Problem/Motivation

Symfony 4.4.13 has been released.

Also please see CVE-2020-15094: Prevent RCE when calling untrusted remote with CachingHttpClient

Proposed resolution

Upgrade Symfony components on 9.0.x branch from 4.4.7 to 4.4.13.
Upgrade Symfony components on 9.1.x branch from 4.4.12 to 4.4.13.


Comments

suzymasri created an issue. See original summary.

suzymasri: (issue summary updated)

xjm:

Priority: Normal » Major

Note that core is not vulnerable to this issue, so we've agreed this update can be handled in public. The main annoyance is automated security testing failing because of the attached http-kernel update.

Dane Powell:

I think this should be considered major or critical and requires an immediate core release to upgrade symfony/http-kernel.

My understanding is that best practice is for end users to require drupal/core-recommended instead of drupal/core. This pins symfony/http-kernel to a vulnerable version with no way for end users to override it. *

This means that out of the box, all new Drupal sites built on drupal/recommended-project (which also depends on drupal/core-recommended) will also be affected, with no possibility of making them secure without a new release.

This is partially mitigated if the vulnerability doesn't actually affect Drupal, but this will still wreak havoc given how many users probably make use of automated security scans and Composer security advisories.

* technically you might be able to use Composer version aliases in your composer.json or fork drupal/core-recommended or something to override it, but let's not go there
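A small check for the situation described above, added here as an example (not code from this issue or from Drupal core): it reads a composer.lock, finds the locked symfony/http-kernel entry in either package section, and reports whether it sits below the 4.4.13 fix release named on this page. The lock fragment is constructed for the demonstration and mirrors the 9.0.x case (http-kernel pinned at v4.4.7).

```python
import json

# Package and fix version taken from this issue (CVE-2020-15094 fixed in 4.4.13).
PACKAGE = "symfony/http-kernel"
FIXED = (4, 4, 13)

# Constructed composer.lock fragment (not a real lock file): http-kernel is
# pinned at v4.4.7, the version the 9.0.x branch was on before this update.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/http-kernel", "version": "v4.4.7"},
    ],
    "packages-dev": [
        {"name": "symfony/phpunit-bridge", "version": "v4.4.7"},
    ],
})


def parse_version(tag):
    """Turn a Composer tag such as 'v4.4.7' into a comparable tuple of ints.
    Symfony tags carry a leading 'v'; pre-release suffixes like '-BETA1' are dropped."""
    core = tag.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def find_pinned(lock_text, package=PACKAGE):
    """Return the locked version string for `package`, or None if it is absent.
    Both the production and the dev section of composer.lock are inspected."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for entry in lock.get(section, []):
            if entry.get("name") == package:
                return entry["version"]
    return None


def needs_update(lock_text, fixed=FIXED):
    """True when the lock file pins PACKAGE to a release older than `fixed`."""
    pinned = find_pinned(lock_text)
    if pinned is None:
        return False  # package not installed at all, nothing to update
    return parse_version(pinned) < fixed


if __name__ == "__main__":
    locked = find_pinned(SAMPLE_LOCK)
    print(f"{PACKAGE} locked at {locked}; below 4.4.13: {needs_update(SAMPLE_LOCK)}")
```

Run it against a real lock file by replacing SAMPLE_LOCK with the contents of your project's composer.lock; a True result means the pinned http-kernel predates the fix.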

xjm:

9.1.x also needs its own patch apparently.

longwave:

Status: Needs review » Reviewed & tested by the community

I checked each of the patches and the 9.1/9.0/8.9 patches contain the minimum set of changes required to upgrade the package in question.

The 8.8 patch contains additional funding information as it was created with Composer 1.10 and the previous lock file must have been created with Composer 1.9, but this won't affect anything and it is probably better to be consistent.

Therefore this is RTBC assuming the tests pass.

xjm:

Version: 9.0.x-dev » 8.8.x-dev

  • catch committed 6ca8fda on 9.1.x
    Issue #3168763 by xjm, suzymasri, longwave: Update Symfony to 4.4.13 to...

  • catch committed b0599cf on 9.0.x
    Issue #3168763 by xjm, suzymasri, longwave: Update Symfony to 4.4.13 to...

  • catch committed ad1b6e1 on 8.9.x
    Issue #3168763 by xjm, suzymasri, longwave: Update Symfony to 4.4.13 to...

  • catch committed 64315df on 8.8.x
    Issue #3168763 by xjm, suzymasri, longwave: Update Symfony to 4.4.13 to...

catch:

Status: Reviewed & tested by the community » Fixed

Committed/pushed the respective patches to all four branches.

timmillwood:

I think it'd be nice to add Roave/SecurityAdvisories library to Drupal core, so created #3168853: Add Roave/SecurityAdvisories to Drupal core to discuss.

longwave:

Just realised that this only updates symfony/http-kernel and not all of Symfony as per the title, but I suppose this is a technicality, we don't need point releases to be in sync as far as I know (unless a bug fix relies on another bug fix in a related component, I suppose).

xjm:

Title: Update Symfony to 4.4.13 to address CVE-2020-15094 » Update Symfony http-kernel to 4.4.13 to address CVE-2020-15094
Issue tags: +Needs followup

@longwave, we generally limit the updates we do in patch releases to the affected component(s). We can have a further update of Symfony in 9.1.

Tagging "Needs followup" for that, since #3157296: Upgrade dependencies prior to 9.1.0 just updated Symfony components to 4.4.12.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.