Page MenuHomePhabricator
Create Task
Maniphest T303714

Outdated / buggy PHP version 7.4.27 used in wikibase-release-pipeline
Closed, DeclinedPublicSecurity
Actions

Description

Hi,

I refer to this repo:

https://github.com/wmde/wikibase-release-pipeline

I checked out master and noticed that the current php version is 7.4.27 (apache2handler). This contains a high security risk:

https://nvd.nist.gov/vuln/detail/CVE-2021-21708

this was fixed in 7.4.28

https://www.php.net/ChangeLog-7.php#7.4.28

Could you check this?

D063520

Event Timeline

DD063520 created this task.Mar 14 2022, 1:16 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 14 2022, 1:16 PM
Reedy closed this task as Declined.Mar 14 2022, 3:45 PM
Reedy added a project: SecTeam-Processed.
Reedy subscribed.

In the target repo, there is no pinning specifically to PHP 7.4.27. If that version is being used, it's due to the images being pulled in, which are likely updated by different upstreams.

And searching for FILTER_VALIDATE_FLOAT, that constant is not used in Wikibase repos, nor is it used in that repo.

Reedy added a project: Wikibase Suite Team.Mar 14 2022, 3:46 PM
Reedy updated the task description. (Show Details)
Reedy changed the visibility from "Custom Policy" to "Public (No Login Required)".
Reedy changed the edit policy from "Custom Policy" to "All Users".
sbassett removed a project: Security-Team.Mar 14 2022, 3:53 PM
DD063520 added a comment.Mar 14 2022, 4:24 PM

yes, I agree, it is coming from some images that are used ... still these images should be replaced, no?

Reedy added a comment.Mar 14 2022, 4:49 PM

It's not completely clear where you're looking, and as such which images are being used.

For the Wikimedia provided images we're now packaging PHP 7.4.28, and it's entirely possible that in the 12 days since the last commit to that repo, the images have already been rebuilt etc...

Aklapper renamed this task from Security risk Wikibase release to Outdated / buggy PHP version 7.4.27 used in wikibase-release-pipeline.Mar 14 2022, 5:17 PM
WMDE-leszek subscribed.Mar 14 2022, 8:14 PM
toan subscribed.Mar 15 2022, 7:43 AM
roti_WMDE moved this task from Inbox to Archive (closed) on the Wikibase Suite Team board.Sep 19 2023, 10:58 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits