
Security check fail with "padraic/humbug_get_contents" old version 1.0.4

Open charlesc-ai opened this issue 7 years ago • 6 comments

Hello, I have noticed an issue recently: the package "padraic/phar-updater" requires "padraic/humbug_get_contents" version 1.0.4 and not the newest version 1.1.2, which creates a failure in the security check.

Are you going to update the package "padraic/phar-updater" to solve this issue?

Thanks in advance.


Symfony Security Check Report

// Checked file: /my_project/apache/volume/composer.lock

[ERROR] 1 packages have known vulnerabilities.

padraic/humbug_get_contents (1.0.4)

  • CVE-2016-5385: HTTP Proxy header vulnerability https://github.com/humbug/file_get_contents/releases/tag/1.1.2

! [NOTE] This checker can only detect vulnerabilities that are referenced in
! the SensioLabs security advisories database. Execute this command
! regularly to check the newly discovered vulnerabilities.

Loaded config default from ".php_cs.dist".

charlesc-ai avatar Feb 19 '18 16:02 charlesc-ai

Hi, the package should be permissive enough to allow you to upgrade to humbug/file_get_contents 1.1.2 as the constraint is ^1.0.

So what you should do here is to update your dependencies. You can force Composer to not install those vulnerable dependencies by requiring Roave SecurityAdvisories.

theofidry avatar Feb 19 '18 18:02 theofidry
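As an added illustration of the two suggestions in the comment above (not part of the original thread, and not a file from the phar-updater project): a composer.json fragment for a consuming project that keeps the `^1.0` constraint on the dependency and additionally requires Roave SecurityAdvisories. The package name `roave/security-advisories` and the `dev-master` branch alias are assumed here as the conventional way to install it at the time; the project name and other entries are constructed.

```json
{
    "name": "example/my-project",
    "require": {
        "padraic/phar-updater": "^1.0"
    },
    "require-dev": {
        "roave/security-advisories": "dev-master"
    },
    "config": {
        "sort-packages": true
    }
}
```

The `^1.0` constraint on the downstream dependency is what lets `composer update padraic/humbug_get_contents` move from 1.0.4 to 1.1.2 once Packagist publishes a phar-updater release with that constraint; the `roave/security-advisories` entry is a metapackage whose `conflict` section lists versions with published advisories, so `composer update` refuses to resolve to the vulnerable 1.0.4 instead of silently keeping it.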

Hi, the package should be permissive enough to allow you to upgrade to humbug/file_get_contents 1.1.2 as the constraint is ^1.0.

GitHub might think that, but Packagist doesn't:

[Screenshot: Packagist page for padraic/phar-updater, 2018-02-19]

@theofidry I think you might need to click "Update" on Packagist, at least, until it shows the right constraint. (Maybe the 1.0.4 tag was force-pushed on this repo?)

pjcdawkins avatar Feb 19 '18 21:02 pjcdawkins

Erf, indeed it looks like there is quite a difference between the last release and master. I'll try to update that ASAP.

theofidry avatar Feb 19 '18 23:02 theofidry

Done. Please upgrade to 1.0.5.

However, keep in mind that if you are stuck on PHP 5.3, this won't work. Indeed, newer versions of padraic/file_get_contents are not compatible with 5.3.

theofidry avatar Feb 20 '18 01:02 theofidry

Thanks @theofidry!

pjcdawkins avatar Feb 20 '18 13:02 pjcdawkins

@theofidry Thanks, it works! I just needed to update both packages with "composer require padraic/phar-updater" and "composer require padraic/file_get_contents". Have a nice day!

charlesc-ai avatar Feb 22 '18 09:02 charlesc-ai