[4.x] / [5.x]: Update Yii requirement due to CVE in Yii #15124
Comments
This would be helpful for us, too -- it's getting flagged in our SOC2 audit systems.

Looks like this is already fixed in 4.10.
The specific vulnerability fixed in Yii 2.0.50 is based on a similar CVE for Craft, which we fixed in 4.4.15 (GHSA-4w8r-3xrw-v25g). So from a purely security standpoint, there's no need to worry about this :) That said, I understand this is going to cause headaches with roave/security-advisories and other auditing services, so we are fast-tracking Craft 4.10 and 5.2, which contain the update. Those were previously planned for later this month, but we're going to push some of the planned improvements to the following releases. Craft 4.10.0-beta.1 and 5.2.0-beta.1 are both tagged now, with Yii 2.0.50. Updating to them should be pretty safe. The main reason for the beta is because there are some new UI strings we need to get translated before the GA releases. You can update to them by changing your `craftcms/cms` requirement:

```json
// craft 4.10
"craftcms/cms": "^4.10.0-beta.1",

// craft 5.2
"craftcms/cms": "^5.2.0-beta.1",
```
Are there any plans to backport this "fix" to version 4.9?

No, Yii updates tend to be pretty involved, so they warrant a minor version bump.

Craft 4.10.0 and 5.2.0 are out with Yii 2.0.50 🎉
What happened?
Description
Is it possible to update yiisoft/yii2 to 2.0.50? The versions <= 2.0.49 are marked as a CVE vulnerability: GHSA-cjcc-p67m-7qxm
Steps to reproduce
Craft CMS version
4 / 5
PHP version
8.1 / 8.2
Operating system and version
No response
Database type and version
No response
Image driver and version
No response
Installed plugins and versions