
[3.x]: Craft 3.x was marked as insecure after last night

Open sfsmfc opened this issue 2 years ago • 2 comments

What happened?

Can we do anything to get the 3.7.x version re-marked as secure? (see e.g. https://labs.integrity.pt/advisories/cve-2022-37246/) The solution should be to update to 3.7.51 and higher OR 4.2.1 and higher. But the solution in the CVE bulletin is only to update to 4.2.1 and higher. The fix in Craft CMS was made in https://github.com/craftcms/cms/commit/1d5fdba23c84d6d09a8a980c7b6fc52fb93b679b

How to reproduce? Run `composer update` with the active composer dev requirement `"roave/security-advisories": "dev-latest"`

Craft CMS version

3.7.x

PHP version

No response

Operating system and version

No response

Database type and version

No response

Image driver and version

No response

Installed plugins and versions

No response

sfsmfc avatar Sep 21 '22 14:09 sfsmfc

Thanks for pointing that out! It appears it was due to a few Craft 4-specific vulnerabilities added to the GitHub Advisory Database which incorrectly marked all Craft versions prior to 4.2.1 as affected, not just 4.0.0–4.2.0.2.

I’ve submitted PRs to fix:

  • github/advisory-database#696
  • github/advisory-database#697
  • github/advisory-database#698

Will leave this open until they’ve been accepted.

brandonkelly avatar Sep 21 '22 15:09 brandonkelly

I noticed this as well. The roave security advisories composer package now blocks anything below Craft 4.2 through composer. I've had to temporarily remove this from our composer file to allow composer commands to work again.

jamesmacwhite avatar Sep 21 '22 18:09 jamesmacwhite

Same here (actually opened an issue which was rightfully closed: https://github.com/Roave/SecurityAdvisories/issues/103). I think roave securityadvisories will automatically pick up the new advisories once they're accepted.

qrazi avatar Sep 22 '22 10:09 qrazi

At the moment the advisories still break any Craft CMS 3 version; currently roave securities is forcing: `>= 4.0.0-RC1, < 4.2.1|<4.2.1`

jamesmacwhite avatar Sep 22 '22 15:09 jamesmacwhite
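To see why the constraint quoted above blocked every Craft 3 install, and to check a conflict range against your pinned versions before re-adding `roave/security-advisories`, here is a small evaluator for Composer-style conflict constraints. It is an added example, not code from this thread or from the Roave project; the "fixed" constraint below is an assumption derived from the fix statement in the issue (3.7.51+ or 4.2.1+), not the literal text of the updated advisory.

```python
import re

def parse_version(v: str):
    """Turn a Composer-style version string into a comparable tuple.
    Pre-release suffixes (e.g. 4.0.0-RC1) sort before the plain release."""
    core, _, pre = v.partition("-")
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))  # Composer allows 4 parts: 4.2 -> 4.2.0.0
    # a stable release sorts after any pre-release of the same number
    return (tuple(nums), (1,) if not pre else (0, pre.upper()))

_OPS = {
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    "==": lambda a, b: a == b, "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
}
_CMP = re.compile(r"\s*(>=|<=|!=|==|>|<|=)\s*([0-9A-Za-z.\-]+)")

def is_blocked(version: str, conflict: str) -> bool:
    """True if `version` falls inside the conflict constraint.
    Alternatives are separated by '|' (or '||'); comparisons inside one
    alternative are ANDed and separated by ',' or whitespace."""
    v = parse_version(version)
    for alt in re.split(r"\|\|?", conflict):
        terms = _CMP.findall(alt.replace(",", " "))
        if terms and all(_OPS[op](v, parse_version(b)) for op, b in terms):
            return True
    return False

def blocked_versions(conflict: str, versions):
    """Return the subset of `versions` that the constraint would block."""
    return [v for v in versions if is_blocked(v, conflict)]

# Constraint as quoted in this thread: the bare "<4.2.1" branch
# catches every 3.x release, patched or not.
OLD_CONFLICT = ">= 4.0.0-RC1, < 4.2.1|<4.2.1"
# Assumed corrected form: unpatched 3.x plus the affected 4.x range only.
FIXED_CONFLICT = "<3.7.51|>=4.0.0-RC1,<4.2.1"
# Constructed sample of versions a site might have pinned.
SAMPLE = ["3.7.50", "3.7.51", "4.0.0-RC1", "4.2.0.2", "4.2.1"]

if __name__ == "__main__":
    for name, c in (("old", OLD_CONFLICT), ("fixed", FIXED_CONFLICT)):
        print(f"{name:5} blocks: {blocked_versions(c, SAMPLE)}")
```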

The reference advisory has in the meantime also been updated with 3.x version constraints: https://github.com/advisories/GHSA-mw37-wx8p-gp45, from which I now see a new patch version of Craft was released with a fix. This should mean that within a reasonable amount of time roave/securityadvisories should also be updated to reflect this.

qrazi avatar Sep 22 '22 15:09 qrazi

@qrazi Thanks. Will keep an eye out for the change to propagate through.

jamesmacwhite avatar Sep 22 '22 15:09 jamesmacwhite

There we go, landed in the securityadvisory repo: https://github.com/Roave/SecurityAdvisories/commit/ecbc17ac0817caed746a243e3805dd256be9fcdb

qrazi avatar Sep 22 '22 16:09 qrazi

Nice. Packagist shows it with the Craft CMS 3 version condition now. Should be safe to add back in without blocking composer updates.

jamesmacwhite avatar Sep 22 '22 17:09 jamesmacwhite

Yes, works for me too...

sfsmfc avatar Sep 22 '22 17:09 sfsmfc