Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion .github/workflows/code_samples.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -75,7 +75,8 @@ jobs:
"PKSA-g9zw-qxh8-pq8w": "As this is for code quality tests and not to run a production DXP, this can be ignored.",
"PKSA-yd6k-t2gh-1m43": "As this is for code quality tests and not to run a production DXP, this can be ignored.",
"PKSA-1tmc-rt7x-12w6": "As this is for code quality tests and not to run a production DXP, this can be ignored.",
"PKSA-xx6c-6d96-db2w": "As this is for code quality tests and not to run a production DXP, this can be ignored."
"PKSA-xx6c-6d96-db2w": "As this is for code quality tests and not to run a production DXP, this can be ignored.",
"PKSA-8zx5-v2nz-58pb": "As this is for code quality tests and not to run a production DXP, this can be ignored."

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

}'

- name: Ignore audit advisory for PHP 8.2
Expand Down
30 changes: 21 additions & 9 deletions docs/update_and_migration/from_4.6/update_from_4.6.md
Original file line number Diff line number Diff line change
Expand Up @@ -673,6 +673,7 @@ For security reasons, it's highly recommenced to update `twig/twig` and `twig/in
For more information, see the following security advisories:

* PHP 8.0 and PHP 7.4
* [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39)
* [PKSA-5k7f-wvjj-jrgw](https://packagist.org/security-advisories/PKSA-5k7f-wvjj-jrgw)
* [PKSA-sjvz-tbbr-vwth](https://packagist.org/security-advisories/PKSA-sjvz-tbbr-vwth)
* [PKSA-h8hf-ytnd-5t9q](https://packagist.org/security-advisories/PKSA-h8hf-ytnd-5t9q)
Expand All @@ -690,7 +691,6 @@ For more information, see the following security advisories:
* [PKSA-n7sg-8f52-pqtf](https://packagist.org/security-advisories/PKSA-n7sg-8f52-pqtf)
* [PKSA-8kk8-h2xr-h5nx](https://packagist.org/security-advisories/PKSA-8kk8-h2xr-h5nx)
* [PKSA-2rbx-bjdx-4d4d](https://packagist.org/security-advisories/PKSA-2rbx-bjdx-4d4d)
* [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39)
* PHP 7.4 only
* [PKSA-fbvq-z33h-r2np](https://packagist.org/security-advisories/PKSA-fbvq-z33h-r2np)
* [PKSA-g9zw-qxh8-pq8w](https://packagist.org/security-advisories/PKSA-g9zw-qxh8-pq8w)
Expand All @@ -714,17 +714,13 @@ Then, update Ibexa DXP.

If updating the Twig packages isn't possible, for example, because the project is using PHP 7.4 or 8.0 where the fixes are not available, review the security issues carefully and assess the danger.

If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`:
If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`. For example, here for PHP 7.4:

```json
"config": {
"audit": {
"ignore": {
"PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-5k7f-wvjj-jrgw": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-sjvz-tbbr-vwth": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-h8hf-ytnd-5t9q": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
Expand All @@ -742,7 +738,11 @@ If you choose to implement countermeasures without upgrading PHP and updating Tw
"PKSA-n7sg-8f52-pqtf": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-8kk8-h2xr-h5nx": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-2rbx-bjdx-4d4d": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore."
"PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.",
"PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore."
}
}
}
Expand All @@ -752,7 +752,12 @@ In addition, consider upgrading your project to one of [the actively supported P

## v4.6.31

No additional steps needed.
### Security

To [update Twig to v3.26.0](#update-twig-to-v3260) is still highly recommended.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To [update Twig to v3.26.0](#update-twig-to-v3260) is still highly recommended.
To [update Twig to v3.27.0](#update-twig-to-v3260) is still highly recommended.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
To [update Twig to v3.26.0](#update-twig-to-v3260) is still highly recommended.
It's recommended to update Twig to v3.27.0. You can look at how it was previously made for [Twig v3.26.0](#update-twig-to-v3260).

If you use PHP 8.0 or 7.4, there is one more security advisory to take into account:

* [PKSA-8zx5-v2nz-58pb](https://packagist.org/security-advisories/PKSA-8zx5-v2nz-58pb)
Comment on lines +757 to +760

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://packagist.org/security-advisories/PKSA-8zx5-v2nz-58pb says that it's fixed in 3.27 -and right now I'm not sure who should update (everyone?)


## LTS Updates

Expand Down Expand Up @@ -1019,3 +1024,10 @@ To use the [latest features](ibexa_dxp_v4.6.md) added to them, update them separ
```bash
composer require ibexa/fieldtype-richtext-rte:[[= latest_tag_4_6 =]] ibexa/ckeditor-premium:[[= latest_tag_4_6 =]]
```

#### v4.6.30

For security reason, [update `twig/cssinliner-extra` to v3.26.0](#update-twig-to-v3260).
Comment thread
adriendupuis marked this conversation as resolved.
When using Collaborative editing, this security advisories affects more PHP versions, including PHP 8.2 and older versions:

* [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39)
Loading