Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge release 4.1.5 into 4.2.x #789

Merged
merged 6 commits into from Sep 28, 2021
Merged

Merge release 4.1.5 into 4.2.x #789

merged 6 commits into from Sep 28, 2021

Conversation

github-actions[bot]
Copy link
Contributor

Release Notes for 4.1.5

This patch ships a minor security fix to prevent misuse of the LocalFileReference key.

4.1.5

  • Total issues resolved: 0
  • Total pull requests resolved: 1
  • Total contributors: 1

Security

lcobucci and others added 6 commits September 27, 2021 15:28
@lcobucci
Fix locked version of ocramius/package-versions
80784ee 
It seems that dependabot is always using the lowest supported version of
PHP 7.4, which forces composer to install `ocramius/package-versions`
v1.9 instead of v2.1.

We'll handle this on the latest development branch.
@lcobucci @arokettu @Ocramius
Ensure key contents is used for all hashing algorithms
8175de5 
On v3.4.0 we introduced the
`Lcobucci\JWT\Signer\Key\LocalFileReference`, which was designed to be
used with OpenSSL-based algorithms and avoid having to load the file
contents into user-land to sign/verify tokens.

However, other algorithms don't understand the scheme `file://` and will
incorrectly use the file path as the signing key.

This modifies and deprecates `LocalFileReference` to avoid that
misleading behaviour.

Co-authored-by: Anton Smirnov <sandfox@sandfox.me>
Co-authored-by: Marco Pivetta <ocramius@gmail.com>
@lcobucci
Merge pull request from GHSA-7322-jrq4-x5hf
5556426 
Ensure key contents is used for all hashing algorithms
@lcobucci
Merge remote-tracking branch 'origin/4.1.x' into 4.0.x-merge-up-into-…
4a1e591 
…4.1.x_7QZpeQfq
@lcobucci
Merge pull request #788 from lcobucci/4.0.x-merge-up-into-4.1.x_7QZpeQfq
fe2d89f 
Merge release 4.0.4 into 4.1.x
@lcobucci
Merge remote-tracking branch 'origin/4.2.x' into 4.1.x-merge-up-into-…
c4b756a 
…4.2.x_2wDOtBHX
@lcobucci lcobucci self-assigned this Sep 28, 2021
@lcobucci lcobucci added this to the 4.2.0 milestone Sep 28, 2021
@lcobucci lcobucci merged commit 3b3fbeb into 4.2.x Sep 28, 2021
@lcobucci lcobucci deleted the 4.1.x-merge-up-into-4.2.x_2wDOtBHX branch September 28, 2021 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@lcobucci lcobucci

Labels
Security
Projects
None yet
Milestone
4.2.0
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@lcobucci