thinkshout/mailchimp-api-php

Mark v1.0.7 as a security release because older versions have a remote code execution vulnerability

Closed this issue · 5 comments

Versions before v1.0.7 have a serious remote code execution vulnerability for which there are exploits available since early 2018 (https://twitter.com/GossiTheDog/status/968140034527453184).

The vulnerability comes from the phpunit library: https://www.cvedetails.com/cve/CVE-2017-9841 (and fix sebastianbergmann/phpunit@284a69f).

Versions older than v1.0.7 should be clearly flagged as insecure, and v1.0.7 should mention that this is a security update.

What are the best ways on GitHub to do that?

I see https://help.github.com/en/articles/about-maintainer-security-advisories which seems like it is about fixing something that is not yet fixed. I'm not sure if/how it could be applied retroactively to a release.

AFAIK, only the GitHub release (the ZIP) had the security issue. Even in v1.0.6 PHPUnit was marked as a dev dependency https://github.com/thinkshout/mailchimp-api-php/blob/v1.0.6/composer.json#L13

If it's possible to see a security vulnerability by installing an older version of the API with composer (not with downloading the ZIP), let me know and I can make an advisory.

So a composer/packagist based advisory does not make sense to me. I can update the releases page to unpublish or mark those releases as insecure.

I've removed the ZIP files from all releases prior to v1.0.7.

Closing this out. Please re-open if any composer-based mailchimp-api-php installations (not using require-dev) are insecure.
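Added example, not part of the issue thread or the project's code: a small audit that separates the two cases discussed above, a tree that declares PHPUnit only under `require-dev` versus a tree that actually ships it in `vendor/` (as the release ZIPs did). The function names and the sample trees, including their version strings, are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

PKG = "phpunit/phpunit"

def installed_packages(root):
    """Return {name: version} from vendor/composer/installed.json.
    Composer 1 writes a bare list; Composer 2 wraps it in {"packages": [...]}."""
    path = Path(root) / "vendor" / "composer" / "installed.json"
    if not path.is_file():
        return {}
    data = json.loads(path.read_text())
    pkgs = data.get("packages", []) if isinstance(data, dict) else data
    return {p["name"]: p.get("version", "unknown") for p in pkgs}

def audit(root):
    """Report how PHPUnit is declared and whether it is actually on disk."""
    root = Path(root)
    manifest = root / "composer.json"
    declared = "absent"
    if manifest.is_file():
        meta = json.loads(manifest.read_text())
        if PKG in meta.get("require", {}):
            declared = "require"        # would reach production installs
        elif PKG in meta.get("require-dev", {}):
            declared = "require-dev"    # skipped by `composer install --no-dev`
    installed = installed_packages(root)
    on_disk = (root / "vendor" / "phpunit" / "phpunit").is_dir()
    return {"declared": declared, "installed_version": installed.get(PKG),
            "shipped": on_disk or PKG in installed}

def make_sample(root, bundle_vendor):
    """Constructed sample tree (versions are made up, not the project's)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "composer.json").write_text(json.dumps(
        {"require": {"php": ">=5.4"}, "require-dev": {PKG: "4.8.*"}}))
    if bundle_vendor:  # what a release archive with vendor/ included looks like
        (root / "vendor" / "phpunit" / "phpunit").mkdir(parents=True)
        (root / "vendor" / "composer").mkdir(parents=True)
        (root / "vendor" / "composer" / "installed.json").write_text(
            json.dumps([{"name": PKG, "version": "4.8.0"}]))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(Path(tmp) / "zip", True)
        make_sample(Path(tmp) / "composer", False)
        print("zip:", audit(Path(tmp) / "zip"))
        print("composer --no-dev:", audit(Path(tmp) / "composer"))
```

A result with `shipped: True` on a web-reachable tree means PHPUnit is deployed regardless of how `composer.json` declares it, which is the condition the ZIP removal addresses.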