
Can we have a PHP 7.2/PHP 7.3 security release ? (CVE-2023-30536) #284

Closed
williamdes opened this issue Apr 22, 2023 · 12 comments

Comments

@williamdes
Contributor

williamdes commented Apr 22, 2023


  Problem 1
    - slim/psr7 1.5 requires php ^7.3 || ^8.0 -> your php version (7.2.34) does not satisfy that requirement.
    - slim/psr7[1.6, ..., 1.6.1] require php ^7.4 || ^8.0 -> your php version (7.2.34) does not satisfy that requirement.
    - Root composer.json requires roave/security-advisories dev-latest -> satisfiable by roave/security-advisories[dev-latest].
    - roave/security-advisories dev-latest conflicts with slim/psr7 <1.6.1.
    - Root composer.json requires slim/psr7 ^1.4 -> satisfiable by slim/psr7[1.4, 1.5, 1.6, 1.6.1].

See: https://github.com/phpmyadmin/phpmyadmin/actions/runs/4772858589/jobs/8485603736
Is failing because of Roave/SecurityAdvisories@39006a7

Ref: CVE-2023-30536

At phpMyAdmin we have to support PHP 7.2 on the 5.2 series. I would be most grateful if you would allow a security release to be done for PHP 7.2 versions. It looks like PHP 7.3 versions would be uncovered since 1.6 dropped them.

That would mean:

  • 1.4.1 for PHP 7.2
  • 1.5.1 for PHP 7.3
@williamdes
Contributor Author

@akrabat This is a security concern, could you have a look please?

williamdes added a commit to phpmyadmin/phpmyadmin that referenced this issue May 4, 2023
Maybe this will be temporary, but we can not stop because the vendor does not reply.
It's been two weeks.

Ref: slimphp/Slim-Psr7#284

Signed-off-by: William Desportes <[email protected]>
@l0gicgate
Member

@williamdes we cannot do security releases for PHP versions we do not support anymore unfortunately.

We are using typed properties in the codebase which are not supported by either PHP 7.2 or PHP 7.3.

This would be an insane amount of work.

If someone wants to raise the PR for it, I will gladly release it. Otherwise it's not going to happen.

@williamdes
Contributor Author

> @williamdes we cannot do security releases for PHP versions we do not support anymore unfortunately.
>
> We are using typed properties in the codebase which are not supported by either PHP 7.2 or PHP 7.3.
>
> This would be an insane amount of work.
>
> If someone wants to raise the PR for it, I will gladly release it. Otherwise it's not going to happen.

We could "easily" make a branch from the last releases I mentioned, pick the security fix and release it
It's only a regex change
Seems possible, don't you think?

I can do the PRs if you validate that

@MauricioFauth
Contributor

@l0gicgate What can be done is to create a branch from the tag, and then git cherry-pick the commit 4fea29e, which is the security fix.

I wasn't able to do that because there are no 1.4.x and 1.5.x branches to open PRs to.
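The backport procedure described in this comment (cut a maintenance branch from the release tag, then cherry-pick the fix commit onto it), as an added example that is not part of this thread or of the Slim-Psr7 repository. It assumes `git` is installed and builds a throwaway repository in a temp directory: the tag `1.4.0`, the branch `1.4.x`, the file names and the three commits are constructed stand-ins, not the real tags or the real fix commit 4fea29e.

```shell
#!/bin/sh
# Added example (not code from the Slim-Psr7 project or this thread).
# Demonstrates the backport procedure: cut a maintenance branch from an
# old release tag, then cherry-pick the security fix onto it.
# The repository, tag, branch and commits are constructed in a temp dir.
set -eu

# backport_fix REPO TAG BRANCH COMMIT
# Creates BRANCH from TAG (if it does not exist yet), checks it out and
# cherry-picks COMMIT onto it. Prints the new branch head.
backport_fix() {
  repo=$1; tag=$2; branch=$3; commit=$4
  if ! git -C "$repo" show-ref --verify --quiet "refs/heads/$branch"; then
    git -C "$repo" branch "$branch" "$tag"
  fi
  git -C "$repo" checkout --quiet "$branch"
  # -x appends "(cherry picked from commit ...)" so the maintenance branch
  # records which mainline commit it carries; useful when auditing later
  # which releases actually contain a given fix.
  git -C "$repo" cherry-pick -x "$commit" >/dev/null
  git -C "$repo" rev-parse HEAD
}

# make_demo_repo: constructed history standing in for the real project:
#   tag 1.4.0 -> version bump that drops old PHP -> regex fix commit
# Prints the repository path.
make_demo_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init --quiet
  git -C "$repo" config user.email demo@example.invalid
  git -C "$repo" config user.name demo
  printf 'version=1.4.0\n' >"$repo/VERSION"
  printf 'pattern=permissive\n' >"$repo/headers.conf"
  git -C "$repo" add .
  git -C "$repo" commit --quiet -m "Release 1.4.0"
  git -C "$repo" tag 1.4.0
  printf 'version=1.6.0\n' >"$repo/VERSION"
  git -C "$repo" commit --quiet -am "Bump to 1.6.0 (requires newer PHP)"
  printf 'pattern=strict\n' >"$repo/headers.conf"
  git -C "$repo" commit --quiet -am "Fix header validation regex"
  echo "$repo"
}

# backport_demo: run the whole flow and report what landed on 1.4.x.
# The version string stays at 1.4.0 (the bump commit is not picked),
# only the fix is applied, and the cherry-pick trailer is present.
backport_demo() {
  demo_repo=$(make_demo_repo)
  fix=$(git -C "$demo_repo" rev-parse HEAD)
  new_head=$(backport_fix "$demo_repo" 1.4.0 1.4.x "$fix")
  if git -C "$demo_repo" log -1 --format=%B "$new_head" | grep -q 'cherry picked from commit'; then
    trailer=yes
  else
    trailer=no
  fi
  printf '%s %s cherry-picked=%s\n' \
    "$(cat "$demo_repo/VERSION")" "$(cat "$demo_repo/headers.conf")" "$trailer"
  rm -rf "$demo_repo"
}

if [ "${BACKPORT_DEMO:-0}" = 1 ]; then
  backport_demo
fi
```

Run with `BACKPORT_DEMO=1 sh backport.sh` to see the result line; for a real repository you would call `backport_fix` with the actual tag, branch name and fix commit hash and then push the branch and tag from there.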

@williamdes
Contributor Author

> @l0gicgate What can be done is to create a branch from the tag, and then git cherry-pick the commit 4fea29e, which is the security fix.
>
> I wasn't able to do that because there are no 1.4.x and 1.5.x branches to open PRs to.

Maybe you can create them on a fork and @l0gicgate can push the tags from them
Not needing to have a branch on the main repo as a result

@l0gicgate
Member

@MauricioFauth @williamdes I will create branches for those later today that you can PR against

@l0gicgate
Member

l0gicgate commented May 9, 2023

Here are the branches @MauricioFauth @williamdes feel free to raise PRs and I will release soon as we merge.

https://github.com/slimphp/Slim-Psr7/tree/1.4.x
https://github.com/slimphp/Slim-Psr7/tree/1.5.x

@williamdes williamdes changed the title Can we have a PHP 7.2/PHP 7.3 security release ? Can we have a PHP 7.2/PHP 7.3 security release ? (CVE-2023-30536) May 9, 2023
@williamdes
Contributor Author

williamdes commented May 9, 2023

A simple cherry-pick and it worked, tests did run perfectly (for the HeadersTest; others were failing before the PR)

Should I open another PR on 1.4 and 1.5 to fix the currently failing tests (failing before the PR) ?

@l0gicgate
Member

Here are the releases:

Thank you @MauricioFauth @williamdes for these contributions!

cc: @akrabat

I am closing as resolved now feel free to re-open if there's anything

@williamdes
Contributor Author

Thanks @l0gicgate ! 🎉 🚀

PS: The bot says (github/advisory-database#2233 (comment)) that the advisory needs a manual update here: GHSA-q2qj-628g-vhfw

@ve3

ve3 commented Jan 13, 2024

Thanks for the update. I was using version 0.6 because I wanted to widely support many PHP versions in many places.
However, I have to bump up to minimum PHP 7.4 and Slim\Psr7 version 1.6.1 due to this security reason.
The update looks great because nothing seems to have broken since 0.6, so I can continue using my code without a lot of fixes.

Thank you.

@williamdes
Contributor Author

Only 7.2 is required

"php": "^7.2 || ^8.0",

Since 1.4 was fixed


4 participants