Fix CVE-2024-25117 #3399
Conversation
The master branch currently reflects the next release of Dompdf and includes some major changes, so this update won't alleviate issues for users attempting to deploy 2.x. The svglib-update branch is based on 2.0.4 and will be the basis of a 2.0.5 release (if required).
OK, great news. And do you know when you will merge the svglib-update branch?
It'll be sometime in the next few hours.
It looks like the update should not be necessary. Dependency managers are updating to reflect that 2.0.4 is OK to install. Please let me know if you're finding otherwise.
@bsweeney correct, we're seeing
It's OK for me too. Thanks for all.
When is 2.0.5 going to be released? It's still wrong to have a min version specified that would allow installing a dependency that is affected by a vulnerability.
FYI, if you want to enforce a minimum SvgLib version with your Dompdf installation without specifying it in your composer, you can upgrade to 2.0.7.
Force min version of phenx/php-svg-lib to 0.5.2
Resolves #3393