LTS Version 1.7 is missing a security fix #4
Issue body:

According to https://framework.zend.com/long-term-support 1.7 is the long-term support version of zend-diactoros; however, the Symfony security scanner shows that 1.7.2 is missing the fix for the URL Rewrite vulnerability [CVE-NONE-0001]: https://framework.zend.com/security/advisory/ZF2018-01

I've tried to be helpful and backport this in https://github.com/alexpott/zend-diactoros/tree/1.7.x-CVE-NONE-0001 but I can't create a PR because there is no 1.7 release branch.

Code to reproduce the issue

Expected results

Actual results

Originally posted by @alexpott at zendframework/zend-diactoros#373

Comment from @weierophinney:

The LTS page is a bit misleading. While 1.7 is listed as the LTS version, you can safely upgrade to any other release in the 1.X series without issue, since we follow semver. Since 1.8 has received those fixes, update your version constraint to use

Originally posted by @weierophinney at zendframework/zend-diactoros#373 (comment)

Comment from @alexpott:

@weierophinney Well, if we want support until 2022-03-15 then, looking at https://framework.zend.com/long-term-support, we need to stay on 1.7, since support for 1.8 ends on 2019-09-27. Are you saying that because 1.7 is supported until 2022-03-15, and because you follow semver, 1.8 will be supported until then as well? If so, yep, the LTS page does seem misleading. But also, if there are known security issues against 1.7, what does LTS mean?

Originally posted by @alexpott at zendframework/zend-diactoros#373 (comment)

Comment from @jibran:

If we follow the release notes then the

Originally posted by @jibran at zendframework/zend-diactoros#373 (comment)

Comment from @michalbundyra:

Version 1.8 is the LTS version, not 1.7. The issue is in the table; we will try to update it shortly.

and, in the paragraph before, we have:

so, when we use

Originally posted by @michalbundyra at zendframework/zend-diactoros#373 (comment)