Problem/Motivation

Background from @xjm: In general, Drupal has only been updating our production branches' core/composer.json constraints for security issues if the vulnerability affects Drupal core, and only updating the lockfile if we don't expose the vulnerability.
However, the Security Team had a discussion that it might be better to actually increase the constraint as well, especially for the moment where we don't have e.g. the FriendsOfPHP security advisories as a dependency.
We're about to release 8.9.0 (an LTS) as well as 8.8.7 (the last patch release of 8.8.x) so now is a good time to do a patch-level update of a constraint for this. In particular, symfony/http-foundation had a security release in 3.4.35.

Proposed resolution

Create a patch that updates 8.9.x and 8.8.x.
Steps to create the patch:

  1. Update "symfony/http-foundation": "~3.4.27" to "~3.4.35" in core/composer.json
  2. Run COMPOSER_ROOT_VERSION=8.9.x-dev composer update drupal/core (to make sure the metapackages are updated if needed)

Remaining tasks

User interface changes

API changes

Data model changes

Release notes snippet

Comments

shaal created an issue. See original summary.

shaal’s picture

shaal’s picture

Status: Active » Needs review
FileSize
3.78 KB

Patch for 8.8.x

(COMPOSER_ROOT_VERSION=8.8.x-dev composer update drupal/core)

andypost’s picture

A few other packages need another issue to update.

xjm’s picture

@andypost Yep, just this one is the one production dependency with a security issue in the minimum allowed version. (There's dev dependencies too and other updates but we can deal with those less urgently, and I figured the specific scope would be an easier review.)

jungle’s picture

Status: Needs review » Needs work
  1. +++ b/composer.lock
    @@ -687,7 +687,7 @@
    -                "symfony/http-foundation": "~3.4.27",
    +                "symfony/http-foundation": "~3.4.35",
    
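Review bot: this hunk touches the drupal/core require entry that Composer copies into composer.lock from core/composer.json, so the constraint must be changed in core/composer.json first (step 1 of the proposed resolution) and the lock regenerated with `composer update drupal/core`; a lock line edited on its own is overwritten the next time the lock is regenerated.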

    Should we update it to 3.4.40, the latest minor release of 3.4.x? https://github.com/symfony/http-foundation/releases/tag/v3.4.40

  2. +++ b/composer.lock
    @@ -2209,6 +2224,20 @@
    +            "funding": [
    
    @@ -2281,6 +2310,20 @@
    +            "funding": [
    
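Review bot: the "funding" arrays added at @@ -2209 and @@ -2281 are unrelated to the symfony/http-foundation constraint bump and come from regenerating the lock with a Composer release that writes funding metadata; regenerate the patch with the Composer version the existing lock was produced with, or drop these two hunks, so the change stays scoped to the constraint.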

    Funding info is introduced here; it's in the scope of #3127918: Add funding info in composer.lock. Using composer 1.9.0 won't bring it here, as funding was introduced in composer 1.10.

NW for #2 at least.

Thanks!

xjm’s picture

For #6.1, our previous policy was to not increase constraints at all unless core was actually vulnerable, so I think we should keep the lowest possible version that is secure, particularly for 8.8.x. (I could go either way for 8.9.x).

I did not know about #6.2, interesting! I was wondering what that all was.

jungle’s picture

Thanks, @xjm.

Then +1 to 3.4.35

#6.2: once #3127918: Add funding info in composer.lock lands, it will be OK to use either composer 1.10.x or composer 1.9.x.

jungle’s picture

jungle’s picture

(Sorry for the noise; clicking the browser's back button might submit the form again and again.)

shaal’s picture

Status: Needs work » Needs review
FileSize
1.38 KB
21.57 KB

Thank you @jungle

Fix for 8.9.x
(I hid the interdiff because it seems to be more noise than help.)

shaal’s picture

Fix for 8.8.x
(I hid the interdiff because it seems to be more noise than help.)

jungle’s picture

Status: Needs review » Reviewed & tested by the community
< +            "bin": [
< +                "bin/composer"
< +            ],

Manually ran the steps in the IS again and confirmed that the only diff between #11 and #12 is the bin thing. It goes back and forth like a ghost; I think we are good with or without it.

So the two patches in #11 and #12 are RTBC to me.

jungle’s picture

One thing: composer-lock-diff outputs nothing for me.

But composer show symfony/http-foundation did say the version is v3.4.35, so perhaps something is wrong with composer-lock-diff itself.

alexpott’s picture

Version: 8.9.x-dev » 8.8.x-dev
Status: Reviewed & tested by the community » Fixed

Committed c198171 and pushed to 8.9.x. Thanks!
Committed c8a8761 and pushed to 8.8.x. Thanks!

@jungle lock-diff is telling you nothing because the lock file has not changed. What's changed here is the minimum version we support. The version installed for 8.8.x and 8.9.x is already v3.4.35 or greater.

  • alexpott committed c198171 on 8.9.x
    Issue #3143722 by shaal, jungle, xjm: Update symfony/http-foundation to...

  • alexpott committed c8a8761 on 8.8.x
    Issue #3143722 by shaal, jungle, xjm: Update symfony/http-foundation to...
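
The two checks this issue turns on, that the minimum version a tilde constraint admits is at least the fixed release, and that the already-locked version still satisfies the raised constraint so the lock file does not change (steps 1 and 2 of the proposed resolution, and @alexpott's explanation of the empty lock-diff), as an added example that is not part of this issue, of Drupal or of Composer. It reimplements only a small subset of Composer's constraint syntax (tilde, caret and >=) and runs on constructed excerpts of core/composer.json and composer.lock; the function names and sample data are the example's own.

```python
"""Audit a Composer dependency: is the minimum allowed version at least the
fixed release, and does the locked version satisfy the (new) constraint?

Added example; not Drupal or Composer code.  Only tilde, caret and >=
constraints are handled, a deliberate subset of Composer's real syntax.
"""
import json
import re

# Constructed excerpt of core/composer.json after the bump in this issue.
CORE_COMPOSER_JSON = json.dumps({
    "name": "drupal/core",
    "require": {"symfony/http-foundation": "~3.4.35"},
})

# Constructed excerpt of composer.lock: what is actually installed.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-foundation", "version": "v3.4.35"},
    ],
})


def parse_version(text):
    """'v3.4.35' -> (3, 4, 35); a leading 'v' and any suffix are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if m is None:
        raise ValueError("unparseable version: %r" % text)
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def constraint_range(constraint):
    """Return (lower_inclusive, upper_exclusive_or_None) for one constraint.

    ~3.4.35 means >=3.4.35 <3.5.0 and ~3.4 means >=3.4.0 <4.0.0;
    ^1.2.3 means >=1.2.3 <2.0.0 (or <0.3.0 for a 0.x major); >=X is open-ended.
    """
    c = constraint.strip()
    if c.startswith("~"):
        parts = [int(p) for p in c[1:].split(".")]
        lower = parse_version(c[1:])
        upper = parts[:-1]          # drop the last given component ...
        upper[-1] += 1              # ... and bump the one before it
        upper = tuple(upper) + (0,) * (3 - len(upper))
        return lower, upper[:3]
    if c.startswith("^"):
        lower = parse_version(c[1:])
        major, minor, _ = lower
        upper = (major + 1, 0, 0) if major > 0 else (0, minor + 1, 0)
        return lower, upper
    if c.startswith(">="):
        return parse_version(c[2:]), None
    raise ValueError("unsupported constraint form: %r" % constraint)


def satisfies(version, constraint):
    """True if the concrete version lies inside the constraint's range."""
    v = parse_version(version)
    lower, upper = constraint_range(constraint)
    return v >= lower and (upper is None or v < upper)


def minimum_is_fixed(constraint, fixed_version):
    """True if every version the constraint admits is >= fixed_version,
    i.e. no install resolving this constraint can pick a vulnerable release."""
    lower, _ = constraint_range(constraint)
    return lower >= parse_version(fixed_version)


def audit(composer_json_text, lock_text, package, fixed_version):
    """Combine both checks for one package.  If lock_satisfies is True the
    constraint bump needs no lock change, which is why a lock diff is empty."""
    constraint = json.loads(composer_json_text)["require"][package]
    locked = next(p["version"] for p in json.loads(lock_text)["packages"]
                  if p["name"] == package)
    return {
        "constraint": constraint,
        "locked": locked,
        "minimum_secure": minimum_is_fixed(constraint, fixed_version),
        "lock_satisfies": satisfies(locked, constraint),
    }


if __name__ == "__main__":
    # Before and after the bump: the old floor admits vulnerable releases,
    # the new one does not, and the locked v3.4.35 satisfies both.
    for constraint in ("~3.4.27", "~3.4.35"):
        cj = json.dumps({"name": "drupal/core",
                         "require": {"symfony/http-foundation": constraint}})
        print(constraint, audit(cj, COMPOSER_LOCK,
                                "symfony/http-foundation", "3.4.35"))
```

Run against real files by reading core/composer.json and composer.lock from disk instead of the constructed strings; `minimum_secure` is the property the Security Team discussion above is about (what `composer update` may resolve to on a fresh install), while `lock_satisfies` is what `composer-lock-diff` looks at.
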
jungle’s picture

Thanks, @alexpott, that explains it.

xjm’s picture

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.