This repository has been archived by the owner on Jan 29, 2020. It is now read-only.

LTS Version 1.7 is missing a security fix #373

Open
2 tasks done
alexpott opened this issue Oct 17, 2019 · 5 comments

Comments

@alexpott

  • I was not able to find an open or closed issue matching what I'm seeing.
  • This is not a question. (Questions should be asked on chat (Signup here) or our forums.)

According to https://framework.zend.com/long-term-support, 1.7 is the long-term support version of zend-diactoros; however, the Symfony security scanner shows that 1.7.2 is missing the fix for the URL Rewrite vulnerability [CVE-NONE-0001]: https://framework.zend.com/security/advisory/ZF2018-01

I've tried to be helpful and backport this in https://github.com/alexpott/zend-diactoros/tree/1.7.x-CVE-NONE-0001 but I can't create a PR because there is no 1.7 release branch.

Code to reproduce the issue

        <?php
        require 'vendor/autoload.php'; // Composer autoloader for zend-diactoros
        use Zend\Diactoros\ServerRequestFactory;

        // $_SERVER-style array with a client-supplied X-Original-URL header.
        $server = [
            'REQUEST_URI' => 'https://example.com/requested/path',
            'HTTP_X_ORIGINAL_URL' => '/hijack-attempt'
        ];
        $path = ServerRequestFactory::marshalRequestUri($server);

Expected results

        $path === '/requested/path';

Actual results

        $path === '/hijack-attempt';
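
The behaviour reported above, as an added illustration that is not zend-diactoros code: a simplified marshal function that honours a client-supplied X-Original-URL header, beside a hardened form that derives the path only from REQUEST_URI. The function names and the `check` helper are hypothetical; the input array is constructed to mirror the reproduction case.

```php
<?php
// Added illustration, not zend-diactoros code: a simplified model of deriving
// the request path from $_SERVER, in the vulnerable and the hardened form.
declare(strict_types=1);

/** Strip scheme and authority so only the path (and any query) remains. */
function pathFromUri(string $uri): string
{
    return preg_replace('#^[^/:]+://[^/]+#', '', $uri) ?? $uri;
}

/** Vulnerable form: a client-controlled header may replace REQUEST_URI. */
function marshalRequestUriVulnerable(array $server): string
{
    $requestUri = $server['REQUEST_URI'] ?? '/';
    // HTTP_X_ORIGINAL_URL is populated from a request header, so any client
    // can set it; honouring it lets the routed path differ from the one requested.
    if (isset($server['HTTP_X_ORIGINAL_URL'])) {
        $requestUri = $server['HTTP_X_ORIGINAL_URL'];
    }
    return pathFromUri($requestUri);
}

/** Hardened form: use only variables the web server itself sets. */
function marshalRequestUriHardened(array $server): string
{
    return pathFromUri($server['REQUEST_URI'] ?? '/');
}

/** Hypothetical helper: throw on a failed check so the script exits non-zero. */
function check(bool $condition, string $label): void
{
    if (! $condition) {
        throw new RuntimeException("check failed: {$label}");
    }
}

// Constructed input mirroring the reproduction case in the issue.
$server = [
    'REQUEST_URI'         => 'https://example.com/requested/path',
    'HTTP_X_ORIGINAL_URL' => '/hijack-attempt',
];

check(marshalRequestUriVulnerable($server) === '/hijack-attempt', 'vulnerable form honours the header');
check(marshalRequestUriHardened($server) === '/requested/path', 'hardened form ignores the header');
// A request without the header resolves identically in both forms.
check(marshalRequestUriHardened(['REQUEST_URI' => '/a?b=1']) === '/a?b=1', 'plain request');
echo "all checks passed\n";
```
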
@weierophinney
Member

The LTS page is a bit misleading. While 1.7 is listed as the LTS version, you can safely upgrade to any other release in the 1.X series without issue since we follow semver. Since 1.8 has received those fixes, update your version constraint to use ^1.7 (which will get anything from 1.7.0 forward in the 1.X series).

@alexpott
Author

@weierophinney Well, if we want support until 2022-03-15 then, looking at https://framework.zend.com/long-term-support, we need to stay on 1.7, since support for 1.8 ends on 2019-09-27.

Are you saying that because 1.7 is supported until 2022-03-15, and because you follow semver, 1.8 will be supported till then as well? If so, yep, the LTS page does seem misleading.

But also if there are known security issues against 1.7 what does LTS mean?

@jibran

jibran commented Oct 24, 2019

If we follow the release notes, then the release-1.8 branch has not received any changes other than the fixes since September last year, so I think we can assume 1.8 is an LTS as well, but yeah, having an actual confirmation will help.

@michalbundyra
Member

@jibran @alexpott

Version 1.8 is the LTS version, not 1.7. The issue is in the table - we will try to update it shortly.
Please note that there is a paragraph on how to adopt an LTS version:

Adopting an LTS version

Opting-in to an LTS version of a component can be done using Composer:

$ composer require "{package}:^{version}"

The above will modify your composer.json to provide a semantic version constraint, ensuring you only get backwards-compatible updates to the given package.

and, in the paragraph before, we have:

During the LTS period, all direct dependencies of the skeleton will receive security support in the latest versions possible under the version constraints as listed in the skeleton application's composer.json file.

so, when we use ^1.7.0, version 1.8 will be installed as well, and this one should be marked as LTS.

@weierophinney
Member

This repository has been closed and moved to laminas/laminas-diactoros; a new issue has been opened at laminas/laminas-diactoros#4.
