Warm tip: This article is reproduced from serverfault.com, please click
php security symfony

Symfony's Prevent RCE when calling untrusted remote with CachingHttpClient error

发布于 2020-11-30 19:37:04

I got the following error when trying to do composer install --no-progress within deployment:

1 packages have known vulnerabilities.
!!  
!!  symfony/http-kernel (v5.0.7)
!!  ----------------------------
!!  
!!   * [CVE-2020-15094][]: Prevent RCE when calling untrusted remote with CachingHttpClient
!!  
!!  [CVE-2020-15094]: https://symfony.com/cve-2020-15094

Following this link provided in my error: https://symfony.com/blog/cve-2020-15094-prevent-rce-when-calling-untrusted-remote-with-cachinghttpclient

It navigates me to the following github link here: https://github.com/symfony/symfony/commit/ba3975329149cddebfe969f70b2577b0e37d1e76

What does that mean for local development and the fix associated to it? I tried following the link: src/Symfony/Component/HttpClient/Tests/CachingHttpClientTest.php

My project doesn't have that link

enter image description here

So how do I fix this issue? How does one update issues that come up moving forward? I'm using a mac set up.

Questioner
Majo0od
Viewed
0
分享
Francesco Abeni 2020-12-01 04:19:27

The best way to move forward is to update to a later Symfony version. 5.0 is not maintained anymore, you can use 5.1 or 5.2. If you are not the one responsible for updating dependencies on the project, you may want to report this to the person who is.

If you look at the page linked in the error itself (https://symfony.com/cve-2020-15094) you can read:

The issue has been fixed in Symfony 4.4.13 and 5.1.5. Symfony 4.3 and 5.0 won't be patched as they are not maintained anymore.

To update Symfony you can follow this link: https://symfony.com/doc/current/setup/upgrade_minor.html

Majo0od 2020-11-30 20:29:02

Ok that makes a lot of sense. Thank you for the great help!

热门帖子

1
关于英语学习的重要性的思考
2
这里分享一个免费的在线 PDF 总结工具: NoteGPT
3
没想到 Arc 浏览器对网络要求如此严格
4
[上海] 招中级前端开发工程师
5
澳大利亚🇦🇺归来~第一次去南半球,虽然看过很多次照片,亲临大洋路时仍觉震撼
6
Apple Watch Terminal 风格表盘
7
失业三个月,面试寥寥无几,朋友失业的也很多
8
开发了一个在线批量图片压缩网站
9
路由器批量端口映射到 NAS 的问题,求教~
10
chatgpt-4o 实时语音功能入口在哪里呀

热门github

1
Implementation of paper - YOLOv9: Learning What You Want to Learn Using Programmable Gradient Information
2
A Windows and Office activator using HWID / Ohook / KMS38 / Online KMS activation methods, with a focus on open-source code and fewer antivirus detections.
3
Get up and running with Llama 2, Mistral, Gemma, and other large language models.
4
该项目可以让你通过订阅的方式使用Cloudflare WARP+,自动获取流量。This project enables you to use Cloudflare WARP+ through subscription, automatically acquiring traffic.
5
Multi functional app to find duplicates, empty folders, similar images etc.
6
Xray panel supporting multi-protocol multi-user expire day & traffic & ip limit (Vmess & Vless & Trojan & ShadowSocks & Wireguard)
7
The Free Software Media System
8
lightweight, standalone C++ inference engine for Google's Gemma models.
9
📚 Freely available programming books
10
A collective list of free APIs
11
1️⃣🐝🏎️ The One Billion Row Challenge -- A fun exploration of how quickly 1B rows from a text file can be aggregated with Java
12
🎓 Path to a free self-taught education in Computer Science!
13
Curso para aprender el lenguaje de programación Python desde cero y para principiantes. 75 clases, 37 horas en vídeo, código, proyectos y grupo de chat. Fundamentos, frontend, backend, testing, IA...
14
This repository contains System Design resources which are useful while preparing for interviews and learning Distributed Systems
15
Mamba is a new state space model architecture showing promising performance on information-dense data such as language modeling, where previous subquadratic models fall short of Transformers. It is based on the line of progress on structured state space models, with an efficient hardware-aware design and implementation in the spirit of FlashAttention.