Problem/Motivation
While upgrading to Drupal core 9.4.9 we noticed the security vulnerability affecting dompdf versions lower than 2.0.1.
References:
- https://github.com/advisories/GHSA-6x28-7h8c-chx4
- https://github.com/dompdf/dompdf/issues/2994
Proposed resolution
Update the dompdf requirement of entity_print to version 2.0.1.
Note
Users running Entity Print with dompdf 1.x, and custom code that requires 1.x, will need to update to 2.x.
Here is dompdf's migration guide for that: https://github.com/dompdf/dompdf/wiki/Migration-Guide
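As an added example (not part of this issue, of Entity Print or of dompdf), here is a shell check a site maintainer can run against composer.lock to see whether the pinned dompdf is still below the 2.0.1 floor. It assumes the lock file layout Composer writes (a "name" line followed by a "version" line per package, with dompdf's version carrying its "v" tag prefix); the two lock excerpts in the block are constructed, not taken from a real site.

```shell
#!/bin/sh
# Added example for this issue, not code from the Entity Print project or from
# dompdf: report whether the dompdf/dompdf pinned in a composer.lock is below
# the 2.0.1 floor the proposed resolution requires.
# Assumptions: composer.lock is laid out the way Composer writes it, with a
# "name" line followed by a "version" line for each package, and dompdf's
# version field carries its "v" tag prefix (e.g. "v1.2.1").

# Two constructed composer.lock excerpts (not real site files): one still
# pinned to dompdf 1.2.1, one already on 2.0.1.
VULN_LOCK=$(mktemp)
FIXED_LOCK=$(mktemp)
trap 'rm -f "$VULN_LOCK" "$FIXED_LOCK"' EXIT
cat > "$VULN_LOCK" <<'EOF'
{
    "packages": [
        {
            "name": "drupal/entity_print",
            "version": "2.11.0"
        },
        {
            "name": "dompdf/dompdf",
            "version": "v1.2.1"
        }
    ]
}
EOF
sed 's/"v1.2.1"/"v2.0.1"/' "$VULN_LOCK" > "$FIXED_LOCK"

# Print the locked dompdf/dompdf version without the "v" prefix; prints nothing
# when the package is not in the lock file.
dompdf_lock_version() {
    awk '
        /"name": *"dompdf\/dompdf"/ { found = 1 }
        found && /"version":/ { gsub(/[",]/, "", $2); sub(/^v/, "", $2); print $2; exit }
    ' "$1"
}

# Compare two dotted numeric versions component by component and print
# -1, 0 or 1 for a < b, a == b, a > b. A missing component counts as 0, so
# 2.0 == 2.0.0 and 2.0 < 2.0.1; pre-release suffixes are not handled here.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && { printf '%s\n' -1; return; }
        [ "$x" -gt "$y" ] && { printf '%s\n' 1; return; }
    done
    printf '%s\n' 0
}

# Exit 0 when the lock is at or above 2.0.1, 1 when it is below (the same
# convention as "composer audit": non-zero means action needed), 2 when
# dompdf is not locked at all. Strips any "-beta1"-style suffix first.
dompdf_check() {
    lock=$1
    v=$(dompdf_lock_version "$lock")
    if [ -z "$v" ]; then
        echo "$lock: dompdf/dompdf not present"
        return 2
    fi
    if [ "$(vercmp "${v%%-*}" 2.0.1)" -lt 0 ]; then
        echo "$lock: dompdf $v is below 2.0.1 - GHSA-6x28-7h8c-chx4 applies"
        return 1
    fi
    echo "$lock: dompdf $v is at or above 2.0.1"
    return 0
}

# Demo run over both constructed lock files.
for lock in "$VULN_LOCK" "$FIXED_LOCK"; do
    dompdf_check "$lock" || :
done
```

Point dompdf_check at the site's real composer.lock; a non-zero exit is the signal that `composer update dompdf/dompdf --with-dependencies` (or updating Entity Print once the requirement bump lands) is still needed, after any custom code that depends on the 1.x API has been migrated.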
| Comment | File | Size | Author |
|---|---|---|---|
| #5 | update-minimum-version-of-dompdf-3326573-5.patch | 936 bytes | vipin.j |
| #4 | update-minimum-version-of-dompdf-3326573-4.patch | 935 bytes | vipin.j |
Comments
Comment #2
vipin.j commented
Comment #3
vipin.j commented
Comment #4
vipin.j commented
In previous versions of Entity Print, we supported both dompdf 1.x and 2.x. However, the 1.x series is no longer being updated with security patches. 2.0 fixed a security bug that remains in 1.2.1, and 2.0.1 fixes another security bug which remains in 1.2.1. This patch updates our requirement to 2.0.1 and removes support for the 1.x branch.
Comment #5
vipin.j commented
The patch in #4 needed an update.
Comment #6
larowlan commented
Thanks, we kept it relaxed because there were reports of breakage for some folks and we wanted to give them time to update custom code.
I think the time is right now, but I'll still do this as a new major.
Comment #8
vladimiraus commented
Thank you