
[SECURITY] Update typo3/cms-core to v12.4.25 - closed #396

Closed

Conversation


@renovate renovate bot commented Jan 14, 2025

This PR contains the following updates:

| Package                 | Change             |
| ----------------------- | ------------------ |
| typo3/cms-core (source) | 12.4.24 -> 12.4.25 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


TYPO3 Potential Open Redirect via Parsing Differences

CVE-2024-55892 / GHSA-2fx5-pggv-6jjr


Problem

Applications that use TYPO3\CMS\Core\Http\Uri to parse externally provided URLs (e.g., via a query parameter) and validate the host of the parsed URL may be vulnerable to open redirect or SSRF attacks if the URL is used after passing the validation checks.

Solution

Update to TYPO3 versions 9.5.49 ELTS, 10.4.48 ELTS, 11.5.42 ELTS, 12.4.25 LTS, 13.4.3 LTS that fix the problem described.

Credits

Thanks to Sam Mush who reported this issue and to TYPO3 core & security team member Benjamin Franzke who fixed the issue.

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
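The advisory quoted in the PR description describes a parser-differential bug class: the application parses an attacker-supplied URL, checks the parsed host against an allow-list, and then uses the original string, which a browser or HTTP client parses by different rules. The following is an added example that is not part of the PR, the advisory, or TYPO3's code; it models the class in Python rather than PHP. The allow-list, the simplified browser-style host lookup in `whatwg_like_host`, and the crafted input in `demo()` are all assumptions for illustration. The backslash discrepancy it uses is a well-known difference between RFC 3986-style and WHATWG-style parsers and is not claimed to be the specific difference fixed in CVE-2024-55892.

```python
"""Parser-differential open redirect / SSRF, modelled in Python (added example).

Pattern the advisory warns about: validate the host with one URL parser, then hand
the ORIGINAL string to a consumer (browser, HTTP client) that parses it differently.
The backslash discrepancy below is a well-known example of such a difference; it is
an assumption for illustration, not the specific difference fixed in TYPO3.
"""
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = {"example.org", "www.example.org"}   # assumed allow-list
SPECIAL_SCHEMES = ("http", "https")


def whatwg_like_host(raw_url: str) -> Optional[str]:
    """Simplified model of a browser-style (WHATWG) host lookup for http(s) URLs.

    Assumption for this example: the authority ends at the first '/', '\\', '?' or '#'
    (WHATWG treats backslash like slash for these schemes), the host is whatever
    follows the last '@' in the authority, and a trailing ':port' is dropped.
    IPv6 literals and percent-decoding are deliberately not modelled.
    """
    scheme, sep, rest = raw_url.partition("://")
    if not sep or scheme.lower() not in SPECIAL_SCHEMES:
        return None
    end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "/\\?#":
            end = i
            break
    authority = rest[:end]
    host = authority.rpartition("@")[2].split(":")[0].lower()
    return host or None


def redirect_target_vulnerable(raw_url: str) -> Optional[str]:
    """Validate with urllib (RFC 3986-style), then return the raw string unchanged."""
    parts = urlsplit(raw_url)
    if parts.scheme not in SPECIAL_SCHEMES or parts.hostname not in ALLOWED_HOSTS:
        return None
    return raw_url   # the consumer re-parses this with its own rules


def redirect_target_hardened(raw_url: str) -> Optional[str]:
    """Same allow-list check, with three extra guards:
    1. refuse characters parsers are known to disagree on (backslash, whitespace, non-ASCII);
    2. refuse userinfo entirely and require a second parser to agree on the host;
    3. rebuild the result from validated components instead of echoing the input."""
    if any(ch in raw_url for ch in "\\\t\r\n ") or not raw_url.isascii():
        return None
    parts = urlsplit(raw_url)
    if parts.scheme not in SPECIAL_SCHEMES:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname
    if host not in ALLOWED_HOSTS or whatwg_like_host(raw_url) != host:
        return None
    try:
        port = parts.port           # raises ValueError on a non-numeric port
    except ValueError:
        return None
    netloc = host if port is None else f"{host}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def demo() -> dict:
    """Constructed sample input: looks like example.org to urllib, evil.com to a browser."""
    crafted = "http://evil.com\\@example.org/login"
    return {
        "validator_host": urlsplit(crafted).hostname,
        "consumer_host": whatwg_like_host(crafted),
        "vulnerable": redirect_target_vulnerable(crafted),
        "hardened": redirect_target_hardened(crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the hardened variant is not the backslash filter on its own but the combination: the redirect target is rebuilt from the components that were actually validated, userinfo (the usual carrier of host confusion) is refused outright, and a second parser has to agree on the host before the URL is used. Any one of those would have stopped the crafted input above; together they also cover discrepancies this example does not model.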

@renovate renovate bot added the dependencies Updates project dependencies label Jan 14, 2025

renovate bot commented Jan 14, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: composer.lock
Command failed: composer update typo3/cms-core:12.4.25 --with-dependencies --ignore-platform-req ext-intl --no-ansi --no-interaction --no-scripts --no-autoloader --no-plugins
Loading composer repositories with package information
Dependency psr/event-dispatcher is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency psr/http-message is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency psr/log is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/config is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/dependency-injection is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/finder is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency typo3fluid/fluid is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Dependency symfony/event-dispatcher is also a root requirement. Package has not been listed as an update argument, so keeping locked at old version. Use --with-all-dependencies (-W) to include root dependencies.
Updating dependencies
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - Root composer.json requires typo3/cms-core ~12.4.11, found typo3/cms-core[v12.4.11, ..., v12.4.25] but these were not loaded, likely because it conflicts with another require.
  Problem 2
    - typo3/cms-extbase is locked to version v12.4.24 and an update of this package was not requested.
    - typo3/cms-extbase v12.4.24 requires typo3/cms-core 12.4.24 -> found typo3/cms-core[v12.4.24] but it conflicts with your temporary update constraint (typo3/cms-core:12.4.25).
  Problem 3
    - typo3/cms-fluid is locked to version v12.4.24 and an update of this package was not requested.
    - typo3/cms-fluid v12.4.24 requires typo3/cms-core 12.4.24 -> found typo3/cms-core[v12.4.24] but it conflicts with your temporary update constraint (typo3/cms-core:12.4.25).
  Problem 4
    - typo3/cms-frontend is locked to version v12.4.24 and an update of this package was not requested.
    - typo3/cms-frontend v12.4.24 requires typo3/cms-core 12.4.24 -> found typo3/cms-core[v12.4.24] but it conflicts with your temporary update constraint (typo3/cms-core:12.4.25).
  Problem 5
    - Root composer.json requires cpsit/typo3-handlebars-test-extension 1.0.0 -> satisfiable by cpsit/typo3-handlebars-test-extension[1.0.0].
    - cpsit/typo3-handlebars-test-extension 1.0.0 requires typo3/cms-core * -> found typo3/cms-core[v8.7.7, ..., v8.7.32, v9.0.0, ..., v9.5.31, v10.0.0, ..., v10.4.37, v11.0.0, ..., v11.5.41, v12.0.0, ..., v12.4.25, v13.0.0, ..., v13.4.3] but these were not loaded, likely because it conflicts with another require.
  Problem 6
    - saschaegerer/phpstan-typo3 is locked to version 1.10.2 and an update of this package was not requested.
    - saschaegerer/phpstan-typo3 1.10.2 requires typo3/cms-core ^11.5 || ^12.4 || ^13.0 -> found typo3/cms-core[v11.5.0, ..., v11.5.41, v12.4.0, ..., v12.4.25, v13.0.0, ..., v13.4.3] but these were not loaded, likely because it conflicts with another require.
  Problem 7
    - typo3/testing-framework is locked to version 8.2.7 and an update of this package was not requested.
    - typo3/testing-framework 8.2.7 requires typo3/cms-core 12.*.*@dev || 13.*.*@dev -> found typo3/cms-core[v12.0.0, ..., v12.4.25, v13.0.0, ..., v13.4.3] but these were not loaded, likely because it conflicts with another require.

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.


coveralls commented Jan 14, 2025

Pull Request Test Coverage Report for Build 12784339781

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 93.697%

Totals Coverage Status
Change from base Build 12784319552: 0.0%
Covered Lines: 892
Relevant Lines: 952

💛 - Coveralls

| datasource | package        | from    | to      |
| ---------- | -------------- | ------- | ------- |
| packagist  | typo3/cms-core | 12.4.24 | 12.4.25 |
| packagist  | typo3/cms-core | 8.7.7   | 12.4.25 |
@renovate renovate bot force-pushed the renovate/packagist-typo3-cms-core-vulnerability branch from 02e7fae to 0a6b91b Compare January 15, 2025 08:28
@eliashaeussler eliashaeussler changed the title [SECURITY] Update typo3/cms-core to v12.4.25 [SECURITY] Update typo3/cms-core to v12.4.25 - closed Jan 15, 2025
@eliashaeussler eliashaeussler deleted the renovate/packagist-typo3-cms-core-vulnerability branch January 15, 2025 08:34