Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merge release 4.0.4 into 4.1.x #788

Merged
merged 4 commits into from
Sep 28, 2021
Merged

Merge release 4.0.4 into 4.1.x #788

merged 4 commits into from
Sep 28, 2021

Conversation

github-actions[bot]
Copy link
Contributor

@github-actions github-actions bot commented Sep 28, 2021
edited by lcobucci

Release Notes for 4.0.4

This patch ships a minor security fix to prevent misuse of the LocalFileReference key.

4.0.4

  • Total issues resolved: 1
  • Total pull requests resolved: 0
  • Total contributors: 0

lcobucci and others added 4 commits September 27, 2021 15:28
@lcobucci
Fix locked version of ocramius/package-versions
80784ee 
It seems that dependabot is always using the lowest supported version of
PHP 7.4, which forces composer to install `ocramius/package-versions`
v1.9 instead of v2.1.

We'll handle this on the latest development branch.
@lcobucci @arokettu @Ocramius
Ensure key contents is used for all hashing algorithms
8175de5 
On v3.4.0 we introduced the
`Lcobucci\JWT\Signer\Key\LocalFileReference`, which was designed to be
used with OpenSSL-based algorithms and avoid having to load the file
contents into user-land to sign/verify tokens.

However, other algorithms don't understand the scheme `file://` and will
incorrectly use the file path as the signing key.

This modifies and deprecates `LocalFileReference` to avoid that
misleading behaviour.

Co-authored-by: Anton Smirnov <sandfox@sandfox.me>
Co-authored-by: Marco Pivetta <ocramius@gmail.com>
@lcobucci
Merge pull request from GHSA-7322-jrq4-x5hf
5556426 
Ensure key contents is used for all hashing algorithms
@lcobucci
Merge remote-tracking branch 'origin/4.1.x' into 4.0.x-merge-up-into-…
4a1e591 
…4.1.x_7QZpeQfq
@lcobucci lcobucci self-assigned this Sep 28, 2021
@lcobucci lcobucci added this to the 4.1.5 milestone Sep 28, 2021
@lcobucci lcobucci merged commit fe2d89f into 4.1.x Sep 28, 2021
@lcobucci lcobucci deleted the 4.0.x-merge-up-into-4.1.x_7QZpeQfq branch September 28, 2021 19:34
@github-actions github-actions bot mentioned this pull request Sep 28, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@lcobucci lcobucci

Labels
Security
Projects
None yet
Milestone
4.1.5
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@lcobucci