[go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T207221

wikimedia/wikimania-scholarships has vulnerable dependencies
Closed, ResolvedPublic
Actions

Description

https://integration.wikimedia.org/ci/job/php-composer-security-docker/7/console

Hosted at https://scholarships.wikimedia.org/apply

14:44:56 Security Report
14:44:56 ===============
14:44:56 
14:44:56 The checker detected 1 package(s) that have known* vulnerabilities in
14:44:56 your project. We recommend you to check the related security advisories
14:44:56 and upgrade these dependencies.
14:44:56 
14:44:56 phpmailer/phpmailer (v5.2.9)
14:44:56 ----------------------------
14:44:56 
14:44:56 CVE-2016-10033: Remote Code Execution
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.18
14:44:56 
14:44:56 CVE-2017-5223: Local File Disclosure
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.22
14:44:56 
14:44:56 CVE-2017-11503: XSS vulnerability in code example
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.24
14:44:56 
14:44:56 CVE-2015-8476: Multiple CRLF injection vulnerabilities
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14
14:44:56 
14:44:56 CVE-2016-10045: Remote Code Execution
14:44:56                https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.20
14:44:56 
14:44:56 
14:44:56 * Disclaimer: This checker can only detect vulnerabilities that are referenced
14:44:56               in the security advisories database.
14:44:56               https://github.com/FriendsOfPHP/security-advisories

Details

SubjectRepoBranchLines +/-
Update vendor dependencieswikimedia/wikimania-scholarshipsmaster+23 K -16 K
Customize query in gerrit

Event Timeline

Legoktm created this task.Oct 16 2018, 9:55 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptOct 16 2018, 9:55 PM
Legoktm added a subscriber: bd808.Oct 16 2018, 9:55 PM
Aklapper added a project: Wikimedia-Wikimania-Scholarships.Oct 17 2018, 5:47 PM
Bawolff added subscribers: eyoung, Niharika, KTC and 5 others.Nov 9 2018, 1:30 AM

Ping

MartinRulsch added a comment.Nov 9 2018, 8:40 AM

I don't know how I can help here. I only used this tool but never had access to its code. I don't understand the error log either. ;-)

Bawolff added a comment.Nov 9 2018, 12:26 PM
In T207221#4734426, @MartinRulsch wrote:

I don't know how I can help here. I only used this tool but never had access to its code. I don't understand the error log either. ;-)

Thats ok. I just subscribed everyone on phab who was listed as a member of the "project" as security tasks are restricted but i wanted to make sure anyone potentially involved could see it.

KTC added a comment.Nov 9 2018, 12:31 PM

I think someone need to update the package under \wikimania-scholarships\vendor\phpmailer\phpmailer and make sure nothing are broken by it?

bd808 added a comment.Nov 9 2018, 10:03 PM

I will poke at this in my "volunteer" time over the long weekend.

bd808 claimed this task.Nov 30 2018, 3:15 AM
bd808 added a project: Patch-For-Review.

https://gerrit.wikimedia.org/r/#/c/wikimedia/wikimania-scholarships/+/476799/

Niharika added a comment.Nov 30 2018, 7:50 PM

Thanks @bd808. @Bawolff do you want to run another report to make sure this is fixed?

sbassett subscribed.Nov 30 2018, 8:12 PM

@Niharika - just ran the wikimedia-apps-php-security job against scholarships and slimapp in jenkins. First time I've ever done that, but it looks like they came back clean:

https://integration.wikimedia.org/ci/job/wikimedia-apps-php-security/46/console

(as opposed to iegreview, which still fails with CVEs reported)

Niharika closed this task as Resolved.Nov 30 2018, 8:23 PM

Thanks @sbassett! Closing this task. I accepted the iegreview one (D1128) but I believe it still needs to be landed by bd808.

bd808 reopened this task as Open.Nov 30 2018, 9:27 PM

Reopening because these fixes are in git, but not deployed yet.

bd808 closed this task as Resolved.Feb 19 2019, 1:46 AM

Updates have been deployed into production

Legoktm changed the visibility from "Custom Policy" to "Public (No Login Required)".Feb 19 2019, 3:19 AM
chasemp added a project: Security.Feb 10 2020, 10:51 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:12 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits