Problem/Motivation

Symfony has made a security release of symfony/serializer. After coordinating with their security team we decided that the release does not represent a risk to core code or known contrib code, so we are releasing the updates to the metapackages as a regular patch release.

Proposed resolution

composer update --with=phpunit/phpunit:^8 -W

Remaining tasks

User interface changes

None

API changes

None

Data model changes

None

Release notes snippet

@todo


Comments

alexpott created an issue. See original summary.

alexpott

Status: Active » Needs review
FileSize: 38 KB

alexpott

Here's the minimum patch for 9.2.x

Running https://github.com/fabpot/local-php-security-checker/releases shows

Symfony Security Check Report
=============================

2 packages have known vulnerabilities.

composer/composer (2.1.0)
-------------------------

 * [CVE-2021-41116][]: Improper escaping of command arguments on Windows leading to command injection

symfony/serializer (v4.4.25)
----------------------------

 * [CVE-2021-41270][]: Prevent CSV Injection via formulas

[CVE-2021-41116]: https://github.com/composer/composer/security/advisories/GHSA-frqg-7g38-6gcf
[CVE-2021-41270]: https://symfony.com/cve-2021-41270

Note that this checker can only detect vulnerabilities that are referenced in the security advisories database.
Execute this command regularly to check the newly discovered vulnerabilities.

In order to update composer (a dev dependency) to a secure version we need to update justinrainbow/json-schema too.
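The checker output above only reports a package once the advisory database lists it. As an added illustration (not Drupal, Symfony or Composer code), the script below performs the same kind of comparison offline: it reads a composer.lock, compares each pinned version against a table of "vulnerable below this version" floors, and reports the hits, covering dev dependencies as well since composer/composer is one. The composer.lock and the advisory table are constructed for the example from the versions quoted in this thread (2.1.9 for composer/composer from the why-not output, 4.4.35 for symfony/serializer from the update table); the "fixed-in" floor format is an assumption of the example, not the advisory database's own schema.

```python
"""Flag composer.lock packages that sit below a known fixed version.

Added example for this issue; not Drupal, Symfony or Composer code.
The lock file and advisory table are constructed from versions quoted
in the thread, and the one-floor-per-advisory range shape is an
assumption made here for illustration.
"""
import json
import re

# Constructed composer.lock fragment using the versions from comment #3.
COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/serializer", "version": "v4.4.25"},
        {"name": "symfony/console", "version": "v4.4.33"},
    ],
    "packages-dev": [
        {"name": "composer/composer", "version": "2.1.0"},
        {"name": "justinrainbow/json-schema", "version": "5.2.10"},
    ],
})

# Constructed advisory table: package -> [(advisory id, vulnerable if below)].
ADVISORIES = {
    "composer/composer": [("CVE-2021-41116", "2.1.9")],
    "symfony/serializer": [("CVE-2021-41270", "4.4.35")],
}


def parse_version(version):
    """Turn 'v4.4.35', '5.4.0-RC1' or '2.1.9' into a comparable tuple.

    A leading 'v' is ignored and a pre-release suffix sorts below the final
    release with the same numbers, so v5.4.0-BETA2 < v5.4.0-RC1 < v5.4.0.
    """
    version = version.lstrip("vV")
    match = re.match(r"^(\d+(?:\.\d+)*)(?:-(.+))?$", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))  # pad 4.4 to 4.4.0
    suffix = match.group(2)
    # (1, "") ranks a final release above any (0, "RC1")-style pre-release.
    return numbers + ((1, "") if suffix is None else (0, suffix.upper()))


def audit(lock_json, advisories, include_dev=True):
    """Return (package, installed, advisory id, fixed in) for every hit."""
    lock = json.loads(lock_json)
    sections = ["packages"] + (["packages-dev"] if include_dev else [])
    findings = []
    for section in sections:
        for package in lock.get(section, []):
            for advisory_id, fixed_in in advisories.get(package["name"], []):
                if parse_version(package["version"]) < parse_version(fixed_in):
                    findings.append(
                        (package["name"], package["version"], advisory_id, fixed_in)
                    )
    return findings


def report(findings):
    """Render findings in a layout similar to the checker output above."""
    if not findings:
        return "No packages have known vulnerabilities."
    lines = [f"{len(findings)} package(s) have known vulnerabilities.", ""]
    for name, installed, advisory_id, fixed_in in findings:
        lines.append(f"{name} ({installed})")
        lines.append(f" * {advisory_id}: fixed in {fixed_in}")
        lines.append("")
    return "\n".join(lines).rstrip()


if __name__ == "__main__":
    print(report(audit(COMPOSER_LOCK, ADVISORIES)))
```

Running it with the constructed lock file reports composer/composer and symfony/serializer, matching the two hits in the checker output; passing include_dev=False drops the composer/composer finding, which is why the thread treats the dev dependency separately.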

alexpott

Here's the same patch as #3 for 9.1.x as that is still security supported.

alexpott

FWIW Symfony 3 is not affected so Drupal 8.9 is not either.

alexpott

Title: Update dependencies for 9.3.x/9.4.x » Update dependencies for 9.1.x/9.2.x/9.3.x/9.4.x
FileSize: 11.89 KB

Ah #4 didn't update composer/composer for the security issue on 9.1.x. Because:

$ composer why-not composer/composer 2.1.9
composer/composer  2.1.9      requires          composer/xdebug-handler (^2.0)
drupal/drupal      9.1.x-dev  does not require  composer/xdebug-handler (but 1.4.4 is installed)

So bumping composer/xdebug-handler too.

The last submitted patch, 2: 3251000-2.patch, failed testing.

alexpott

Oh yep, now that we're using SF 5 release candidates we can bump minimum stability on 9.3.x and 9.4.x.

The last submitted patch, 3: 3251000-9.2.x-3.patch, failed testing.

The last submitted patch, 6: 3251000-9.1.x-6.patch, failed testing.

andypost

Looks ready to go

+------------------------------------+--------------+------------+
| Production Changes                 | From         | To         |
+------------------------------------+--------------+------------+
| symfony/console                    | v4.4.33      | v4.4.34    |
| symfony/dependency-injection       | v4.4.33      | v4.4.34    |
| symfony/deprecation-contracts      | v2.4.0       | v2.5.0     |
| symfony/error-handler              | v4.4.30      | v4.4.34    |
| symfony/event-dispatcher           | v4.4.30      | v4.4.34    |
| symfony/event-dispatcher-contracts | v1.1.9       | v1.1.11    |
| symfony/http-client-contracts      | v2.4.0       | v2.5.0     |
| symfony/http-foundation            | v4.4.33      | v4.4.34    |
| symfony/http-kernel                | v4.4.33      | v4.4.35    |
| symfony/mime                       | v5.4.0-BETA1 | v5.4.0-RC1 |
| symfony/process                    | v4.4.30      | v4.4.35    |
| symfony/routing                    | v4.4.30      | v4.4.34    |
| symfony/serializer                 | v4.4.33      | v4.4.35    |
| symfony/service-contracts          | v2.4.0       | v2.5.0     |
| symfony/translation                | v4.4.32      | v4.4.34    |
| symfony/translation-contracts      | v2.4.0       | v2.5.0     |
| symfony/validator                  | v4.4.33      | v4.4.35    |
| symfony/var-dumper                 | v5.4.0-BETA2 | v5.4.0-RC1 |
| symfony/yaml                       | v4.4.29      | v4.4.34    |
+------------------------------------+--------------+------------+

+------------------------+--------------+------------+
| Dev Changes            | From         | To         |
+------------------------+--------------+------------+
| composer/spdx-licenses | 1.5.5        | 1.5.6      |
| symfony/phpunit-bridge | v5.4.0-BETA2 | v5.4.0-RC1 |
+------------------------+--------------+------------+
alexpott

  • catch committed 2ed1f62 on 9.3.x
    Issue #3251000 by alexpott, andypost: Update dependencies for 9.1.x/9.2....
catch

The 9.3.x and 9.4.x patches are in, waiting for the bot on 9.2.x and 9.1.x

  • catch committed 1b9983e on 9.4.x
    Issue #3251000 by alexpott, andypost: Update dependencies for 9.1.x/9.2....

  • catch committed fb699ef on 9.2.x
    Issue #3251000 by alexpott, andypost: Update dependencies for 9.1.x/9.2....

  • catch committed 0612b4c on 9.1.x
    Issue #3251000 by alexpott, andypost: Update dependencies for 9.1.x/9.2....
catch

Version: 9.3.x-dev » 9.1.x-dev

Alright that's everything into 9.4, 9.3, 9.2, and 9.1 respectively. 9.0 is out of support. 8.9 is both out of support and unaffected anyway.

catch

Status: Reviewed & tested by the community » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.