fix(deps): update dependency symfony/runtime to 6.4.* [security] #12

Merged
jank merged 1 commit from renovate/packagist-symfony-runtime-vulnerability into main 2025-08-21 07:38:58 +00:00

This PR contains the following updates:

Package: symfony/runtime (https://symfony.com; source: https://github.com/symfony/runtime)
Change: 6.3.* -> 6.4.* (the Mend badges compare the locked 6.3.2 with 6.4.14)
Age / Adoption / Passing / Confidence: Mend merge-confidence badges for 6.4.14 (https://docs.renovatebot.com/merge-confidence/)

Symfony allows changing the environment through a query

CVE-2024-50340 / GHSA-x8vp-gf4q-mw5j

Details

Description

When the register_argc_argv PHP directive is set to on and a user calls any URL with a specially crafted query string, they are able to change the environment or debug mode used by the kernel when handling the request. With that directive enabled, PHP also fills $_SERVER['argv'] from the query string of a web request (split on '+'), and SymfonyRuntime parsed those values for its --env / -e and --no-debug options exactly as it does on the command line.

Resolution

The SymfonyRuntime now ignores the argv values for non-CLI PHP SAPIs.

The patch for this issue is available at https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa for branch 5.4.
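As an added illustration for this PR (not code from the advisory or from symfony/runtime), the PHP script below models the mechanism end to end: how register_argc_argv=On turns a query string into $_SERVER['argv'], how --env / --no-debug parsing then changes what the kernel boots with, and how gating that parsing on the SAPI closes the hole. The option names are the ones SymfonyRuntime reads; the SAPI allow-list, the simplified APP_DEBUG derivation rule and all function names are this example's assumptions.

```php
<?php
// Constructed illustration for this PR, not code from symfony/runtime.
// Models (a) how register_argc_argv=On turns a query string into
// $_SERVER['argv'] and (b) how --env / --no-debug parsing then alters the
// kernel environment, with the SAPI gate that the fix introduces.
// The SAPI allow-list and the APP_DEBUG rule are simplifications (assumed).

declare(strict_types=1);

/** Mirrors PHP: for a web request, argv is the raw query string split on '+'. */
function argvFromQueryString(string $queryString): array
{
    return '' === $queryString ? [] : explode('+', $queryString);
}

/**
 * Stand-in for the ArgvInput lookups the runtime performs:
 * --env=<name>, --env <name>, -e <name>, --no-debug.
 * Returns ['env' => ?string, 'noDebug' => bool].
 */
function parseRuntimeOptions(array $argv): array
{
    $env = null;
    $noDebug = false;
    for ($i = 0, $n = \count($argv); $i < $n; ++$i) {
        $arg = $argv[$i];
        if (str_starts_with($arg, '--env=')) {
            $env = substr($arg, \strlen('--env='));
        } elseif (\in_array($arg, ['--env', '-e'], true) && isset($argv[$i + 1])) {
            $env = $argv[++$i];
        } elseif ('--no-debug' === $arg) {
            $noDebug = true;
        }
    }

    return ['env' => $env, 'noDebug' => $noDebug];
}

/**
 * Resolve [APP_ENV, APP_DEBUG] the way the kernel would receive them.
 *
 * $server         - $_SERVER (or a constructed copy of it)
 * $sapi           - the value of PHP_SAPI ('cli', 'fpm-fcgi', 'apache2handler', ...)
 * $gateArgvOnSapi - false: pre-fix behaviour, argv is read on every SAPI
 *                   true:  fixed behaviour, argv is read on CLI-like SAPIs only
 */
function resolveKernelEnvironment(array $server, string $sapi, bool $gateArgvOnSapi): array
{
    $env = $server['APP_ENV'] ?? 'prod';
    $noDebug = false;

    // Assumed allow-list of CLI-like SAPIs; the real patch may differ.
    $cliLike = \in_array($sapi, ['cli', 'phpdbg', 'embed'], true);
    if (isset($server['argv']) && (!$gateArgvOnSapi || $cliLike)) {
        $opts = parseRuntimeOptions($server['argv']);
        $env = $opts['env'] ?? $env;
        $noDebug = $opts['noDebug'];
    }

    // Simplified APP_DEBUG rule: an explicit value wins, otherwise debug unless prod.
    $debug = isset($server['APP_DEBUG']) ? (bool) $server['APP_DEBUG'] : ('prod' !== $env);
    if ($noDebug) {
        $debug = false;
    }

    return [$env, $debug];
}

/** Deployment check: is the directive that makes argv reachable over HTTP enabled? */
function registerArgcArgvEnabled(): bool
{
    return filter_var(ini_get('register_argc_argv'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed request: GET /index.php?--env=dev against a production deployment
// that relies on APP_ENV=prod and runs with register_argc_argv=On.
$server = ['APP_ENV' => 'prod', 'argv' => argvFromQueryString('--env=dev')];

// Pre-fix: the query string selects the environment, and debug follows it.
printf("pre-fix fpm-fcgi: %s\n", json_encode(resolveKernelEnvironment($server, 'fpm-fcgi', false)));
// Fixed: argv is ignored on a web SAPI, so the deployment's own values are used.
printf("fixed   fpm-fcgi: %s\n", json_encode(resolveKernelEnvironment($server, 'fpm-fcgi', true)));
// The CLI (bin/console --env=test --no-debug) keeps honouring its arguments.
$cli = ['argv' => ['bin/console', '--env=test', '--no-debug']];
printf("fixed   cli:      %s\n", json_encode(resolveKernelEnvironment($cli, 'cli', true)));
printf("register_argc_argv enabled in this SAPI: %s\n", registerArgcArgvEnabled() ? 'yes' : 'no');
```

Run it with `php example.php`. When auditing a real deployment, remember that the CLI SAPI forces register_argc_argv on, so `php -i` is not evidence about the web SAPI; query ini_get('register_argc_argv') (or phpinfo) under PHP-FPM or mod_php instead. The upgrade in this PR is the fix; turning the directive off in the web SAPI's php.ini is the defence in depth that also removes the same attack surface from any other code that trusts $_SERVER['argv'].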

Credits

We would like to thank Vladimir Dusheyko for reporting the issue and Wouter de Jong for providing the fix.

Severity

  • CVSS Score: 7.3 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

References

  • https://github.com/symfony/symfony/security/advisories/GHSA-x8vp-gf4q-mw5j
  • https://nvd.nist.gov/vuln/detail/CVE-2024-50340
  • https://github.com/symfony/symfony/commit/a77b308c3f179ed7c8a8bc295f82b2d6ee3493fa
  • https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/runtime/CVE-2024-50340.yaml
  • https://github.com/FriendsOfPHP/security-advisories/blob/master/symfony/symfony/CVE-2024-50340.yaml
  • https://github.com/symfony/symfony
  • https://symfony.com/cve-2024-50340

This data is provided by OSV (https://osv.dev/vulnerability/GHSA-x8vp-gf4q-mw5j) and the GitHub Advisory Database (https://github.com/github/advisory-database), licensed CC-BY 4.0 (https://github.com/github/advisory-database/blob/main/LICENSE.md).


Release Notes

symfony/runtime (symfony/runtime)

v6.4.14 (https://github.com/symfony/runtime/releases/tag/v6.4.14)

Compare Source: https://github.com/symfony/runtime/compare/v6.4.13...v6.4.14

Changelog (https://github.com/symfony/runtime/compare/v6.4.13...v6.4.14)

  • security symfony/symfony#cve-2024-50340 [Runtime] Do not read from argv on non-CLI SAPIs (@wouterj)

v6.4.13 (https://github.com/symfony/runtime/releases/tag/v6.4.13)

Compare Source: https://github.com/symfony/runtime/compare/v6.4.12...v6.4.13

Changelog (https://github.com/symfony/runtime/compare/v6.4.12...v6.4.13)

  • bug symfony/symfony#58372 Tweak error/exception handler registration (@nicolas-grekas)

v6.4.12 (https://github.com/symfony/runtime/releases/tag/v6.4.12)

Compare Source: https://github.com/symfony/runtime/compare/v6.4.8...v6.4.12

Changelog (https://github.com/symfony/runtime/compare/v6.4.11...v6.4.12)

  • no significant changes

v6.4.8 (https://github.com/symfony/runtime/releases/tag/v6.4.8)

Compare Source: https://github.com/symfony/runtime/compare/v6.4.7...v6.4.8

Changelog (https://github.com/symfony/runtime/compare/v6.4.7...v6.4.8)

  • no significant changes

v6.4.7 (https://github.com/symfony/runtime/releases/tag/v6.4.7)

Compare Source: https://github.com/symfony/runtime/compare/v6.4.3...v6.4.7

Changelog (https://github.com/symfony/runtime/compare/v6.4.6...v6.4.7)

  • no significant changes

v6.4.3 (https://github.com/symfony/runtime/releases/tag/v6.4.3)

Compare Source: https://github.com/symfony/runtime/compare/v6.4.0...v6.4.3

Changelog (https://github.com/symfony/runtime/compare/v6.4.2...v6.4.3)

  • no significant changes

v6.4.0 (https://github.com/symfony/runtime/releases/tag/v6.4.0)

Compare Source: https://github.com/symfony/runtime/compare/v6.3.12...v6.4.0

Changelog (https://github.com/symfony/runtime/compare/v6.4.0-RC2...v6.4.0)

  • no significant changes

v6.3.12 (https://github.com/symfony/runtime/releases/tag/v6.3.12)

Compare Source: https://github.com/symfony/runtime/compare/v6.3.2...v6.3.12

Changelog (https://github.com/symfony/runtime/compare/v6.3.11...v6.3.12)

  • no significant changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR has been generated by Renovate Bot (https://github.com/renovatebot/renovate).

jank merged commit 225caef8ef into main 2025-08-21 07:38:58 +00:00
jank deleted branch renovate/packagist-symfony-runtime-vulnerability 2025-08-21 07:38:58 +00:00
Reference: jank/ventry#12