fix patched version for CVE-2024-50342 #737

Merged
merged 1 commit into from
Nov 13, 2024

Conversation

jderusse
Contributor

No description provided.

@naderman
Contributor

@jderusse is this correct now? 😆

@naderman
Contributor

Is the referenced advisory on GitHub wrong too? GHSA-9c3x-r3wp-mgxm

@@ -21,8 +21,8 @@ branches:
time: ~
versions: ['>=5.3.0', '<5.4.0']
5.4.x:
time: 2024-11-05 08:00:00
versions: ['>=5.4.0', '<5.4.46']
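Review bot: the upper bound on the 5.4.x `versions` line, `'<5.4.46'`, is the value this PR exists to correct: the title says the patched version is being fixed, and the advisory listing quoted later in the thread gives 5.4.47 (alongside 6.4.15 and 7.1.8) as the patched releases, so the bound should read `'<5.4.47'`; with `'<5.4.46'` an installed 5.4.46 is reported as unaffected even though it predates the fix. The rendered hunk has lost its +/- markers, so confirm that `'<5.4.46'` is the removed line here, and that the matching 6.4.x and 7.1.x bounds, which fall outside this 8-line hunk, were raised in the same commit.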
Contributor


My impression is that this CVE shouldn't be edited in this PR?

@nicolas-grekas
Contributor

GHSA-9c3x-r3wp-mgxm has been updated because this is the same CVE...

@naderman
Contributor

@nicolas-grekas same CVE as what? There are two CVEs here. One was published last week from what I can tell and one hasn't gotten any published info yet, neither on GitHub nor elsewhere?

@jderusse
Contributor Author

It looks like GitHub has some replication issues:

GHSA-9c3x-r3wp-mgxm

Patched versions
5.4.46
6.4.14
7.1.7

GHSA-9c3x-r3wp-mgxm

Patched versions
5.4.47
6.4.15
7.1.8

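To make the consequence of the one-release difference between the two listings concrete, here is an added example, not code from the security-advisories repository or from any commenter, that evaluates advisory-style `versions` constraints the way a consumer of these YAML files would. The 5.3.x and 5.4.x branch data is constructed to mirror the hunk above; the `'<5.4.47'` bound is assumed to be the corrected value, and the dict-based representation stands in for the parsed YAML.

```python
"""Evaluate FriendsOfPHP-style advisory version ranges against an installed
version. Added example; the branch data is constructed, not read from the
repository, and the "after" bound assumes 5.4.47 is the corrected value."""
import re
from typing import Dict, List, Tuple

# Constructed stand-in for the `branches:` mapping of one advisory file,
# before and after the bound on the 5.4.x line is raised by one release.
BRANCHES_BEFORE: Dict[str, List[str]] = {
    "5.3.x": [">=5.3.0", "<5.4.0"],
    "5.4.x": [">=5.4.0", "<5.4.46"],
}
BRANCHES_AFTER: Dict[str, List[str]] = {
    "5.3.x": [">=5.3.0", "<5.4.0"],
    "5.4.x": [">=5.4.0", "<5.4.47"],
}

# One constraint: optional comparison operator followed by a dotted version.
_CONSTRAINT = re.compile(r"^(>=|<=|>|<|=)?\s*(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.4.46' into (5, 4, 46); pad to three parts so 5.4 == 5.4.0."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def satisfies(version: str, constraint: str) -> bool:
    """Check a single constraint such as '<5.4.46' against a version string."""
    m = _CONSTRAINT.match(constraint.strip())
    if not m:
        raise ValueError(f"unsupported constraint: {constraint!r}")
    op = m.group(1) or "="
    bound = parse_version(m.group(2))
    v = parse_version(version)
    return {
        ">=": v >= bound,
        "<=": v <= bound,
        ">": v > bound,
        "<": v < bound,
        "=": v == bound,
    }[op]


def affected_branches(version: str, branches: Dict[str, List[str]]) -> List[str]:
    """Return the branch names whose constraints all hold for `version`.
    A non-empty list means the installed version is reported as affected."""
    return [
        name
        for name, constraints in branches.items()
        if all(satisfies(version, c) for c in constraints)
    ]


def is_affected(version: str, branches: Dict[str, List[str]]) -> bool:
    """True when at least one branch range covers the installed version."""
    return bool(affected_branches(version, branches))


if __name__ == "__main__":
    # 5.4.46 flips from "not affected" to "affected" once the bound is fixed.
    for v in ("5.4.45", "5.4.46", "5.4.47"):
        print(v, "before:", is_affected(v, BRANCHES_BEFORE),
              "after:", is_affected(v, BRANCHES_AFTER))
```

The upper bound is exclusive, so it must name the first fixed release: with `'<5.4.46'` an installed 5.4.46 matches no branch and is silently reported clean, while `'<5.4.47'` catches it and still clears 5.4.47.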
jderusse changed the title from "fix fixed version for CVE-2024-50342" to "fix patched version for CVE-2024-50342" on Nov 13, 2024
@nicolas-grekas
Contributor

Which corresponds to CVE-2024-50342
Maybe some cache refresh pending

@naderman
Contributor

So any info on what CVE-2024-51996 is? Or why that got merged here without any public info available yet? I guess that's coming now?

@jderusse
Contributor Author

So any info on what CVE-2024-51996 is? Or why that got merged here without any public info available yet? I guess that's coming now?

The advisory for CVE-2024-51996 is available here GHSA-cg23-qf8f-62rr

@naderman
Contributor

Alright, PR looks fine then. Should anything else still happen before merging it?

@stof
Member

stof commented Nov 13, 2024

@jderusse GitHub does not automatically apply updates from repository-level advisories to the advisories of the global database. They import the repository-level advisories into the global database (which also imports other sources). So you would have to contribute on https://github.com/github/advisory-database/ to update the version in the global database.

@naderman naderman merged commit ae5ad79 into FriendsOfPHP:master Nov 13, 2024
1 check passed
@jderusse jderusse deleted the security-advisories-2024-03 branch November 13, 2024 15:53