Roave/SecurityAdvisories

Symfony/security-http is restricted to >= 4.4.23 but 4.4.22 is latest for symfony 4.4

Zombaya opened this issue · 4 comments

The restrictions for symfony 4.4 for CVE-2021-21424 have been removed in FriendsOfPHP/security-advisories@42081fa.

These limits do still occur in the generated composer.json from this repo.

I tried running Roave/SecurityAdvisoriesBundle-build-conflicts.php and got the same composer.json as output. I grepped the build directory but could not find where the restrictions for that library were sourced from.

Could this be looked into?

Current status

If you have symfony/security-http installed, you are not able to upgrade to a safe version since that does not exist. Latest available version for symfony 4.4 is 4.4.22, which is lower than the required 4.4.23.

What I tried/found out

$ php build-conflicts.php

$ cd build

$ grep --recursive --line-number security-http .
./composer.json:256:        "symfony/security-http": ">=2.3,<2.3.41|>=2.4,<2.7.51|>=2.8,<3.4.48|>=4,<4.4.23|>=5,<5.2.8",
./roave-security-advisories-original/composer.json:256:        "symfony/security-http": ">=2.3,<2.3.41|>=2.4,<2.7.51|>=2.8,<3.4.48|>=4,<4.4.23|>=5,<5.2.8",
./roave-security-advisories/composer.json:256:        "symfony/security-http": ">=2.3,<2.3.41|>=2.4,<2.7.51|>=2.8,<3.4.48|>=4,<4.4.23|>=5,<5.2.8",
./security-advisories/symfony/security-http/CVE-2021-21424.yaml:11:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2020-5275.yaml:11:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2019-18886.yaml:14:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2019-10911.yaml:35:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2018-19790.yaml:35:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2018-11406.yaml:38:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2018-11385.yaml:38:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2017-16652.yaml:23:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2016-4423.yaml:26:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2015-8125.yaml:17:reference: composer://symfony/security-http
./security-advisories/symfony/security-http/CVE-2015-8124.yaml:17:reference: composer://symfony/security-http

$ grep --recursive --line-number "4\\.4\\." ./security-advisories/symfony/security-http
./security-advisories/symfony/security-http/CVE-2020-5275.yaml:5:    4.4.x:
./security-advisories/symfony/security-http/CVE-2020-5275.yaml:7:        versions: ['>=4.4.0', '<4.4.7']

See GHSA-5pv8-ppvj-4h68 - the advisory there still contains >=4.0.0,<4.4.23
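To make the point of the comment above concrete: the conflict string in the generated composer.json is the union of the version ranges from more than one advisory feed, so a constraint like `<4.4.23` survives as long as any feed still carries it, and grepping only the FriendsOfPHP YAML will never find it. The script below is an added illustration written for this thread; it is not the project's build-conflicts.php and does not reproduce its real merge logic. The feed contents are constructed and abbreviated (only the 4.x and 5.x ranges for the two CVEs named above are modelled, with the 5.x GHSA range made up to match the output), the `friendsofphp:`/`github:` source labels and all function names are my own, and the way versions are rendered (dropping trailing `.0` components, as the composer.json output above does) is an assumption about the format.

```python
"""Trace which advisory feed contributes each range of a composer 'conflict' string.

Added illustration only (not the Roave/SecurityAdvisories build script). It models the
issue: fixing one feed (the FriendsOfPHP YAML) does not remove a range that another
feed (a GitHub advisory) still carries.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Version]          # [lo inclusive, hi exclusive)
Entry = Tuple[Range, str]                # a range plus the feed/advisory it came from

# Constructed feed data, shaped like the files and advisory seen in the thread.
# Values are abbreviated and partly invented; they are not the real advisory contents.
FRIENDS_OF_PHP = {
    # CVE-2021-21424.yaml after the 4.4.x branch was dropped (only 5.2.x left)
    "CVE-2021-21424": {"reference": "composer://symfony/security-http",
                       "branches": {"5.2.x": {"versions": [">=5.2.0", "<5.2.8"]}}},
    # CVE-2020-5275.yaml, the only YAML that still mentions a 4.4 range
    "CVE-2020-5275": {"reference": "composer://symfony/security-http",
                      "branches": {"4.4.x": {"versions": [">=4.4.0", "<4.4.7"]}}},
}
GITHUB_ADVISORIES = {
    # GHSA record for the same CVE, still carrying the stale ">=4.0.0,<4.4.23" range
    "GHSA-5pv8-ppvj-4h68": {"package": "symfony/security-http",
                            "ranges": [">= 4.0.0, < 4.4.23", ">= 5.0.0, < 5.2.8"]},
}


def parse_version(text: str) -> Version:
    """'4.4' -> (4, 4, 0): always three numeric components so tuples compare cleanly."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def format_version(v: Version) -> str:
    """(4, 0, 0) -> '4', (4, 4, 23) -> '4.4.23' (assumed composer-style rendering)."""
    parts = list(v)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return ".".join(str(p) for p in parts)


def parse_range(spec) -> Range:
    """Accept '>=lo,<hi' as one string (GHSA style) or as a token list (YAML style)."""
    tokens = spec if isinstance(spec, list) else spec.split(",")
    lo = hi = None
    for token in (t.replace(" ", "") for t in tokens):
        if token.startswith(">="):
            lo = parse_version(token[2:])
        elif token.startswith("<") and not token.startswith("<="):
            hi = parse_version(token[1:])
        else:
            raise ValueError(f"unsupported constraint token {token!r}")
    if lo is None or hi is None or lo >= hi:
        raise ValueError(f"need a non-empty '>=lo,<hi' range, got {spec!r}")
    return lo, hi


def collect_ranges(friends, github) -> Dict[str, List[Entry]]:
    """Flatten both feeds into package -> [(range, source label)]."""
    out: Dict[str, List[Entry]] = {}
    for adv_id, adv in friends.items():
        pkg = adv["reference"].split("://", 1)[1]
        for branch in adv["branches"].values():
            out.setdefault(pkg, []).append((parse_range(branch["versions"]), f"friendsofphp:{adv_id}"))
    for adv_id, adv in github.items():
        for spec in adv["ranges"]:
            out.setdefault(adv["package"], []).append((parse_range(spec), f"github:{adv_id}"))
    return out


def merge(entries: List[Entry]) -> List[Tuple[Range, List[Entry]]]:
    """Union overlapping/abutting ranges, keeping every original entry that fed each one."""
    merged: List[Tuple[Range, List[Entry]]] = []
    for rng, src in sorted(entries):
        lo, hi = rng
        if merged and lo <= merged[-1][0][1]:          # overlaps or touches the previous range
            (plo, phi), contrib = merged[-1]
            merged[-1] = ((plo, max(phi, hi)), contrib + [(rng, src)])
        else:
            merged.append(((lo, hi), [(rng, src)]))
    return merged


def conflict_string(merged) -> str:
    """Render merged ranges the way the generated composer.json 'conflict' block does."""
    return "|".join(f">={format_version(lo)},<{format_version(hi)}" for (lo, hi), _ in merged)


def blocking_sources(merged, installed: str) -> List[str]:
    """Which original advisories actually cover the installed version (not just the merged hull)."""
    v = parse_version(installed)
    return [src for _, contrib in merged for (lo, hi), src in contrib if lo <= v < hi]


def build(friends=FRIENDS_OF_PHP, github=GITHUB_ADVISORIES, package="symfony/security-http"):
    return merge(collect_ranges(friends, github)[package])


if __name__ == "__main__":
    both = build()
    print(conflict_string(both))                  # >=4,<4.4.23|>=5,<5.2.8  (matches the grep output)
    print(blocking_sources(both, "4.4.22"))       # ['github:GHSA-5pv8-ppvj-4h68']
    yaml_only = build(github={})                  # what you get if only the YAML feed is consulted
    print(conflict_string(yaml_only))             # >=4.4,<4.4.7|>=5.2,<5.2.8
    print(blocking_sources(yaml_only, "4.4.22"))  # []
```

Running it shows why the grep in the issue comes up empty: the merged 4.x hull (`>=4,<4.4.23`) absorbs the YAML's `>=4.4,<4.4.7`, but the only advisory whose own range still covers 4.4.22 is the GitHub one, so the fix has to land in the GHSA record (or a 4.4.23 release has to exist) before the generated conflict changes.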

OK, thanks for pointing me in the right direction. I'll try to ask the symfony team for some assistance to see if they can either release a new version or update the CVE in github.

Be aware that to update a CVE in github, github support needs to be contacted.

There was already an issue about it on the symfony-project. Fabien Potencier updated the original github CVE and created a new one as well.

I guess now we only need to wait for this to get automatically resolved.