
Backport security fixes to 2.0.49.x line #20183

Merged
merged 3 commits into from
Jun 4, 2024

Conversation

rob006
Contributor

@rob006 rob006 commented Jun 3, 2024

Q A
Is bugfix? ✔️
New feature?
Breaks BC?
Fixed issues GHSA-cjcc-p67m-7qxm, GHSA-qg5r-95m4-mjgj

mtangoo and others added 3 commits June 3, 2024 21:17
* Fix: Unsafe Reflection in base Component class

* Fix style for consistency

* add changelog entry

* Fix wrong logic

* Fix exception message

* Update framework/CHANGELOG.md

---------

Co-authored-by: Stefano Mtangoo <stefano@hosannahighertech.co.tz>
Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
(cherry picked from commit 628d406)
* Hotfix: Reflected XSS in Debug mode

* Added entry for the security issue GHSA-qg5r-95m4-mjgj to the CHANGELOG

* Update CHANGELOG.md

* Update CHANGELOG.md

---------

Co-authored-by: Alexander Makarov <sam@rmcreative.ru>
(cherry picked from commit f7baab1)
(cherry picked from commit ff3aee3)
@rob006
Contributor Author

rob006 commented Jun 3, 2024

@samdark Affected versions should be updated:

For GHSA-cjcc-p67m-7qxm it should be <2.0.49.4.
For GHSA-qg5r-95m4-mjgj it should be >=2.0.43,<2.0.49.4.

Right now dependabot is proposing updating to 2.0.49.1, because it does not match current constraints.

Roave/SecurityAdvisories@a15ad81#diff-d2ab9925cad7eac58e0ff4cc0d251a937ecf49e4b6bf57f8b95aab76648a9d34R719
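As an added example (not code from this PR or the yii2 project), the Python below evaluates a Yii 2 version against the two corrected advisory ranges quoted above, using the comma-separated constraint style those advisories use; the function names are assumptions made for the example.

```python
# Added example, not part of the PR: decide which advisories still apply to
# a given yii2 version under the corrected ranges from the comment above.
import re
from typing import Dict, List, Tuple

# Corrected affected-version ranges as stated in the comment.
ADVISORIES: Dict[str, str] = {
    "GHSA-cjcc-p67m-7qxm": "<2.0.49.4",
    "GHSA-qg5r-95m4-mjgj": ">=2.0.43,<2.0.49.4",
}

_OPS = {
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
}
_CLAUSE = re.compile(r"^(>=|<=|>|<)(\d+(?:\.\d+)*)$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.0.49.1' (or 'v2.0.49') into a 4-part integer tuple.

    Padding with zeros makes '2.0.43' compare as 2.0.43.0, which is what a
    lower bound like '>=2.0.43' means for the four-part yii2 patch releases.
    """
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return parts + (0,) * (4 - len(parts))


def matches_constraint(version: str, constraint: str) -> bool:
    """True if every comma-separated clause (e.g. '>=2.0.43,<2.0.49.4') holds."""
    ver = parse_version(version)
    for clause in constraint.split(","):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


def affected_advisories(version: str, advisories: Dict[str, str] = ADVISORIES) -> List[str]:
    """Advisory ids whose affected range still contains `version`."""
    return [gid for gid, rng in advisories.items() if matches_constraint(version, rng)]
```

With these ranges, 2.0.49.1 (the version Dependabot was proposing) is still inside both advisories, while 2.0.49.4 and 2.0.50 are clear.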

@samdark samdark modified the milestone: 2.0.50.1 Jun 4, 2024
@samdark samdark merged commit 62d081f into yiisoft:2.0.49.x Jun 4, 2024
48 checks passed
@samdark
Member

samdark commented Jun 4, 2024

Thanks!

@rob006 rob006 deleted the 2.0.49.x-backport branch June 4, 2024 16:31
@jjmaun

jjmaun commented Jun 4, 2024

@samdark Does this mean there will be a 2.0.49.4 version offered up containing only the security changes? We've been following this and are holding off on updating to 2.0.50 in case a fixed version is offered with the isolated changes.

@samdark
Member

samdark commented Jun 4, 2024

Yes

@rob006
Contributor Author

rob006 commented Jun 10, 2024

@samdark Can we release this? 2.0.49.x line is security-only, there will be no more fixes, so there is no point to wait for anything.

@samdark
Member

samdark commented Jun 10, 2024

Yes.

@samdark
Member

samdark commented Jun 10, 2024

Done.
