Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add CVE-2022-28368 for Dompdf #625

Merged
merged 1 commit into from
Apr 14, 2022
Merged

Add CVE-2022-28368 for Dompdf #625

merged 1 commit into from
Apr 14, 2022

Conversation

klausi
Copy link
Contributor

@klausi klausi commented Apr 12, 2022

Creating this manually kind of sucks.

Can we somehow import all Github security advisories like GHSA-x752-qjv4-c4hc for PHP composer projects automatically? https://github.com/advisories?query=type%3Areviewed+ecosystem%3Acomposer

stof
stof reviewed Apr 12, 2022
View reviewed changes
dompdf/dompdf/CVE-2022-28368.yaml
@@ -0,0 +1,8 @@
title: Remote code injection via remote fonts
link: https://github.com/advisories/GHSA-x752-qjv4-c4hc
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

using dompdf/dompdf#2598 as link would give more details

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would rather link to the Github advisory, they do a good job linking to all further resources like dompdf/dompdf#2598

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

but the link itself provide no details about the vulnerability if you don't go to other links

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that page gives a pretty good summary of the vulnerability? It also provides visually clear info about severity, versions and further links.

But I can change it if you want, no problem.

@klausi klausi mentioned this pull request Apr 12, 2022
Closed
@klausi
Copy link
Contributor Author

klausi commented Apr 12, 2022

Opened #626 for automating this process.

stof
stof approved these changes Apr 14, 2022
View reviewed changes
Copy link
Member

@stof stof left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, let's merge this as is.

@stof stof merged commit 904a28a into FriendsOfPHP:master Apr 14, 2022
@klausi klausi deleted the patch-1 branch April 14, 2022 09:44
@klausi
Copy link
Contributor Author

klausi commented Apr 14, 2022

Thank you, appreciated!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stof stof stof approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@klausi @stof