phpc.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A server for PHP programmers & friends. Join us for discussions on the PHP programming language, frameworks, packages, tools, open source, tech, life, and more.

Someone has created bogus CVE reports for Symfony (CVE-2024-36611 and CVE-2024-36610).

You might experience warnings from `composer audit` or other tools about these bogus CVEs when using Symfony components <7.1.

These MUST BE IGNORED; the reports are NOT security issues.

We're trying to find out how we can solve this. If someone has experience with this, please let us know!
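For projects that cannot move to Symfony 7.1 yet, the practical way to silence a known-bogus advisory without turning the audit off is Composer's per-ID ignore list. The snippet below is an added example, not something posted in the thread or shipped by Symfony or Composer; it assumes Composer 2.6 or newer, which is when the `config.audit.ignore` setting was introduced, and it goes into the project's own composer.json. The two IDs are the ones named in the post above.

```json
{
    "config": {
        "audit": {
            "ignore": [
                "CVE-2024-36611",
                "CVE-2024-36610"
            ]
        }
    }
}
```

With this in place, `composer audit` (and the audit that `install`/`update` run automatically) still reports every other advisory; only these two identifiers are suppressed. That is preferable to passing `--no-audit` on every install, which would also hide real advisories. Once the CVE records are rejected or withdrawn, the entries can simply be removed again.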

@wouterj in the longer term, probably having Symfony (and/or the PHP-src project) become its own 'CVE Numbering Authority' (I'd guess with the PHP Foundation?), like Curl did - daniel.haxx.se/blog/2024/01/16 and also the Linux Kernel project. Though the kernel appears to be flooding the ecosystem with everything, so no one knows what's serious anymore 😆

There are also the issues of the split between PHP-core, large frameworks, and all the little libraries that have CVEs written up for them.

daniel.haxx.se · curl is a CNA: The curl project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities in all products directly made or managed by the project. If I'm counting correctly, we are the 351st CNA. The official announcement from Mitre states: curl is now a CVE Numbering Authority (CNA) for all products made and managed by the …

@alister @wouterj we as Joomla have applied for our ecosystem to be the CVE Numbering Authority, which is not too complicated and makes perfect sense if you have a security team which already manages relevant reports.

Wouter de Jong

@hleithner @alister thanks for the suggestion! We've started investigating this path to prevent this from happening in the future.