Pull Request for Issue # .
This pull request (PR) updates the indirect composer dependencies "symfony/http-client" and "symfony/process", both to version 6.4.15, in order to fix 2 security vulnerability advisories (one low and one high severity) from composer audit.
When this PR is applied, there is one medium severity security vulnerability advisory from composer audit remaining which is not fixed by this PR. Fixing that would require updating "web-auth/webauthn-lib" to version 4.9.0 (or newer), but this would break our webauthn system plugin.
It is used by the "web-token/jwt-library" direct dependency and as an indirect developer dependency. Change log:
It is used only as an indirect development dependency. Change log:
(There were no versions 6.4.9 to 6.4.11.)
This test requires a composer version 2.4 or newer and a git clone of this repository.
For the actual result, run composer install and then composer audit in a command shell window in the root folder of your git clone on the current 5.2-dev branch of this repository.
For the expected result, run composer install and then composer audit on a branch with this PR applied.
You can create such a branch in your git clone and then check out that branch with the following commands, assuming that you have a git clone of your fork of this repository, and upstream is the remote for this repository here:
git fetch upstream pull/44805/head:test-pr-44805
git checkout test-pr-44805
If your git clone is a clone of this repository here and not of your fork, replace the upstream by origin in the first command.
After that, run
composer install
composer audit
composer install succeeds, no errors or warnings.
composer audit result:
Found 3 security vulnerability advisories affecting 3 packages:
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/http-client |
| Severity | low |
| CVE | CVE-2024-50342 |
| Title | CVE-2024-50342: Internal address and port enumeration allowed by |
| | NoPrivateNetworkHttpClient |
| URL | https://symfony.com/cve-2024-50342 |
| Affected versions | >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3 |
| | .0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,< |
| | 6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8 |
| Reported at | 2024-11-13T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | symfony/process |
| Severity | high |
| CVE | CVE-2024-51736 |
| Title | CVE-2024-51736: Command execution hijack on Windows with Process class |
| URL | https://symfony.com/cve-2024-51736 |
| Affected versions | >=2.0.0,<3.0.0|>=3.0.0,<4.0.0|>=4.0.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2 |
| | .0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.46|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,< |
| | 6.3.0|>=6.3.0,<6.4.0|>=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 |
| Reported at | 2024-11-05T08:00:00+00:00 |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
composer install succeeds, no errors or warnings.
composer audit result:
Found 1 security vulnerability advisory affecting 1 package:
+-------------------+----------------------------------------------------------------------------------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+----------------------------------------------------------------------------------+
Found 1 abandoned package:
+---------------------------+----------------------------------------------------------------------------------+
| Abandoned Package | Suggested Replacement |
+---------------------------+----------------------------------------------------------------------------------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+----------------------------------------------------------------------------------+
To fix the remaining advisory, it would be necessary to update "web-auth/webauthn-lib" to version 4.9.0 (or newer), which would also remove the abandoned "web-auth/metadata-service" package, but this would break our webauthn system plugin as that still uses the abandoned package.
Documentation link for docs.joomla.org:
No documentation changes for docs.joomla.org needed
Pull Request link for manual.joomla.org:
No documentation changes for manual.joomla.org needed
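As an added example (not part of this PR, of Joomla or of composer), the following Python script parses the table output of composer audit exactly as pasted in this thread and turns it into something a CI job can gate on: advisories per severity, the worst severity found, and a pass/fail decision against a threshold. The sample input is constructed from the "actual result" section above (cell padding collapsed, the symfony/process version list shortened); the helper names parse_audit, max_severity and audit_gate are assumptions. The interesting part of the format is that the "Affected versions" cell itself contains the | character and wraps mid-token across rows, so a naive split on | breaks.

```python
"""Parse `composer audit` table output and gate a CI job on severity.

Added example for this PR thread, not code from Joomla or composer.
SAMPLE_BEFORE is constructed from the "actual result" in the PR description
(cell padding collapsed, symfony/process version list shortened);
parse_audit, max_severity and audit_gate are hypothetical helper names."""

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

SAMPLE_BEFORE = """\
Found 3 security vulnerability advisories affecting 3 packages:
+-------------------+------+
| Package | symfony/http-client |
| Severity | low |
| CVE | CVE-2024-50342 |
| Title | CVE-2024-50342: Internal address and port enumeration allowed by |
| | NoPrivateNetworkHttpClient |
| URL | https://symfony.com/cve-2024-50342 |
| Affected versions | >=4.3.0,<4.4.0|>=4.4.0,<5.0.0|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3 |
| | .0,<5.4.0|>=5.4.0,<5.4.47|>=6.0.0,<6.1.0|>=6.1.0,<6.2.0|>=6.2.0,<6.3.0|>=6.3.0,< |
| | 6.4.0|>=6.4.0,<6.4.15|>=7.0.0,<7.1.0|>=7.1.0,<7.1.8 |
| Reported at | 2024-11-13T08:00:00+00:00 |
+-------------------+------+
+-------------------+------+
| Package | symfony/process |
| Severity | high |
| CVE | CVE-2024-51736 |
| Title | CVE-2024-51736: Command execution hijack on Windows with Process class |
| URL | https://symfony.com/cve-2024-51736 |
| Affected versions | >=6.4.0,<6.4.14|>=7.0.0,<7.1.0|>=7.1.0,<7.1.7 |
| Reported at | 2024-11-05T08:00:00+00:00 |
+-------------------+------+
+-------------------+------+
| Package | web-auth/webauthn-lib |
| Severity | medium |
| CVE | CVE-2024-39912 |
| Title | The FIDO2/Webauthn Support for PHP library allows enumeration of valid usernames |
| URL | https://github.com/advisories/GHSA-875x-g8p7-5w27 |
| Affected versions | >=4.5.0,<4.9.0 |
| Reported at | 2024-07-15T16:37:49+00:00 |
+-------------------+------+
Found 1 abandoned package:
+---------------------------+------+
| Abandoned Package | Suggested Replacement |
+---------------------------+------+
| web-auth/metadata-service | web-auth/webauthn-lib |
+---------------------------+------+
"""


def parse_audit(text):
    """Return one dict per advisory table, keyed by the left-hand column.

    Only the first inner '|' separates key from value, because the value may
    itself contain '|' (composer joins version constraints with it). A row
    with an empty left cell continues the previous field. The two-column
    abandoned-package table never yields a Package/Severity record, so it
    is dropped automatically."""
    advisories, record, last_key = [], {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("+"):                  # table border closes a record
            if "Package" in record and "Severity" in record:
                advisories.append(record)
            record, last_key = {}, None
        elif line.startswith("|"):
            key, _, value = line[1:-1].partition("|")
            key, value = key.strip(), value.strip()
            if key:
                record[key], last_key = value, key
            elif last_key:
                # Version lists wrap mid-token; prose fields wrap at a space.
                sep = "" if last_key == "Affected versions" else " "
                record[last_key] += sep + value
    return advisories


def max_severity(advisories):
    """Highest severity among the advisories, or None when there are none."""
    return max((a["Severity"].lower() for a in advisories),
               key=lambda s: SEVERITY_RANK.get(s, 0), default=None)


def audit_gate(text, fail_at="high"):
    """Return (ok, counts): ok is False once any advisory reaches fail_at.

    Severity names missing from SEVERITY_RANK score 0 and never trip the
    gate; extend the table if your policy needs them."""
    advisories = parse_audit(text)
    counts = {}
    for adv in advisories:
        sev = adv["Severity"].lower()
        counts[sev] = counts.get(sev, 0) + 1
    worst = max_severity(advisories)
    ok = worst is None or SEVERITY_RANK.get(worst, 0) < SEVERITY_RANK[fail_at]
    return ok, counts


if __name__ == "__main__":
    ok, counts = audit_gate(SAMPLE_BEFORE)
    print("gate passed:", ok, "advisories per severity:", counts)
```

On the "actual result" output the gate fails at the default "high" threshold because of the symfony/process advisory; on the "expected result" output only the medium webauthn-lib advisory remains, so the same gate passes while still reporting the medium count. For a real pipeline, composer audit --format=json (available since composer 2.4, the same minimum the test instructions require) avoids table parsing entirely; the parser here is for output pasted into a tracker or a log, as in this thread.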
Status | New | ⇒ | Pending |
Category | ⇒ | External Library Composer Change |
Labels | ⇒ | Added: Composer Dependency Changed, PR-5.2-dev |
Since this is a security update and "just" a dependency update without custom code, and it has been tested by the head of JSST, I'm overruling the 2 tests criterion here and merging this as is. Thank you for this contribution.
Status | Pending | ⇒ | Fixed in Code Base |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2025-02-02 22:23:37 |
Closed_By | ⇒ | Hackwar |
I have tested this item ✅ successfully on a893315
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/44805.