[TASK] Add security advisories for TYPO3's November 2020 releases #501
typo3/cms-core/2020-11-17-1.yaml
8.x: | ||
time: '2020-11-17 08:55:33' | ||
versions: ['>=8.7.0', '<8.7.38'] | ||
reference: 'composer://typo3/cms-core' |
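Review bot: the `reference: 'composer://typo3/cms-core'` in this 8.x branch files the advisory against the core package, while the discussion identifies the fix as releases of the standalone typo3fluid/fluid package (2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 per the quoted advisory text). A composer project that requires typo3fluid/fluid directly, without typo3/cms-core, gets no match from this entry; adding an entry under typo3fluid/fluid with one branch per fixed minor alongside this one would close that gap, and the core entry can stay for full TYPO3 installations.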
As the issue happens in typo3fluid/fluid, and typo3/cms-core does not depend on an exact version of fluid, this does not guarantee that the advisory matching is right for projects using composer.
Instead, the advisory should be assigned to the typo3fluid/fluid package itself.
typo3fluid/fluid is a totally separate thing... however typo3/cms has strong dependencies on it as well.
→ see Fluid dependency https://github.com/TYPO3/TYPO3.CMS/blob/master/composer.json#L80
→ at least 2.6.10 having the latest security fixes included
Yeah, but as the security issue is in typo3fluid/fluid (at least according to my understanding of the linked page), the advisory should be on that package, not on typo3/cms and typo3/cms-core which depend on it.
Bundled versions of typo3fluid/fluid in the TYPO3 CMS full download are not meaningful here, because composer-based installations are not relying on such bundled dependencies but on composer resolving dependencies.
at least 2.6.10 having the latest security fixes included
According to https://typo3.org/security/advisory/typo3-core-sa-2020-009/, that's not only fixed in 2.6.10 but also in patch releases for older minor versions of typo3fluid/fluid:
Update to versions 2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11 or 2.6.10 of the underlying standalone typo3fluid/fluid package.
Okay fine, so let's skip TYPO3-CORE-SA-2020-009 for this PR
You should not skip it entirely. You should create the advisory for the typo3fluid/fluid package instead.
8.x: | ||
time: '2020-11-17 08:55:33' | ||
versions: ['>=8.7.0', '<8.7.38'] | ||
reference: 'composer://typo3/cms-core' |
This looks wrong to me. The linked page says that this affects typo3/cms-fluid, not typo3/cms-core.
10.x: | ||
time: '2020-11-17 08:51:21' | ||
versions: ['>=10.0.0', '<10.4.10'] | ||
reference: 'composer://typo3/cms-core' |
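Review bot: nothing in this 10.x entry records why an advisory whose affected subcomponent is the dashboard is filed under `reference: 'composer://typo3/cms-core'`; the justification given in the discussion (every typo3/cms-* package requires an exact typo3/cms-core version, so the core version is always the installed version of every subtree-split package) is sound for composer installations but is not visible in the file. A short YAML comment naming the affected subcomponent next to the branch would spare the next reviewer the same question and make the cms-core convention discoverable from the data itself.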
should be assigned to typo3/cms-dashboard
None of the TYPO3 packages can be used without typo3/cms-core, that's the reason we're using it for these advisories. Each of the packages has the same versions since they are maintained in a monolithic repository and subtree-split into those packages. Basically we did it like that during the last few years...
Since none of these typo3/cms-* packages can be used standalone, I don't see a reason for making things more complicated here. I'm giving it up for the time being...
@ohader but is it enforced that you have the exact same version of typo3/cms-core and typo3/cms-fluid?
IIRC, the generation of these advisories has been scripted by the typo3 team based on the advisory pages. And these pages do contain that info already (see ext: core vs ext: dashboard in the Subcomponent info) so that could be extracted automatically.
Okay, let's have a quick look into that:
- https://packagist.org/packages/typo3/cms-fluid#v10.4.10 → requires typo3-core:10.4.10 (exact version, no ^, no ~)
- https://packagist.org/packages/typo3/cms-core?query=typo3%2Fcms&type=typo3-cms-framework#v10.4.10 → same for all subtree-split packages typo3/cms-*
- all(!) packages require a specific version of typo3/cms-core
All of those packages have to be used for the exact same version - as the TYPO3 core monolith is maintained and released as a whole.
I'm going to merge this one as is. If there is anything to change or tweak, another PR could be submitted.
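The whole thread turns on one mechanism: an advisory checker walks the packages in a project's composer.lock, looks up each package name in the advisory database, and tests the locked version against the branch constraints (`versions: ['>=8.7.0', '<8.7.38']`). The example below, added here and not code from this PR or from the security-advisories project, implements that matching for the comparison operators the advisory branches use and runs it over two constructed lock files: a full TYPO3 installation, where the typo3/cms-core entry fires, and a project that requires only the standalone typo3fluid/fluid, which the cms-core entry cannot see. The typo3fluid/fluid branches are constructed from the fixed versions quoted from the advisory in the thread; their lower bounds (each minor's .0 release) are an assumption, not taken from the advisory.

```python
"""Match composer.lock package versions against advisory branches written in
the FriendsOfPHP security-advisories style (versions: ['>=8.7.0', '<8.7.38'])."""
import re
from typing import Dict, List, Tuple

_OPS = {
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b,
    "<": lambda a, b: a < b,
    "=": lambda a, b: a == b,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v8.7.37' or '8.7.37' into a 4-part integer tuple so that
    versions compare numerically (8.7.38 > 8.7.9), not as strings."""
    parts = [int(p) for p in re.findall(r"\d+", version.lstrip("v"))[:4]]
    return tuple(parts + [0] * (4 - len(parts)))


def satisfies(version: str, constraints: List[str]) -> bool:
    """True if `version` meets every constraint of one advisory branch.
    Only the comparison operators used in advisory branches are supported;
    Composer's ^ and ~ ranges are deliberately not handled here."""
    v = parse_version(version)
    for constraint in constraints:
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)?\s*([\w.\-]+)\s*", constraint)
        if not m:
            raise ValueError(f"unsupported constraint: {constraint!r}")
        op = m.group(1) or "="
        if not _OPS[op](v, parse_version(m.group(2))):
            return False
    return True


# Constructed advisory data shaped like the YAML in this PR:
# package -> branch name -> list of constraints.
ADVISORIES: Dict[str, Dict[str, List[str]]] = {
    "typo3/cms-core": {
        "8.x": [">=8.7.0", "<8.7.38"],
        "10.x": [">=10.0.0", "<10.4.10"],
    },
    # The alternative the reviewers asked for: one branch per fixed release of
    # the standalone package (2.0.8, 2.1.7, 2.2.4, 2.3.7, 2.4.4, 2.5.11, 2.6.10).
    # Lower bounds are assumed to be each minor's .0 release.
    "typo3fluid/fluid": {
        "2.0.x": [">=2.0.0", "<2.0.8"],
        "2.1.x": [">=2.1.0", "<2.1.7"],
        "2.2.x": [">=2.2.0", "<2.2.4"],
        "2.3.x": [">=2.3.0", "<2.3.7"],
        "2.4.x": [">=2.4.0", "<2.4.4"],
        "2.5.x": [">=2.5.0", "<2.5.11"],
        "2.6.x": [">=2.6.0", "<2.6.10"],
    },
}


def matching_advisories(
    lock_packages: Dict[str, str],
    advisories: Dict[str, Dict[str, List[str]]] = ADVISORIES,
) -> List[Tuple[str, str]]:
    """Return (package, branch) pairs whose constraints the locked version hits.
    `lock_packages` is a name -> version map as read from composer.lock."""
    hits = []
    for name, version in lock_packages.items():
        for branch, constraints in advisories.get(name, {}).items():
            if satisfies(version, constraints):
                hits.append((name, branch))
    return hits


if __name__ == "__main__":
    # Constructed lock 1: a full TYPO3 8.7 installation. All typo3/cms-*
    # packages pin the same core version, so the cms-core entry covers them.
    cms_lock = {
        "typo3/cms-core": "8.7.37",
        "typo3/cms-fluid": "8.7.37",
        "typo3fluid/fluid": "2.6.9",
    }
    print("TYPO3 install:", matching_advisories(cms_lock))

    # Constructed lock 2: a project using only the standalone fluid package.
    fluid_only_lock = {"typo3fluid/fluid": "2.5.10"}
    core_only = {"typo3/cms-core": ADVISORIES["typo3/cms-core"]}
    print("fluid-only, cms-core advisory only:",
          matching_advisories(fluid_only_lock, core_only))
    print("fluid-only, with typo3fluid/fluid entry:",
          matching_advisories(fluid_only_lock))
```

With the advisory filed only under typo3/cms-core, the second lock produces no match at all, which is the coverage gap the reviewers raised; with the additional typo3fluid/fluid entry the same lock is flagged on the 2.5.x branch. The first lock shows why the maintainer's convention still works for full installations: the pinned core version is the version of every subtree-split package, so a single cms-core branch is enough there.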