
Something weird is happening with regard to version constraints

Open SCIF opened this issue 1 year ago • 3 comments

Here is one of the latest commits: https://github.com/Roave/SecurityAdvisories/commit/3c621b023ec96ba669e5510067b5d4fe4a1f51e0

  1. The latest CVE is https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-50262.yaml which has a constraint <2.0.4.

  2. The message has a link to a PR that has nothing to do with dompdf.

Any idea?

SCIF (Feb 23 '24 00:02)

See:

  • https://github.com/Roave/SecurityAdvisoriesBuilder/pull/459
  • https://github.com/Roave/SecurityAdvisoriesBuilder/issues/451

Check also https://github.com/advisories for the latest updates.

Ocramius (Feb 23 '24 01:02)

I found the next security issue, but it seems like dompdf is not actually the source of the problem, as they have a wide constraint allowing but not forcing the usage of the affected version of phenx/php-svg-lib. Does it mean the GH advisory report has mentioned dompdf incorrectly, so your package reflected this wrong decision as well?

SCIF (Feb 23 '24 01:02)

Sounds like it: I would bring it up there then, as this package only follows.

Ocramius (Feb 23 '24 01:02)