-
Notifications
You must be signed in to change notification settings - Fork 82
More SA to ignore #3246
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
More SA to ignore #3246
Changes from all commits
a2f0232
bc5bf11
09201d9
fb84deb
1ff5fe1
80c0be8
b83315f
41a6007
2bb87ca
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -673,6 +673,7 @@ For security reasons, it's highly recommenced to update `twig/twig` and `twig/in | |||||||||
| For more information, see the following security advisories: | ||||||||||
|
|
||||||||||
| * PHP 8.0 and PHP 7.4 | ||||||||||
| * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) | ||||||||||
| * [PKSA-5k7f-wvjj-jrgw](https://packagist.org/security-advisories/PKSA-5k7f-wvjj-jrgw) | ||||||||||
| * [PKSA-sjvz-tbbr-vwth](https://packagist.org/security-advisories/PKSA-sjvz-tbbr-vwth) | ||||||||||
| * [PKSA-h8hf-ytnd-5t9q](https://packagist.org/security-advisories/PKSA-h8hf-ytnd-5t9q) | ||||||||||
|
|
@@ -690,7 +691,6 @@ For more information, see the following security advisories: | |||||||||
| * [PKSA-n7sg-8f52-pqtf](https://packagist.org/security-advisories/PKSA-n7sg-8f52-pqtf) | ||||||||||
| * [PKSA-8kk8-h2xr-h5nx](https://packagist.org/security-advisories/PKSA-8kk8-h2xr-h5nx) | ||||||||||
| * [PKSA-2rbx-bjdx-4d4d](https://packagist.org/security-advisories/PKSA-2rbx-bjdx-4d4d) | ||||||||||
| * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) | ||||||||||
| * PHP 7.4 only | ||||||||||
| * [PKSA-fbvq-z33h-r2np](https://packagist.org/security-advisories/PKSA-fbvq-z33h-r2np) | ||||||||||
| * [PKSA-g9zw-qxh8-pq8w](https://packagist.org/security-advisories/PKSA-g9zw-qxh8-pq8w) | ||||||||||
|
|
@@ -714,17 +714,13 @@ Then, update Ibexa DXP. | |||||||||
|
|
||||||||||
| If updating the Twig packages isn't possible, for example, because the project is using PHP 7.4 or 8.0 where the fixes are not available, review the security issues carefully and assess the danger. | ||||||||||
|
|
||||||||||
| If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`: | ||||||||||
| If you choose to implement countermeasures without upgrading PHP and updating Twig, you can silence the advisories in `composer.json`. For example, here for PHP 7.4: | ||||||||||
|
|
||||||||||
| ```json | ||||||||||
| "config": { | ||||||||||
| "audit": { | ||||||||||
| "ignore": { | ||||||||||
| "PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-5k7f-wvjj-jrgw": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-sjvz-tbbr-vwth": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-h8hf-ytnd-5t9q": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
|
|
@@ -742,7 +738,11 @@ If you choose to implement countermeasures without upgrading PHP and updating Tw | |||||||||
| "PKSA-n7sg-8f52-pqtf": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-8kk8-h2xr-h5nx": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-2rbx-bjdx-4d4d": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-fs5b-x5k4-1h39": "Description of the countermeasures you've implemented causing this one to be safe to ignore." | ||||||||||
| "PKSA-fbvq-z33h-r2np": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-g9zw-qxh8-pq8w": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-yd6k-t2gh-1m43": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-1tmc-rt7x-12w6": "Description of the countermeasures you've implemented causing this one to be safe to ignore.", | ||||||||||
| "PKSA-xx6c-6d96-db2w": "Description of the countermeasures you've implemented causing this one to be safe to ignore." | ||||||||||
| } | ||||||||||
| } | ||||||||||
| } | ||||||||||
|
|
@@ -752,7 +752,12 @@ In addition, consider upgrading your project to one of [the actively supported P | |||||||||
|
|
||||||||||
| ## v4.6.31 | ||||||||||
|
|
||||||||||
| No additional steps needed. | ||||||||||
| ### Security | ||||||||||
|
|
||||||||||
| To [update Twig to v3.26.0](#update-twig-to-v3260) is still highly recommended. | ||||||||||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Suggested change
|
||||||||||
| If you use PHP 8.0 or 7.4, there is one more security advisory to take into account: | ||||||||||
|
|
||||||||||
| * [PKSA-8zx5-v2nz-58pb](https://packagist.org/security-advisories/PKSA-8zx5-v2nz-58pb) | ||||||||||
|
Comment on lines
+757
to
+760
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. https://packagist.org/security-advisories/PKSA-8zx5-v2nz-58pb says that it's fixed in 3.27 -and right now I'm not sure who should update (everyone?) |
||||||||||
|
|
||||||||||
| ## LTS Updates | ||||||||||
|
|
||||||||||
|
|
@@ -1019,3 +1024,10 @@ To use the [latest features](ibexa_dxp_v4.6.md) added to them, update them separ | |||||||||
| ```bash | ||||||||||
| composer require ibexa/fieldtype-richtext-rte:[[= latest_tag_4_6 =]] ibexa/ckeditor-premium:[[= latest_tag_4_6 =]] | ||||||||||
| ``` | ||||||||||
|
|
||||||||||
| #### v4.6.30 | ||||||||||
|
|
||||||||||
| For security reason, [update `twig/cssinliner-extra` to v3.26.0](#update-twig-to-v3260). | ||||||||||
|
adriendupuis marked this conversation as resolved.
|
||||||||||
| When using Collaborative editing, this security advisories affects more PHP versions, including PHP 8.2 and older versions: | ||||||||||
|
|
||||||||||
| * [PKSA-fs5b-x5k4-1h39](https://packagist.org/security-advisories/PKSA-fs5b-x5k4-1h39) | ||||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It fixed https://github.com/ibexa/documentation-developer/actions/runs/28652048983/job/84972184814?pr=3246