
Security vulnerability due to abandoned padraic/phar-updater

Open · astehlik opened this issue 2 years ago · 0 comments

Expected Behavior

No security vulnerabilities are reported during composer install.

Actual Behavior

The dependency on padraic/phar-updater introduces a security vulnerability:

  • Package: padraic/humbug_get_contents
  • CVE: CVE-2016-5385
  • Title: HTTP Proxy header vulnerability
  • URL: https://github.com/humbug/file_get_contents/releases/tag/1.1.2
  • Affected versions: <1.1.2
  • Reported at: 2018-02-12T19:47:17+00:00

Steps to Reproduce the Problem

  1. Run composer require typo3/surf
  2. See the output:

    Package padraic/phar-updater is abandoned, you should avoid using it. No replacement was suggested. ... Found 1 security vulnerability advisory affecting 1 package.

  3. Running composer audit prints the table documented under "Actual Behavior"

Specifications

  • Surf Version: 8.1
  • Application: Surf
  • PHP Version: 8.1
  • Platform: Linux
  • Environment (CI): Docker
  • Deployment configuration: none

Possible solutions

  • Use an alternative tool like https://github.com/consolidation/self-update
  • Remove the self-update command and optionally suggest the usage of https://phar.io/ (and register surf in their registry)

astehlik · Oct 13 '22 08:10
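An added example, not code from the issue or from the Surf project, of how a CI job can gate on the `composer audit --format=json` output that the steps above produce: it fails the build on any advisory and, unlike a plain advisory check, also on abandoned packages such as padraic/phar-updater. The sample JSON is constructed from the advisory table in this report; its field names are an assumption about the Composer 2.x audit JSON layout and should be checked against the Composer version in use.

```python
import json
import sys

# Constructed sample in the assumed shape of `composer audit --format=json`.
# Values come from the advisory table in the report above; the key names
# ("advisories", "abandoned", "cve", "affectedVersions", ...) are assumptions.
SAMPLE_AUDIT_JSON = json.dumps({
    "advisories": {
        "padraic/humbug_get_contents": [
            {
                "advisoryId": "ADVISORY-ID-PLACEHOLDER",
                "packageName": "padraic/humbug_get_contents",
                "cve": "CVE-2016-5385",
                "title": "HTTP Proxy header vulnerability",
                "link": "https://github.com/humbug/file_get_contents/releases/tag/1.1.2",
                "affectedVersions": "<1.1.2",
                "reportedAt": "2018-02-12T19:47:17+00:00",
            }
        ]
    },
    # Abandoned packages map to their suggested replacement, or None if there is none.
    "abandoned": {"padraic/phar-updater": None},
})


def audit_findings(audit_json: str, fail_on_abandoned: bool = True) -> list[str]:
    """Return one line per finding: every advisory, plus every abandoned package if requested."""
    data = json.loads(audit_json)
    findings = []
    for package, advisories in data.get("advisories", {}).items():
        for adv in advisories:
            # Prefer the CVE; fall back to the advisory id when an advisory has no CVE.
            ident = adv.get("cve") or adv.get("advisoryId") or "no-id"
            findings.append(
                f"{package}: {ident} ({adv.get('affectedVersions', '?')}) {adv.get('title', '')}"
            )
    if fail_on_abandoned:
        for package, replacement in data.get("abandoned", {}).items():
            hint = f"replacement: {replacement}" if replacement else "no replacement suggested"
            findings.append(f"{package}: abandoned, {hint}")
    return findings


if __name__ == "__main__":
    # Pipe real output in (`composer audit --format=json | python audit_gate.py`);
    # without piped input the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_JSON
    results = audit_findings(raw)
    print("\n".join(results) if results else "composer audit: no findings")
    sys.exit(1 if results else 0)
```

Treating abandoned packages as failures is the point here: an unmaintained dependency will never receive a fix for an advisory like the one above, so the gate should surface it even before an advisory exists.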