There is a security release for doctrine that includes annotations, cache and common.
http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vul...
composer update doctrine/common
Proposed resolution
Bring doctrine/common up to 2.4.3, annotations to 1.2.7 and cache to 1.3.2
Beta phase evaluation
| Issue category | Task because no functionality changes. |
|---|---|
| Issue priority | Major because security release |
| Comment | File | Size | Author |
|---|---|---|---|
| #21 | update_doctrine_common-2105825-21.patch | 650.32 KB | hussainweb |
| #21 | update_doctrine_common-2105825-21-do-not-test.patch | 14.89 KB | hussainweb |
| #17 | doctrine-2105825.10.patch | 588.17 KB | larowlan |
| #16 | doctrine-2105825.16.patch | 544.97 KB | larowlan |
| #16 | doctrine-2105825.do-not-test.patch | 13.84 KB | larowlan |
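As an added check (example code written here, not part of this issue or of Drupal core), the script below audits a composer.lock for the three Doctrine packages against the patched versions this issue names: common 2.4.3 on the 2.4 branch or 2.5.1 on the 2.5 branch (see #21), annotations 1.2.7 and cache 1.3.2. The composer.lock excerpt embedded in it is constructed, and the function names are my own.

```python
import json

# Patched releases per minor branch, taken from the issue summary and #21:
# the 2015-08-31 Doctrine security release corresponds to common 2.4.3 / 2.5.1,
# annotations 1.2.7 and cache 1.3.2.
FIXED = {
    "doctrine/common": ["2.4.3", "2.5.1"],
    "doctrine/annotations": ["1.2.7"],
    "doctrine/cache": ["1.3.2"],
}


def parse_version(version):
    """'v2.4.2' or '2.4.2' -> (2, 4, 2). Only tagged numeric releases are handled;
    a 'dev-master' style entry is out of scope for this check."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def check_package(name, version):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one installed package.

    Comparison is done within the same major.minor branch, so 2.5.0 is reported
    as vulnerable (2.5.1 carries the fix) instead of passing just because 2.5.0 > 2.4.3."""
    installed = parse_version(version)
    for fixed in FIXED[name]:
        fixed_version = parse_version(fixed)
        if fixed_version[:2] == installed[:2]:
            return "fixed" if installed >= fixed_version else "vulnerable"
    return "unknown-branch"  # no patched release known for this branch; review by hand


def audit_lock(lock_json):
    """Map every Doctrine package listed in a composer.lock document to its status."""
    data = json.loads(lock_json)
    return {pkg["name"]: check_package(pkg["name"], pkg["version"])
            for pkg in data.get("packages", []) if pkg["name"] in FIXED}


# Constructed composer.lock excerpt (illustrative only, not taken from Drupal core).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "doctrine/common", "version": "v2.4.2"},
    {"name": "doctrine/annotations", "version": "v1.2.1"},
    {"name": "doctrine/cache", "version": "v1.3.2"},
    {"name": "symfony/yaml", "version": "v2.7.3"},
]})

if __name__ == "__main__":
    for name, status in audit_lock(SAMPLE_LOCK).items():
        print(f"{name}: {status}")
```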
Comments
Comment #1
cosmicdreams CreditAttribution: cosmicdreams commented
I messed up other similar patches earlier today. So I'm resubmitting this one to be sure I'm submitting a patch that contains the entire update.
This issue is actually rather important because the previous version was an RC candidate and this one is 2.4.1.
Looks like some caching stuff was included.
Comment #2
cosmicdreams CreditAttribution: cosmicdreams commented
Comment #3
cosmicdreams CreditAttribution: cosmicdreams commented
Reroll because another library was updated. Upgrade to stable.
Comment #4
jhedstrom
Patch no longer applies.
Also, related #2325779: Upgrade to Doctrine v1.2.0.
Comment #5
Nitesh Sethia CreditAttribution: Nitesh Sethia as a volunteer commented
Rerolled the patch successfully.
Comment #6
Nitesh Sethia CreditAttribution: Nitesh Sethia as a volunteer commented
Rerolled the patch.
Comment #7
dawehner
Mh, the patch removes lines related to behat/mink, but never adds something like that back ... are we sure that this is something we want? (not sure either)
Comment #8
cosmicdreams CreditAttribution: cosmicdreams as a volunteer commented
This patch was first created before the inclusion of behat / mink. This patch will require more than a straight reroll in order to be accepted.
Comment #9
dawehner
Yeah this is what I thought as well.
Let's be clear, the reroll tag is confusing to start with.
Comment #10
cosmicdreams CreditAttribution: cosmicdreams as a volunteer commented
Furthermore, the current version of doctrine/common is 2.4.2. That's the most current 2.4.x version of the package.
It is more difficult to discern but I think we're using doctrine/annotations 1.2.1. That could be updated to 1.2.4 without much conflict.
So perhaps I should rename this issue to focus it better.
Comment #11
cosmicdreams CreditAttribution: cosmicdreams as a volunteer commented
Rewrote issue summary and added a beta evaluation here. This is a small task that could be knocked out at an upcoming Drupal Camp like TC Drupal Camp.
Comment #12
cosmicdreams CreditAttribution: cosmicdreams as a volunteer commented
Ha, looks like I added two beta summaries.
Comment #13
larowlan
1.2.7 is out and is a security release http://www.doctrine-project.org/2015/08/31/security_misconfiguration_vul...
Comment #14
larowlan
Closed #2493909: Update doctrine/cache to the latest stable release as duplicate.
Please add
naveenvalecha, iMiksu, edysmp
to commit credits.
Comment #15
larowlan
Comment #16
larowlan
Comment #17
larowlan
Missed new files
Comment #18
kim.pepper
This looks simple enough, and tests are green.
Comment #20
webchick
We should be able to get this in soon after tagging beta 15.
Comment #21
hussainweb
2.5.1 is out, which contains the same security fix, and we could as well try to update the minor here. I don't want to hijack this issue but it seems wasteful to create another one.
If you want to deal with that upgrade in another issue, this could go back to RTBC as per #18.
Comment #22
dawehner
+1
Well the other patch is not green anyway
Comment #23
hussainweb
Since we agree, let's update the metadata. :)
It is critical as per the parent issue (minor updates are critical).
Comment #24
naveenvalecha
Closed #2493907: Update doctrine/collections to the latest stable release as duplicate.
Already mentioned to add me and iMiksu to commit credits in #14
Comment #25
webchick
Committed and pushed to 8.0.x. Thanks!