Update Laravel database advisory #528
Conversation
|
I think this should rather be added as separate advisories linking to https://blog.laravel.com/security-laravel-62012-7303-released instead of updating the existing one while keeping the old link. |
|
Also, the version number look wrong to me. the blog post says that the fixes are in 6.10.13 and 7.30.3. If your own concerns still a different security fix released in 6.20.14, 7.30.4 and 8.24.0, this should definitely be a separate advisory with a dedicated link |
|
@stof I don't know why @taylorotwell didn't update the advisory (GHSA-3p32-j457-pg5x). But as you can see in PR laravel/framework#35972, another fix was required to address the security issue. It was tagged with the versions I specified in the this PR. |
The previous fix could be bypassed, so new versions were released.
|
The files were already moved to the correct CVE locations in #529 so this conflicts now - was there any feedback/response on creating an additional advisory / at least updating the announcement blog post? |
|
@naderman Not from an official side: laravel/framework#35972 (comment) |
|
@jaylinski Maybe instead of modifying this file, you can make a separate one for the newer versions which simplify references https://blog.laravel.com/security-laravel-62012-7303-released as a link as that's public confirmation those versions were still vulnerable? That way the existing CVE issue matches what was reported on the issue, but the newer versions are marked insecure via the yet to be created file? Thanks! |
The previous fix could be bypassed, so new versions were released.
Source: