Update dependency symfony/process to v5.4.46 [SECURITY]
This PR contains the following updates:
| Package | Change |
|---|---|
| symfony/process | 5.4.40 -> 5.4.46 |
GitHub Vulnerability Alerts
CVE-2024-51736
Description
On Windows, when an executable file named cmd.exe is located in the current working directory it will be called by the Process class when preparing command arguments, leading to possible hijacking.
Resolution
The Process class now uses the absolute path to cmd.exe.
The patch for this issue is available here for branch 5.4.
Credits
We would like to thank Jordi Boggiano for reporting the issue and Nicolas Grekas for providing the fix.
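As an added illustration of the resolution described above (this is not code from Symfony or from this PR): resolve the Windows shell through an absolute path instead of the bare name cmd.exe, so that a same-named file in the working directory is never picked up, and flag such a file when it is present. It assumes a standard Windows setup where the ComSpec and SystemRoot environment variables are set; the function names are the example's own.

```php
<?php
// Added example (not Symfony's code): locate cmd.exe by absolute path.
// Assumes Windows with ComSpec / SystemRoot set, PHP 7.4 or newer.

/** Absolute path to the real cmd.exe, or null if it cannot be found. */
function resolveWindowsShell(): ?string
{
    // ComSpec holds the absolute path of the command interpreter;
    // SystemRoot gives the fallback location of System32.
    $candidates = [];
    if (($comSpec = getenv('ComSpec')) !== false && $comSpec !== '') {
        $candidates[] = $comSpec;
    }
    if (($root = getenv('SystemRoot')) !== false && $root !== '') {
        $candidates[] = $root . '\\System32\\cmd.exe';
    }
    foreach ($candidates as $candidate) {
        // Reject anything that is not an absolute drive path, e.g. a
        // tampered ComSpec holding a bare or relative name.
        if (!preg_match('/^[A-Za-z]:\\\\/', $candidate)) {
            continue;
        }
        $real = realpath($candidate);
        if ($real !== false && is_file($real)) {
            return $real;
        }
    }
    return null;
}

/** Detection helper: true when a cmd.exe sits in the working directory. */
function hasShadowCmdInCwd(?string $cwd = null): bool
{
    $cwd = $cwd ?? getcwd();
    return $cwd !== false && is_file($cwd . DIRECTORY_SEPARATOR . 'cmd.exe');
}

$shell = resolveWindowsShell();
if ($shell === null) {
    fwrite(STDERR, "Could not locate cmd.exe by absolute path\n");
    exit(1);
}
if (hasShadowCmdInCwd()) {
    // Log it rather than run it: this is the exact hijack condition.
    fwrite(STDERR, 'Warning: cmd.exe present in ' . getcwd() . "\n");
}
// Handing the resolved absolute path to the process launcher means the
// current directory is never searched for the shell.
echo "Using shell: $shell\n";
```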
Release Notes
symfony/process
v5.4.46
Changelog (https://github.com/symfony/process/compare/v5.4.45...v5.4.46)
- security symfony/symfony#cve-2024-51736 [Process] Use PATH before CD to load the shell on Windows (@nicolas-grekas)
- bug symfony/symfony#58752 [Process] Fix escaping /X arguments on Windows (@nicolas-grekas)
- bug symfony/symfony#58735 [Process] Return built-in cmd.exe commands directly in ExecutableFinder (@Seldaek)
- bug symfony/symfony#58723 [Process] Properly deal with not-found executables on Windows (@nicolas-grekas)
- bug symfony/symfony#58711 [Process] Fix handling empty path found in the PATH env var with ExecutableFinder (@nicolas-grekas)
v5.4.45
Changelog (https://github.com/symfony/process/compare/v5.4.44...v5.4.45)
- no significant changes
v5.4.44
Changelog (https://github.com/symfony/process/compare/v5.4.43...v5.4.44)
- bug symfony/symfony#58291 [Process] Fix finding executables independently of open_basedir (@BlackbitDevs)
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate.