Add CVE-2024-4990 #724

Merged: 4 commits, Jul 30, 2024

Conversation

DBX12 (Contributor) commented Jun 3, 2024

This PR adds CVE-2024-4990 for yiisoft/yii2.

This is my first contribution; I hope I did it right, especially the branches key 😅

cve: CVE-2024-4990
branches:
    2.0.49.x:
        time: null
Contributor (review comment)

Suggested change:
time: null
time: 2024-05-30 17:23:00
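Review bot: the suggested `time: 2024-05-30 17:23:00` sits under the `2.0.49.x` key, but according to the author's reply in this thread that timestamp belongs to the commit that fixed the issue on the 2.0.50 branch (yiisoft/yii2@628d406), while the commit that landed the fix on 2.0.49.x is yiisoft/yii2@62d081f at 2024-06-04 16:23:00. If `time` is meant to record when the fix reached the named branch, the 2.0.49.x entry should carry the 62d081f timestamp; otherwise please state which meaning is intended so the value and the branch key stay consistent.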

DBX12 (Contributor, Author)

If I understood the time field correctly, it should hold the timestamp of the commit which fixed it in that branch. So if it is not for that branch, then I would go with 2024-05-30, since that was the commit yiisoft/yii2@628d406 which fixed it in the 2.0.50 branch. If that field is understood as "fixed in that branch", I would rather use 2024-06-04 16:23:00 from yiisoft/yii2@62d081f, since that was merged to branch 2.0.49.x.

Contributor

@DBX12 makes sense, can you apply that change then?

DBX12 (Contributor, Author) Jul 29, 2024

Hi @naderman, can you clarify how the time field is to be understood? :)
Edit: I misread your comment, so you can disregard that question. Also, the related CVE got updated again, so I've pushed an update.

DBX12 requested a review from naderman June 9, 2024 11:45

DBX12 (Contributor, Author) commented Jul 8, 2024

It seems like the 2.0.49.x branch got updated and version 2.0.49.4 contains the security fixes: yiisoft/yii2#20183

The security advisory got updated again.
The vulnerability was fixed with this commit: yiisoft/yii2@62d081f
naderman merged commit f7c3867 into FriendsOfPHP:master Jul 30, 2024
1 check passed

naderman (Contributor)

Thanks for all your efforts on this @DBX12 !
