diff --git a/.github/workflows/code_samples.yaml b/.github/workflows/code_samples.yaml index b0f1e22e2d..2528cd7f36 100644 --- a/.github/workflows/code_samples.yaml +++ b/.github/workflows/code_samples.yaml @@ -75,7 +75,8 @@ jobs: "PKSA-g9zw-qxh8-pq8w": "As this is for code quality tests and not to run a production DXP, this can be ignored.", "PKSA-yd6k-t2gh-1m43": "As this is for code quality tests and not to run a production DXP, this can be ignored.", "PKSA-1tmc-rt7x-12w6": "As this is for code quality tests and not to run a production DXP, this can be ignored.", - "PKSA-xx6c-6d96-db2w": "As this is for code quality tests and not to run a production DXP, this can be ignored." + "PKSA-xx6c-6d96-db2w": "As this is for code quality tests and not to run a production DXP, this can be ignored.", + "PKSA-8zx5-v2nz-58pb": "As this is for code quality tests and not to run a production DXP, this can be ignored." }' - name: Ignore audit advisory for PHP 8.2 diff --git a/docs/update_and_migration/from_4.6/update_from_4.6.md b/docs/update_and_migration/from_4.6/update_from_4.6.md index fc233f61f0..89a3677b0a 100644 --- a/docs/update_and_migration/from_4.6/update_from_4.6.md +++ b/docs/update_and_migration/from_4.6/update_from_4.6.md @@ -673,6 +673,7 @@ For security reasons, it's highly recommenced to update `twig/twig` and `twig/in For more information, see the following security advisories: * PHP 8.0 and PHP 7.4 + * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * [PKSA-5k7f-wvjj-jrgw](https://packagist.org/security-advisories/PKSA-5k7f-wvjj-jrgw) * [PKSA-sjvz-tbbr-vwth](https://packagist.org/security-advisories/PKSA-sjvz-tbbr-vwth) * [PKSA-h8hf-ytnd-5t9q](https://packagist.org/security-advisories/PKSA-h8hf-ytnd-5t9q) @@ -690,7 +691,6 @@ For more information, see the following security advisories: * [PKSA-n7sg-8f52-pqtf](https://packagist.org/security-advisories/PKSA-n7sg-8f52-pqtf) * [PKSA-8kk8-h2xr-h5nx](https://packagist.org/security-advisories/PKSA-8kk8-h2xr-h5nx) * [PKSA-2rbx-bjdx-4d4d](https://packagist.org/security-advisories/PKSA-2rbx-bjdx-4d4d) - * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) * PHP 7.4 only * [PKSA-fbvq-z33h-r2np](https://packagist.org/security-advisories/PKSA-fbvq-z33h-r2np) * [PKSA-g9zw-qxh8-pq8w](https://packagist.org/security-advisories/PKSA-g9zw-qxh8-pq8w) @@ -714,17 +714,13 @@ Then, update Ibexa DXP. If updating the Twig packages isn't possible, for example, because the project is using PHP 7.4 or 8.0 where the fixes are not available, review the security issues carefully and assess the danger. -If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`: +If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`. For example, here for PHP 7.4: ```json "config": { "audit": { "ignore": { - "PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-5k7f-wvjj-jrgw": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-sjvz-tbbr-vwth": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-h8hf-ytnd-5t9q": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", @@ -742,7 +738,11 @@ If you choose to implement countermeasures without upgrading PHP and updating Tw "PKSA-n7sg-8f52-pqtf": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-8kk8-h2xr-h5nx": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", "PKSA-2rbx-bjdx-4d4d": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", - "PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore." + "PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", + "PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore." } } } @@ -752,7 +752,12 @@ In addition, consider upgrading your project to one of [the actively supported P ## v4.6.31 -No additional steps needed. +### Security + +To [update Twig to v3.26.0](#update-twig-to-v3260) is still highly recommended. +If you use PHP 8.0 or 7.4, there is one more security advisory to take into account: + +* [PKSA-8zx5-v2nz-58pb](https://packagist.org/security-advisories/PKSA-8zx5-v2nz-58pb) ## LTS Updates @@ -1019,3 +1024,10 @@ To use the [latest features](ibexa_dxp_v4.6.md) added to them, update them separ ```bash composer require ibexa/fieldtype-richtext-rte:[[= latest_tag_4_6 =]] ibexa/ckeditor-premium:[[= latest_tag_4_6 =]] ``` + + #### v4.6.30 + + For security reason, [update `twig/cssinliner-extra` to v3.26.0](#update-twig-to-v3260). + When using Collaborative editing, this security advisories affects more PHP versions, including PHP 8.2 and older versions: + + * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39)