From 7edb5657263d5bd7b4c2bca8d467bc5368e564b5 Mon Sep 17 00:00:00 2001 From: Michiel Kodde Date: Thu, 7 Nov 2019 11:21:07 +0100 Subject: [PATCH 1/2] Enable ant on Travis builds Ant is no longer installed by default on the Travis platform. An explicit installtion instruction was added to achieve installation. --- .travis.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index db68dd9f3..4fda12d89 100644 --- a/.travis.yml +++ b/.travis.yml @@ -27,9 +27,12 @@ before_script: script: - ant - branches: only: - master - develop - - feature/fine-grained-authorization + +addons: + apt: + packages: + - ant From c8b4aa901649a2b3debfb67b380d189110fabfb7 Mon Sep 17 00:00:00 2001 From: Michiel Kodde Date: Thu, 7 Nov 2019 11:34:50 +0100 Subject: [PATCH 2/2] Upgrade Stepup-saml-bundle to version 4.1.8 This change will apply the countermeasures to harden against CVE 2019-3465 and will effectively bump `robrichards/xmlseclibs` to version 3.0.4 --- CHANGELOG.md | 9 ++++--- composer.lock | 75 +++++++++++++++++++++++++++------------------------ 2 files changed, 46 insertions(+), 38 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a952affad..4edcb23d5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,8 @@ # Changelog - +## 3.0.1 +This is a security release that will harden the application against CVE 2019-346 + * Upgrade Stepup-saml-bundle to version 4.1.8 #176 + ## 3.0.0 FGA (fine grained authorization) The new fine grained authorization logic will allow Ra's from other institutions to accredidate RA's on behalf of another organisation. This is determined based on the institution configuration. https://github.com/OpenConext/Stepup-Deploy/wiki/rfc-fine-grained-authorization/b6852587baee698cccae7ebc922f29552420a296 @@ -8,8 +11,8 @@ The new fine grained authorization logic will allow Ra's from other institutions The changes to SelfService in regards to the FGA changes only where to remain compatible with API changes made for Stepup-RA. No new features have been added. ## 2.10.7 -**Improvement** -* Install security updates +This is a security release that will harden the application against CVE 2019-346 + * Upgrade Stepup-saml-bundle to version 4.1.8 #175 ## 2.10.6 **Bugfix** diff --git a/composer.lock b/composer.lock index 8b7653551..498eff870 100644 --- a/composer.lock +++ b/composer.lock @@ -1,7 +1,7 @@ { "_readme": [ "This file locks the dependencies of your project to a known state", - "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", + "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file", "This file is @generated automatically" ], "content-hash": "2bb70d27e1f4aa52aa09d6d53fd6ac05", @@ -998,16 +998,16 @@ }, { "name": "monolog/monolog", - "version": "1.24.0", + "version": "1.25.1", "source": { "type": "git", "url": "https://github.com/Seldaek/monolog.git", - "reference": "bfc9ebb28f97e7a24c45bdc3f0ff482e47bb0266" + "reference": "70e65a5470a42cfec1a7da00d30edb6e617e8dcf" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/Seldaek/monolog/zipball/bfc9ebb28f97e7a24c45bdc3f0ff482e47bb0266", - "reference": "bfc9ebb28f97e7a24c45bdc3f0ff482e47bb0266", + "url": "https://api.github.com/repos/Seldaek/monolog/zipball/70e65a5470a42cfec1a7da00d30edb6e617e8dcf", + "reference": "70e65a5470a42cfec1a7da00d30edb6e617e8dcf", "shasum": "" }, "require": { @@ -1072,7 +1072,7 @@ "logging", "psr-3" ], - "time": "2018-11-05T09:00:11+00:00" + "time": "2019-09-06T13:49:17+00:00" }, { "name": "moontoast/math", @@ -1761,16 +1761,16 @@ }, { "name": "psr/log", - "version": "1.1.0", + "version": "1.1.2", "source": { "type": "git", "url": "https://github.com/php-fig/log.git", - "reference": "6c001f1daafa3a3ac1d8ff69ee4db8e799a654dd" + "reference": "446d54b4cb6bf489fc9d75f55843658e6f25d801" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/php-fig/log/zipball/6c001f1daafa3a3ac1d8ff69ee4db8e799a654dd", - "reference": "6c001f1daafa3a3ac1d8ff69ee4db8e799a654dd", + "url": "https://api.github.com/repos/php-fig/log/zipball/446d54b4cb6bf489fc9d75f55843658e6f25d801", + "reference": "446d54b4cb6bf489fc9d75f55843658e6f25d801", "shasum": "" }, "require": { @@ -1779,7 +1779,7 @@ "type": "library", "extra": { "branch-alias": { - "dev-master": "1.0.x-dev" + "dev-master": "1.1.x-dev" } }, "autoload": { @@ -1804,7 +1804,7 @@ "psr", "psr-3" ], - "time": "2018-11-20T15:27:04+00:00" + "time": "2019-11-01T11:05:21+00:00" }, { "name": "psr/simple-cache", @@ -1978,16 +1978,16 @@ }, { "name": "robrichards/xmlseclibs", - "version": "3.0.3", + "version": "3.0.4", "source": { "type": "git", "url": "https://github.com/robrichards/xmlseclibs.git", - "reference": "406c68ac9124db033d079284b719958b829cb830" + "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/406c68ac9124db033d079284b719958b829cb830", - "reference": "406c68ac9124db033d079284b719958b829cb830", + "url": "https://api.github.com/repos/robrichards/xmlseclibs/zipball/0a53d3c3aa87564910cae4ed01416441d3ae0db5", + "reference": "0a53d3c3aa87564910cae4ed01416441d3ae0db5", "shasum": "" }, "require": { @@ -2012,7 +2012,7 @@ "xml", "xmldsig" ], - "time": "2018-11-15T11:59:02+00:00" + "time": "2019-11-05T11:44:22+00:00" }, { "name": "sensio/distribution-bundle", @@ -2233,16 +2233,16 @@ }, { "name": "simplesamlphp/saml2", - "version": "v3.3.6", + "version": "v3.2.6", "source": { "type": "git", "url": "https://github.com/simplesamlphp/saml2.git", - "reference": "513970e78c527d87a3358829d7c0f417267a582b" + "reference": "a56e46ef8e0c5245a4ca7facc3d308b493215751" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/simplesamlphp/saml2/zipball/513970e78c527d87a3358829d7c0f417267a582b", - "reference": "513970e78c527d87a3358829d7c0f417267a582b", + "url": "https://api.github.com/repos/simplesamlphp/saml2/zipball/a56e46ef8e0c5245a4ca7facc3d308b493215751", + "reference": "a56e46ef8e0c5245a4ca7facc3d308b493215751", "shasum": "" }, "require": { @@ -2255,11 +2255,11 @@ }, "require-dev": { "mockery/mockery": "~0.9", - "phpmd/phpmd": "~2.6", + "phpmd/phpmd": "~1.5", "phpunit/phpunit": "~4", - "sebastian/phpcpd": "~2.0", - "sensiolabs/security-checker": "~4.1", - "squizlabs/php_codesniffer": "~3.2" + "sebastian/phpcpd": "~1.4", + "sensiolabs/security-checker": "~1.1", + "squizlabs/php_codesniffer": "~1.4" }, "type": "library", "extra": { @@ -2286,7 +2286,7 @@ } ], "description": "SAML2 PHP library from SimpleSAMLphp", - "time": "2019-01-04T13:42:36+00:00" + "time": "2018-11-20T11:11:28+00:00" }, { "name": "surfnet/stepup-bundle", @@ -2400,30 +2400,35 @@ }, { "name": "surfnet/stepup-saml-bundle", - "version": "4.1.2", + "version": "4.1.8", "source": { "type": "git", "url": "https://github.com/OpenConext/Stepup-saml-bundle.git", - "reference": "1ce8e74a7e35963e60378da8c8647656e382cef9" + "reference": "cf88eb328a31d30a3b94deea7931a759bd362aab" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/OpenConext/Stepup-saml-bundle/zipball/1ce8e74a7e35963e60378da8c8647656e382cef9", - "reference": "1ce8e74a7e35963e60378da8c8647656e382cef9", + "url": "https://api.github.com/repos/OpenConext/Stepup-saml-bundle/zipball/cf88eb328a31d30a3b94deea7931a759bd362aab", + "reference": "cf88eb328a31d30a3b94deea7931a759bd362aab", "shasum": "" }, "require": { "ext-openssl": "*", "php": ">=5.6,<8.0-dev", - "robrichards/xmlseclibs": "^3.0", - "simplesamlphp/saml2": "^3.0", + "robrichards/xmlseclibs": "^3.0.4", + "simplesamlphp/saml2": "3.2.*", "symfony/dependency-injection": ">=2.7,<4", "symfony/framework-bundle": ">=2.7,<4" }, "require-dev": { - "ibuildings/qa-tools": "~1.1", "mockery/mockery": "~0.9", - "psr/log": "~1.0" + "phpmd/phpmd": "^2.6", + "phpunit/phpunit": "^5.7", + "psr/log": "~1.0", + "sebastian/exporter": "~2.0", + "sebastian/phpcpd": "^2.0", + "sensiolabs/security-checker": "^5.0", + "squizlabs/php_codesniffer": "^3.0" }, "type": "symfony-bundle", "autoload": { @@ -2443,7 +2448,7 @@ "stepup", "surfnet" ], - "time": "2018-09-04T10:06:38+00:00" + "time": "2019-11-06T13:09:53+00:00" }, { "name": "surfnet/stepup-u2f-bundle",