Project

General

Profile

Actions
Copy link

Task #100233

closed

Upgrade enshrined/svg-sanitize to ^0.16

Added by J. Peter M. Schuler over 1 year ago. Updated over 1 year ago.

Status:
Rejected
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2023-03-20
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

The current dependency of enshrined/svg-sanitize:^0.15.4 is marked insecure: https://github.com/advisories/GHSA-xrqq-wqh4-5hg2
As 0.15.4 is the last 0.15.x and SemVer dictates to treat ^0.15 as a major, the dependency needs to be raised to ^0.16.0 to allow installation of a secure version.

Related issues 3 (0 open3 closed)

Related to TYPO3 Core - Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15Closed2022-02-15

Actions
Related to TYPO3 Core - Bug #100234: Incorporate tests of enshrined/svg-sanitize:v0.16.0RejectedOliver Hader2023-03-21

Actions
Related to TYPO3 Core - Task #103722: Detected vulnerability with package 'enshrined/svg-sanitize' Closed2024-04-25

Actions
Actions
Copy link
 #1

Updated by J. Peter M. Schuler over 1 year ago

  • TYPO3 Version changed from 11 to 12

Relevant for 10LTS, 11LTS and 12

Actions
Copy link
 #2

Updated by J. Peter M. Schuler over 1 year ago

  • Related to Bug #96901: Upgrade enshrined/svg-sanitize to ^0.15 added
Actions
Copy link
 #3

Updated by J. Peter M. Schuler over 1 year ago

Quick hotfix to allow install:

composer req enshrined/svg-sanitize:"0.16.0 as 0.15.5" 
composer remove --dev roave/security-advisories

This would install 0.16.0, still roave needs removal as the alias 0.15.5 would be still flagged insecure, yet 0.15.5 would satisfy the core requirement.

The discussion in #96901 for the last security fix for svg-sanitize mentions that that introduced regressions. I didn't test compatibility with 0.16.0 yet.

Actions
Copy link
 #4

Updated by Gerrit Code Review over 1 year ago

  • Status changed from New to Under Review

Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions
Copy link
 #5

Updated by Gerrit Code Review over 1 year ago

Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions
Copy link
 #6

Updated by Gerrit Code Review over 1 year ago

Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions
Copy link
 #7

Updated by Oliver Hader over 1 year ago

  • Related to Bug #100234: Incorporate tests of enshrined/svg-sanitize:v0.16.0 added
Actions
Copy link
 #8

Updated by Gerrit Code Review over 1 year ago

Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions
Copy link
 #9

Updated by Gerrit Code Review over 1 year ago

Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/78191

Actions
Copy link
 #10

Updated by Oliver Hader over 1 year ago

  • Status changed from Under Review to Rejected

Not required, the CVE for v0.16.0 was rejected as well (it wasn't a security vulnerability at all).

Actions
Copy link
 #11

Updated by Lars Tode 7 months ago

  • Related to Task #103722: Detected vulnerability with package 'enshrined/svg-sanitize' added
Actions
Copy link

Also available in: Atom PDF