Skip to content

Update dependency symfony/runtime to v6.4.14 [SECURITY] #1365

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Update dependency symfony/runtime to v6.4.14 [SECURITY] #1365

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
symfony/runtime (source) 6.4.0 -> 6.4.14 age confidence

GitHub Vulnerability Alerts

CVE-2024-50340

Description

When the register_argc_argv php directive is set to on , and users call any URL with a special crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request.

Resolution

The SymfonyRuntime now ignores the argv values for non-cli SAPIs PHP runtimes

The patch for this issue is available here for branch 5.4.

Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

Release Notes

symfony/runtime (symfony/runtime)

v6.4.14

Compare Source

Changelog (symfony/runtime@v6.4.13...v6.4.14)

v6.4.13

Compare Source

Changelog (symfony/runtime@v6.4.12...v6.4.13)

v6.4.12

Compare Source

Changelog (symfony/runtime@v6.4.11...v6.4.12)

  • no significant changes

v6.4.8

Compare Source

Changelog (symfony/runtime@v6.4.7...v6.4.8)

  • no significant changes

v6.4.7

Compare Source

Changelog (symfony/runtime@v6.4.6...v6.4.7)

  • no significant changes

v6.4.3

Compare Source

Changelog (symfony/runtime@v6.4.2...v6.4.3)

  • no significant changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Add or update dependencies label Nov 6, 2024
@renovate
Copy link
Contributor Author

renovate bot commented Nov 6, 2024
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: backend/composer.lock
Command failed: composer install --ignore-platform-req='ext-*' --ignore-platform-req='lib-*' --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Your lock file does not contain a compatible set of packages. Please run composer update.

  Problem 1
    - lcobucci/clock is locked to version 3.0.0 and an update of this package was not requested.
    - lcobucci/clock 3.0.0 requires php ~8.1.0 || ~8.2.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 2
    - lcobucci/jwt is locked to version 5.2.0 and an update of this package was not requested.
    - lcobucci/jwt 5.2.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 3
    - ergebnis/composer-normalize is locked to version 2.41.1 and an update of this package was not requested.
    - ergebnis/composer-normalize 2.41.1 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 4
    - ergebnis/json is locked to version 1.1.0 and an update of this package was not requested.
    - ergebnis/json 1.1.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 5
    - ergebnis/json-normalizer is locked to version 4.4.1 and an update of this package was not requested.
    - ergebnis/json-normalizer 4.4.1 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 6
    - ergebnis/json-pointer is locked to version 3.3.0 and an update of this package was not requested.
    - ergebnis/json-pointer 3.3.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 7
    - ergebnis/json-printer is locked to version 3.4.0 and an update of this package was not requested.
    - ergebnis/json-printer 3.4.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 8
    - ergebnis/json-schema-validator is locked to version 4.1.0 and an update of this package was not requested.
    - ergebnis/json-schema-validator 4.1.0 requires php ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 9
    - vimeo/psalm is locked to version 5.20.0 and an update of this package was not requested.
    - vimeo/psalm 5.20.0 requires php ^7.4 || ~8.0.0 || ~8.1.0 || ~8.2.0 || ~8.3.0 -> your php version (8.4.2) does not satisfy that requirement.
  Problem 10
    - lexik/jwt-authentication-bundle is locked to version v2.20.3 and an update of this package was not requested.
    - lcobucci/clock 3.0.0 requires php ~8.1.0 || ~8.2.0 -> your php version (8.4.2) does not satisfy that requirement.
    - lexik/jwt-authentication-bundle v2.20.3 requires lcobucci/clock ^1.2|^2.0|^3.0 -> satisfiable by lcobucci/clock[3.0.0].

@renovate renovate bot force-pushed the deps-packagist-symfony-runtime-vulnerability branch from 775abc4 to 3736379 Compare January 7, 2025 11:29
@renovate renovate bot changed the title Update dependency symfony/runtime to v6.4.14 [SECURITY] Update dependency symfony/runtime to v6.4.14 [SECURITY] - autoclosed Feb 17, 2025
@renovate renovate bot closed this Feb 17, 2025
@renovate renovate bot deleted the deps-packagist-symfony-runtime-vulnerability branch February 17, 2025 07:08
@github-actions github-actions bot locked and limited conversation to collaborators Feb 17, 2025
@renovate renovate bot changed the title Update dependency symfony/runtime to v6.4.14 [SECURITY] - autoclosed Update dependency symfony/runtime to v6.4.14 [SECURITY] Feb 17, 2025
@renovate renovate bot reopened this Feb 17, 2025
@renovate renovate bot force-pushed the deps-packagist-symfony-runtime-vulnerability branch from 95f1958 to 3736379 Compare February 17, 2025 10:30
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Add or update dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant