Can we have a PHP 7.2/PHP 7.3 security release ? (CVE-2023-30536) #284
Comments
@akrabat This is a security concern, could you have a look please?
Maybe this will be temporary, but we can not stop because the vendor does not reply. It's been two weeks. Ref: slimphp/Slim-Psr7#284 Signed-off-by: William Desportes <[email protected]>
@williamdes we cannot do security releases for PHP versions we do not support anymore unfortunately. We are using typed properties in the codebase which are not supported by either PHP 7.2 or PHP 7.3. This would be an insane amount of work. If someone wants to raise the PR for it, I will gladly release it. Otherwise it's not going to happen.
We could "easily" make a branch from the last releases I mentioned, pick the security fix and release it. I can do the PRs if you validate that.
@l0gicgate What can be done is to create a branch from the tag, and then I wasn't able to do that because there are no 1.4.x and 1.5.x branches to open PRs to.
Maybe you can create them on a fork and @l0gicgate can push the tags from them.
@MauricioFauth @williamdes I will create branches for those later today that you can PR against.
Here are the branches @MauricioFauth @williamdes, feel free to raise PRs and I will release as soon as we merge. https://github.com/slimphp/Slim-Psr7/tree/1.4.x
A simple cherry-pick and it worked, tests did run perfectly (for the HeadersTest, others were failing before the PR).
Should I open another PR on 1.4 and 1.5 to fix the currently failing tests (failing before the PR)?
Here are the releases:
Thank you @MauricioFauth @williamdes for these contributions! cc: @akrabat. I am closing as resolved now; feel free to re-open if there's anything.
Thanks @l0gicgate ! 🎉 🚀 PS: The bot says (github/advisory-database#2233 (comment)) that the advisory needs a manual update here: GHSA-q2qj-628g-vhfw
Thanks for the update. I was using version 0.6 because I would like to widely support many PHP versions in many places. Thank you.
Only 7.2 is required. Line 31 in d3cea65
Since 1.4 was fixed.
See: https://github.com/phpmyadmin/phpmyadmin/actions/runs/4772858589/jobs/8485603736
It is failing because of Roave/SecurityAdvisories@39006a7
Ref: CVE-2023-30536
At phpMyAdmin we have to support PHP 7.2 on the 5.2 series. I would be most grateful if you would allow a security release to be done for PHP 7.2 versions. It looks like PHP 7.3 versions would be uncovered since 1.6 dropped them.
That would mean: