that number is a guess, not an exact number) of Symfony projects were fullstack ones at that time.

And composer does not know the concept of maintained vs unmaintained versions, so we cannot tell it to prefer 2.8.x versions over 3.0.x versions.
When working on the 3.4 LTS, we thought about the issue of inter-component dependencies (as we were working on the Flex world where fullstack is not the main usage anymore), and this is why we changed our policy for our requirements and we created the symfony/lts package to enforce having all components on the LTS version.

And if you want to prevent installing vulnerable versions during a composer update, you might also want to use https://packagist.org/packages/roave/security-advisories
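The issue description above shows why "~2.4|~3.0.0" lands on security-core 3.0.9, and stof's reply offers two remedies: a root-level package that pins every component to the LTS line, and an advisory package that blocks known-vulnerable ranges during a composer update. The script below is an added example (not code from Symfony, Composer, symfony/lts or roave/security-advisories) that models the relevant slice of Composer's resolution: tilde and caret ranges joined by "|", with the highest matching release winning, as Composer does by default. The release list, the "^2.8" LTS-style pin and the "~3.0.0" advisory range are constructed for illustration; how symfony/lts and roave/security-advisories actually express their constraints is an assumption here, not taken from the page.

```python
"""Model of how a Composer-style resolver picks symfony/security-core for the
constraint "~2.4|~3.0.0", and how a root-level pin or a conflict range changes
the pick. Added example, not Symfony's or Composer's code; it handles only '~'
and '^' ranges OR'd with '|'. Versions, pin and advisory range are constructed."""
from typing import List, Optional, Sequence, Tuple

Version = Tuple[int, ...]

# Constructed release list for symfony/security-core (not a real changelog).
RELEASED: List[str] = ["2.7.49", "2.8.41", "2.8.42", "3.0.9", "3.3.18",
                       "3.4.11", "4.0.11", "4.1.0"]


def parse(version: str) -> Version:
    """'2.8.41' -> (2, 8, 41); tuples compare the way version numbers should."""
    return tuple(int(part) for part in version.split("."))


def _pad(parts: Version) -> Version:
    return parts + (0,) * (3 - len(parts))


def constraint_range(spec: str) -> Tuple[Version, Version]:
    """Half-open [low, high) range for one tilde or caret constraint, using
    Composer's semantics: '~2.4' -> >=2.4.0 <3.0.0, '~3.0.0' -> >=3.0.0 <3.1.0
    (the last given digit may rise), '^2.8' -> >=2.8.0 <3.0.0 (anything below
    the first non-zero digit may rise)."""
    op, parts = spec[0], parse(spec[1:])
    if op == "~" and len(parts) >= 2:
        head = parts[:-2] + (parts[-2] + 1,)
    elif op == "^" and parts[0] > 0:
        head = (parts[0] + 1,)
    elif op == "^" and len(parts) >= 2:
        head = (0, parts[1] + 1)
    else:
        raise ValueError(f"unsupported constraint: {spec!r}")
    return _pad(parts), _pad(head)


def satisfies(version: str, constraint: str) -> bool:
    """'|' joins alternatives: the version matches if any range contains it."""
    v = parse(version)
    return any(low <= v < high
               for low, high in (constraint_range(s.strip())
                                 for s in constraint.split("|")))


def pick(constraint: str,
         released: Sequence[str] = RELEASED,
         root_pins: Sequence[str] = (),
         conflicts: Sequence[str] = ()) -> Optional[str]:
    """Highest release that satisfies the package constraint and every root-level
    pin and falls in no conflict range. root_pins models a package such as
    symfony/lts adding its own requirement; conflicts models an advisory package
    declaring vulnerable ranges as 'conflict' entries (both are assumptions
    about how those packages are expressed, used here for illustration)."""
    candidates = [v for v in released
                  if satisfies(v, constraint)
                  and all(satisfies(v, pin) for pin in root_pins)
                  and not any(satisfies(v, bad) for bad in conflicts)]
    return max(candidates, key=parse) if candidates else None


if __name__ == "__main__":
    print("as shipped   :", pick("~2.4|~3.0.0"))                       # 3.0.9
    print("any 3.x      :", pick("~2.4|~3.0"))                         # 3.4.11
    print("LTS-style pin:", pick("~2.4|~3.0.0", root_pins=["^2.8"]))   # 2.8.42
    print("advisory     :", pick("~2.4|~3.0.0", conflicts=["~3.0.0"]))  # 2.8.42
```

The first call reproduces the page's observation: every 3.0.x release is allowed, so the solver takes 3.0.9 even though a newer 2.8.x exists, because it has no notion of "unsupported". The other three calls correspond to the remedies discussed in the thread: loosening the range to any 3.x moves the pick to the newest 3.x line, a root-level "^2.8" pin keeps the whole install on 2.8.x, and a conflict range for the advisory removes the vulnerable versions from consideration without touching the component's own constraint.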

@nicolas-grekas
Member

Would you mind sending a PR?
This was missed somehow in #27295

stephank pushed a commit to stephank/symfony that referenced this issue Jun 7, 2018
@fabpot fabpot closed this as completed Jun 8, 2018
fabpot added a commit that referenced this issue Jun 8, 2018
…hank)

This PR was merged into the 2.8 branch.

Discussion
----------

Fix security-core cross-dependencies, fixes #27507

| Q             | A
| ------------- | ---
| Branch?       | 2.8
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #27507
| License       | MIT
| Doc PR        | -

Based on earlier changes in #27295

Commits
-------

725d774 Fix security-core cross-dependencies, fixes #27507
nicolas-grekas added a commit that referenced this issue Jun 8, 2018
* 2.8:
  revert #27545
  Update Finder.php
  Fix security-core cross-dependencies, fixes #27507
  Pass previous exception to FatalErrorException
nicolas-grekas added a commit that referenced this issue Jun 8, 2018
* 3.4:
  revert #27545
  Update Finder.php
  [FrameworkBundle] remove dead code in CachePoolClearerPass
  Fix security-core cross-dependencies, fixes #27507
  Pass previous exception to FatalErrorException
nicolas-grekas added a commit that referenced this issue Jun 8, 2018
* 4.0:
  [Cache][Security] Use Throwable where possible
  revert #27545
  Update Finder.php
  [FrameworkBundle] remove dead code in CachePoolClearerPass
  Fix security-core cross-dependencies, fixes #27507
  Pass previous exception to FatalErrorException
nicolas-grekas added a commit that referenced this issue Jun 8, 2018
* 4.1:
  [Cache][Security] Use Throwable where possible
  revert #27545
  Update Finder.php
  [FrameworkBundle] remove dead code in CachePoolClearerPass
  Fix security-core cross-dependencies, fixes #27507
  Pass previous exception to FatalErrorException
ankitpokhrel added a commit to ankitpokhrel/tus-php that referenced this issue Jun 24, 2018