Skip to content

Update dependency symfony/http-client to v6.4.15 [SECURITY] #1364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency symfony/http-client to v6.4.15 [SECURITY] #1364

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
symfony/http-client (source) 6.4.2 -> 6.4.15 age confidence

GitHub Vulnerability Alerts

CVE-2024-50342

Description

When using the NoPrivateNetworkHttpClient, some internal information is still leaking during host resolution, which leads to possible IP/port enumeration.

Resolution

The NoPrivateNetworkHttpClient now filters blocked IPs earlier to prevent such leaks.

The fisrt patch for this issue is available here for branch 5.4.

The second one is available here for branch 5.4 also.

Credits

We would like to thank Linus Karlsson and Chris Smith for reporting the issue and Nicolas Grekas for providing the fix.

Release Notes

symfony/http-client (symfony/http-client)

v6.4.15

Compare Source

Changelog (symfony/http-client@v6.4.14...v6.4.15)

v6.4.14

Compare Source

Changelog (symfony/http-client@v6.4.13...v6.4.14)

v6.4.13

Compare Source

Changelog (symfony/http-client@v6.4.12...v6.4.13)

  • no significant changes

v6.4.12

Compare Source

Changelog (symfony/http-client@v6.4.11...v6.4.12)

v6.4.11

Compare Source

Changelog (symfony/http-client@v6.4.10...v6.4.11)

v6.4.10

Compare Source

Changelog (symfony/http-client@v6.4.9...v6.4.10)

  • no significant changes

v6.4.9

Compare Source

Changelog (symfony/http-client@v6.4.8...v6.4.9)

v6.4.8

Compare Source

Changelog (symfony/http-client@v6.4.7...v6.4.8)

v6.4.7

Compare Source

Changelog (symfony/http-client@v6.4.6...v6.4.7)

v6.4.6

Compare Source

Changelog (symfony/http-client@v6.4.5...v6.4.6)

v6.4.5

Compare Source

Changelog (symfony/http-client@v6.4.4...v6.4.5)

v6.4.4

Compare Source

Changelog (symfony/http-client@v6.4.3...v6.4.4)

v6.4.3

Compare Source

Changelog (symfony/http-client@v6.4.2...v6.4.3)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Add or update dependencies label Nov 6, 2024
@renovate
Copy link
Contributor Author

renovate bot commented Nov 6, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: backend/composer.lock
Command failed: composer install --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Your lock file does not contain a compatible set of packages. Please run composer update.

  Problem 1
    - lcobucci/clock is locked to version 3.0.0 and an update of this package was not requested.
    - lcobucci/clock 3.0.0 requires php ~8.1.0 || ~8.2.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 2
    - lcobucci/jwt is locked to version 5.2.0 and an update of this package was not requested.
    - lcobucci/jwt 5.2.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 3
    - ergebnis/composer-normalize is locked to version 2.41.1 and an update of this package was not requested.
    - ergebnis/composer-normalize 2.41.1 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 4
    - ergebnis/json is locked to version 1.1.0 and an update of this package was not requested.
    - ergebnis/json 1.1.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 5
    - ergebnis/json-normalizer is locked to version 4.4.1 and an update of this package was not requested.
    - ergebnis/json-normalizer 4.4.1 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 6
    - ergebnis/json-pointer is locked to version 3.3.0 and an update of this package was not requested.
    - ergebnis/json-pointer 3.3.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 7
    - ergebnis/json-printer is locked to version 3.4.0 and an update of this package was not requested.
    - ergebnis/json-printer 3.4.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 8
    - ergebnis/json-schema-validator is locked to version 4.1.0 and an update of this package was not requested.
    - ergebnis/json-schema-validator 4.1.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 9
    - vimeo/psalm is locked to version 5.20.0 and an update of this package was not requested.
    - vimeo/psalm 5.20.0 requires php ^7.4 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.5.0) does not satisfy that requirement.
  Problem 10
    - lexik/jwt-authentication-bundle is locked to version v2.20.3 and an update of this package was not requested.
    - lcobucci/clock 3.0.0 requires php ~8.1.0 || ~8.2.0 -> your php version (8.5.0) does not satisfy that requirement.
    - lexik/jwt-authentication-bundle v2.20.3 requires lcobucci/clock ^1.2|^2.0|^3.0 -> satisfiable by lcobucci/clock[3.0.0].

renovate-approve[bot]
renovate-approve bot previously approved these changes Nov 6, 2024
View reviewed changes
@renovate renovate bot force-pushed the deps-packagist-symfony-http-client-vulnerability branch from 506dcce to fc4937e Compare November 13, 2024 18:46
@renovate renovate bot changed the title Update dependency symfony/http-client to v6.4.14 [SECURITY] Update dependency symfony/http-client to v6.4.15 [SECURITY] Nov 13, 2024
@renovate renovate bot force-pushed the deps-packagist-symfony-http-client-vulnerability branch from fc4937e to bff3001 Compare January 7, 2025 11:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Add or update dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant