Clarify importance of phpseclib security release #2066
Comments
Hello @lode! Sorry to answer this so late, but this is a great question. PHPSeclib is only used in this library when verifying ID tokens using the We require a minimum of I hope this helps. Thanks!
Hi @bshaffer, thanks for the reply! And I'm sorry for the unclear link. It was a while ago now, and I don't remember the issue. I'm also a bit puzzled why I linked to 3.0.7, because indeed nothing is shown there. And in my internal issue tracking I see a mention of another version (to which I patched at that moment): https://github.com/phpseclib/phpseclib/releases/tag/3.0.19. I was notified by GitHub via GHSA-hm7p-r324-hhf3. So I'd say this repo is still using a vulnerable dependency. But I don't know if that part is used and thus needed?
This is super helpful, thank you @lode! As mentioned above, phpseclib is used in this library ONLY to verify ID tokens in I've submitted a fix to raise the minimum version here: #2499 Thanks again for providing this information!
Great, thanks for the fix!
One of the dependencies, phpseclib, just released https://github.com/phpseclib/phpseclib/releases/tag/3.0.7 which was flagged as a security release. Since I don't have enough knowledge about reviewing their changes, it would be nice if you could provide some more information on this.
E.g. how is this used? What cases does this fix? How high risk is it for this project?
And maybe adjust the dependency in composer to minimally 2.0.31/3.0.7 to confirm this is a needed/safe upgrade?
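One way to check a project's composer.lock against the minimum phpseclib versions discussed in this thread, as an added example that is not code from this issue or from the library itself. The thresholds (2.0.31 for the 2.x line, 3.0.7 for the 3.x line) are taken from the issue text, not from an advisory database, and the lock-file content is constructed for the demonstration.

```python
import json
import re

# Minimum versions per major line, taken from the issue text above
# (2.0.31 / 3.0.7). These are illustrative thresholds for the example,
# not an authoritative advisory table; adjust them to the advisory you act on.
MIN_SAFE = {2: (2, 0, 31), 3: (3, 0, 7)}


def parse_version(v):
    """Turn 'v3.0.19' or '3.0.19' into a comparable tuple (3, 0, 19)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def check_lock(lock_json, package="phpseclib/phpseclib", minimums=MIN_SAFE):
    """Return (installed_version, is_at_or_above_minimum).

    installed_version is None when the package is not in the lock file.
    A major line with no known minimum is flagged so a human reviews it.
    """
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                ver = parse_version(pkg["version"])
                floor = minimums.get(ver[0])
                if floor is None:
                    return pkg["version"], False
                return pkg["version"], ver >= floor
    return None, True


# Constructed sample lock file (not the project's real composer.lock),
# pinning a version below the threshold so the check fires.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "example/other-package", "version": "v1.2.3"},
        {"name": "phpseclib/phpseclib", "version": "3.0.5"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, ok = check_lock(SAMPLE_LOCK)
    state = "ok" if ok else "below minimum, upgrade needed"
    print(f"phpseclib/phpseclib {version}: {state}")
```

Point it at a real lock file with `check_lock(open("composer.lock").read())`; a result of `(version, False)` means the constraint in composer.json should be raised and `composer update phpseclib/phpseclib` run.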