
Backport security fixes to 2.0.49.x line #20183

Merged (3 commits), Jun 4, 2024

Conversation

rob006 (Contributor) commented Jun 3, 2024

Q | A
--- | ---
Is bugfix? | ✔️
New feature? |
Breaks BC? |
Fixed issues | GHSA-cjcc-p67m-7qxm, GHSA-qg5r-95m4-mjgj

mtangoo and others added 3 commits June 3, 2024 21:17
* Fix: Unsafe Reflection in base Component class

* Fix style for consistency

* add changelog entry

* Fix wrong logic

* Fix exception message

* Update framework/CHANGELOG.md

---------

Co-authored-by: Stefano Mtangoo <stefano@hosannahighertech.co.tz>
Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
(cherry picked from commit 628d406)
* Hotfix: Reflected XSS in Debug mode

* Added entry for the security issue GHSA-qg5r-95m4-mjgj to the CHANGELOG

* Update CHANGELOG.md

* Update CHANGELOG.md

---------

Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
(cherry picked from commit f7baab1)
(cherry picked from commit ff3aee3)
rob006 (Contributor, Author) commented Jun 3, 2024

@samdark Affected versions should be updated:

For GHSA-cjcc-p67m-7qxm it should be <2.0.49.4.
For GHSA-qg5r-95m4-mjgj it should be >=2.0.43,<2.0.49.4.

Right now dependabot is proposing updating to 2.0.49.1, because it does not match current constraints.

Roave/SecurityAdvisories@a15ad81#diff-d2ab9925cad7eac58e0ff4cc0d251a937ecf49e4b6bf57f8b95aab76648a9d34R719

@samdark samdark modified the milestone: 2.0.50.1 Jun 4, 2024
@samdark samdark merged commit 62d081f into yiisoft:2.0.49.x Jun 4, 2024
48 checks passed
samdark (Member) commented Jun 4, 2024

Thanks!

@rob006 rob006 deleted the 2.0.49.x-backport branch June 4, 2024 16:31
jjmaun commented Jun 4, 2024

@samdark Does this mean there will be a 2.0.49.4 version offered up containing only the security changes? We've been following this and are holding off on updating to 2.0.50 in case a fixed version is offered with the isolated changes.

samdark (Member) commented Jun 4, 2024

Yes

rob006 (Contributor, Author) commented Jun 10, 2024

@samdark Can we release this? 2.0.49.x line is security-only, there will be no more fixes, so there is no point to wait for anything.

samdark (Member) commented Jun 10, 2024

Yes.

samdark (Member) commented Jun 10, 2024

Done.
