Dependency to vulnerable phpseclib package

Created on 11 July 2024, 4 months ago

Updated 6 August 2024, 4 months ago

Steps to reproduce

Run composer audit

You'll see the phpseclib/phpseclib package as a dependency with vulnerable version

+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| Severity          | high                                                                             |
| CVE               | CVE-2024-27354                                                                   |
| Title             | phpseclib a large prime can cause a denial of service                            |
| URL               | https://github.com/advisories/GHSA-hg35-mp25-qf6h                                |
| Affected versions | >=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23                                  |
| Reported at       | 2024-03-02T00:31:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | phpseclib/phpseclib                                                              |
| Severity          | high                                                                             |
| CVE               | CVE-2024-27355                                                                   |
| Title             | phpseclib does not properly limit the ASN1 OID length                            |
| URL               | https://github.com/advisories/GHSA-jr22-8qgm-4q87                                |
| Affected versions | >=3.0.0,<3.0.36|>=2.0.0,<2.0.47|>=1.0.0,<1.0.23                                  |
| Reported at       | 2024-03-02T00:31:33+00:00                                                        |
+-------------------+----------------------------------------------------------------------------------+

Proposed resolution

Update composer to use newer version of the phpseclib/phpseclib library eg.: ^3.0.36

🐛 Bug report

Status

Fixed

Version

1.1

Component

Code

Created by

🇬🇧United Kingdom endrukk

Live updates comments and jobs are added and updated live.

Comments & Activities

Issue created by @endrukk
Comment 4 months ago →
🇬🇧United Kingdom endrukk
Comment 4 months ago →
🇬🇧United Kingdom endrukk
Here is a patch that requires a higher version of the dependency.
Status changed to Needs review 4 months ago4:13pm 11 July 2024
Comment 4 months ago →
🇬🇧United Kingdom endrukk

Comment 4 months ago →

System Message

59cb5b72 committed on 1.x

Issue #3460836 by endrukk, John Franklin: Update composer.json to use...

Status changed to Fixed 4 months ago3:02pm 23 July 2024
Comment 4 months ago →
🇺🇸United States John Franklin
Fixed, thanks for the patch!
Comment 4 months ago →
🇺🇸United States John Franklin
Comment 4 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024