From bf373b5fcf844353a6194e83c175107e37be7f5b Mon Sep 17 00:00:00 2001
From: darkpills <>
Date: Sun, 17 Mar 2024 09:33:25 +0100
Subject: [PATCH 1/7] Adding CVE-2024-28859 for SwiftMailer gadget chain in Symfony 1.x
---
 swiftmailer/swiftmailer/CVE-2024-28859.yaml | 14 ++++++++++++++
 symfony/symfony/CVE-2024-28859.yaml | 8 ++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 swiftmailer/swiftmailer/CVE-2024-28859.yaml
 create mode 100644 symfony/symfony/CVE-2024-28859.yaml
diff --git a/swiftmailer/swiftmailer/CVE-2024-28859.yaml b/swiftmailer/swiftmailer/CVE-2024-28859.yaml
new file mode 100644
index 000000000..2c0ce0928
--- /dev/null
+++ b/swiftmailer/swiftmailer/CVE-2024-28859.yaml
@@ -0,0 +1,14 @@
+title: Deserialization Gadget chain in Swift Mailer
+link: https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r
+cve: CVE-2024-28859
+branches:
+    4.x:
+        time: null
+        versions: ['>=4.0.0']
+    5.x:
+        time: null
+        versions: ['>=5.0.0']
+    6.x:
+        time: 2020-12-8 19:18:59
+        versions: ['>=6.0.0', '<6.30.0']
+reference: composer://swiftmailer/swiftmailer
diff --git a/symfony/symfony/CVE-2024-28859.yaml b/symfony/symfony/CVE-2024-28859.yaml
new file mode 100644
index 000000000..a7466bffc
--- /dev/null
+++ b/symfony/symfony/CVE-2024-28859.yaml
@@ -0,0 +1,8 @@
+title: Deserialization Gadget chain in Swift Mailer dependancy
+link: https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r
+cve: CVE-2024-28859
+branches:
+    1.x:
+        time: 2024-02-27 20:26:56
+        versions: ['>=1.3.0', '<1.18.0']
+reference: composer://symfony/symfony
From d157497397f816434baae308ea6461347a27888b Mon Sep 17 00:00:00 2001
From: darkpills <>
Date: Sun, 17 Mar 2024 09:41:35 +0100
Subject: [PATCH 2/7] Fixing Symfony version number
---
 symfony/symfony/CVE-2024-28859.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/symfony/symfony/CVE-2024-28859.yaml b/symfony/symfony/CVE-2024-28859.yaml
index a7466bffc..6142d6361 100644
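Review bot: The title string added for the symfony/symfony file is misspelled, `+title: Deserialization Gadget chain in Swift Mailer dependancy`; this is the human-readable text that audit tooling prints for the match, so it should read `+title: Deserialization Gadget chain in Swift Mailer dependency`. Later patches in this series move the file with similarity index 100%, so the misspelling survives into the final state unless it is corrected in this hunk. Nothing else in the new file depends on the title, so the change is isolated.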
--- a/symfony/symfony/CVE-2024-28859.yaml
+++ b/symfony/symfony/CVE-2024-28859.yaml
@@ -4,5 +4,5 @@ cve: CVE-2024-28859
 branches:
     1.x:
         time: 2024-02-27 20:26:56
-        versions: ['>=1.3.0', '<1.18.0']
+        versions: ['>=1.3.0', '<1.15.18']
 reference: composer://symfony/symfony
From 8bc31d121ca1e9dcbd14d885bcb6ec0eba844834 Mon Sep 17 00:00:00 2001
From: darkpills <209987+darkpills@users.noreply.github.com>
Date: Sun, 17 Mar 2024 22:24:35 +0100
Subject: [PATCH 3/7] Update symfony/symfony/CVE-2024-28859.yaml
Co-authored-by: Christian Flothmann
---
 symfony/symfony/CVE-2024-28859.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/symfony/symfony/CVE-2024-28859.yaml b/symfony/symfony/CVE-2024-28859.yaml
index 6142d6361..1f4a2ee4b 100644
--- a/symfony/symfony/CVE-2024-28859.yaml
+++ b/symfony/symfony/CVE-2024-28859.yaml
@@ -5,4 +5,4 @@ branches:
     1.x:
         time: 2024-02-27 20:26:56
         versions: ['>=1.3.0', '<1.15.18']
-reference: composer://symfony/symfony
+reference: composer://friendsofsymfony1/symfony1
From d3292f5668d39136fdeacf255bf5a837ebf68e7d Mon Sep 17 00:00:00 2001
From: darkpills <>
Date: Tue, 19 Mar 2024 21:34:48 +0100
Subject: [PATCH 4/7] Adding another gadget chain for symfony1 (CVE-2024-28861)
Aligning file path with composer paths
Adding upper bounds for swiftmailer
---
 friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml | 14 ++++++++++++++
 .../symfony1}/CVE-2024-28859.yaml | 0
 friendsofsymfony1/symfony1/CVE-2024-28861.yaml | 8 ++++++++
 swiftmailer/swiftmailer/CVE-2024-28859.yaml | 4 ++--
 4 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100755 friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
 rename {symfony/symfony => friendsofsymfony1/symfony1}/CVE-2024-28859.yaml (100%)
 mode change 100644 => 100755
 create mode 100755 friendsofsymfony1/symfony1/CVE-2024-28861.yaml
diff --git a/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
new file mode 100755
index 000000000..9aa4780b6
--- /dev/null
+++ b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
@@ -0,0 +1,14 @@
+title: Deserialization Gadget chain in Swift Mailer
+link: https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r
+cve: CVE-2024-28859
+branches:
+    4.x:
+        time: null
+        versions: ['>=4.0.0', '<=4.3.1']
+    5.x:
+        time: null
+        versions: ['>=5.0.0', '<=5.4.12']
+    6.x:
+        time: 2020-12-8 19:18:59
+        versions: ['>=6.0.0', '<6.30.0']
+reference: composer://friendsofsymfony1/swiftmailer
diff --git a/symfony/symfony/CVE-2024-28859.yaml b/friendsofsymfony1/symfony1/CVE-2024-28859.yaml
old mode 100644
new mode 100755
similarity index 100%
rename from symfony/symfony/CVE-2024-28859.yaml
rename to friendsofsymfony1/symfony1/CVE-2024-28859.yaml
diff --git a/friendsofsymfony1/symfony1/CVE-2024-28861.yaml b/friendsofsymfony1/symfony1/CVE-2024-28861.yaml
new file mode 100755
index 000000000..9dc30880a
--- /dev/null
+++ b/friendsofsymfony1/symfony1/CVE-2024-28861.yaml
@@ -0,0 +1,8 @@
+title: Deserialization Gadget chain in Symfony sfNamespacedParameterHolder
+link: https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-pv9j-c53q-h433
+cve: CVE-2024-28861
+branches:
+    1.x:
+        time: 2024-03-19 13:59:00
+        versions: ['>=1.1.0', '<1.15.19']
+reference: composer://friendsofsymfony1/symfony1
diff --git a/swiftmailer/swiftmailer/CVE-2024-28859.yaml b/swiftmailer/swiftmailer/CVE-2024-28859.yaml
index 2c0ce0928..fe6f517e3 100644
--- a/swiftmailer/swiftmailer/CVE-2024-28859.yaml
+++ b/swiftmailer/swiftmailer/CVE-2024-28859.yaml
@@ -4,10 +4,10 @@ cve: CVE-2024-28859
 branches:
     4.x:
         time: null
-        versions: ['>=4.0.0']
+        versions: ['>=4.0.0', '<=4.3.1']
     5.x:
         time: null
-        versions: ['>=5.0.0']
+        versions: ['>=5.0.0', '<=5.4.12']
     6.x:
         time: 2020-12-8 19:18:59
         versions: ['>=6.0.0', '<6.30.0']
From e3a7d9e8ef93c4c09e87caa45e9fe62dee98f76e Mon Sep 17 00:00:00 2001
From: darkpills <209987+darkpills@users.noreply.github.com>
Date: Wed, 20 Mar 2024 21:17:56 +0100
Subject: [PATCH 5/7] Update friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
Co-authored-by: Christophe Coevoet
---
 friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
index 9aa4780b6..0cc553426 100755
--- a/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
+++ b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
@@ -7,7 +7,7 @@ branches:
         versions: ['>=4.0.0', '<=4.3.1']
     5.x:
         time: null
-        versions: ['>=5.0.0', '<=5.4.12']
+        versions: ['>=5.0.0', '<5.4.13']
     6.x:
         time: 2020-12-8 19:18:59
         versions: ['>=6.0.0', '<6.30.0']
From f42cfb8032e6af2c849e92738c1e161e257aa51b Mon Sep 17 00:00:00 2001
From: darkpills <209987+darkpills@users.noreply.github.com>
Date: Wed, 20 Mar 2024 21:18:25 +0100
Subject: [PATCH 6/7] Update friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
Co-authored-by: Christophe Coevoet
---
 friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
index 0cc553426..56fa87741 100755
--- a/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
+++ b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
@@ -10,5 +10,5 @@ branches:
         versions: ['>=5.0.0', '<5.4.13']
     6.x:
         time: 2020-12-8 19:18:59
-        versions: ['>=6.0.0', '<6.30.0']
+        versions: ['>=6.0.0', '<6.2.5']
 reference: composer://friendsofsymfony1/swiftmailer
From df0cce593569fe221ad7e722ad10d3b2da320012 Mon Sep 17 00:00:00 2001
From: darkpills <>
Date: Wed, 20 Mar 2024 22:14:34 +0100
Subject: [PATCH 7/7] Fix friendsofsymfony1/swiftmailer patch timestamp
Merging swiftmailer 4.x and 5.x branch
---
 friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml | 9 +++------
 swiftmailer/swiftmailer/CVE-2024-28859.yaml | 9 +++------
 2 files changed, 6 insertions(+), 12 deletions(-)
diff --git a/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
index 56fa87741..d28fcc662 100755
--- a/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
+++ b/friendsofsymfony1/swiftmailer/CVE-2024-28859.yaml
@@ -2,13 +2,10 @@ title: Deserialization Gadget chain in Swift Mailer
 link: https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r
 cve: CVE-2024-28859
 branches:
-    4.x:
-        time: null
-        versions: ['>=4.0.0', '<=4.3.1']
     5.x:
-        time: null
-        versions: ['>=5.0.0', '<5.4.13']
+        time: 2024-02-27 16:08:02
+        versions: ['>=4.0.0', '<5.4.13']
     6.x:
-        time: 2020-12-8 19:18:59
+        time: 2020-12-08 19:18:59
         versions: ['>=6.0.0', '<6.2.5']
 reference: composer://friendsofsymfony1/swiftmailer
diff --git a/swiftmailer/swiftmailer/CVE-2024-28859.yaml b/swiftmailer/swiftmailer/CVE-2024-28859.yaml
index fe6f517e3..ef81fbf0a 100644
--- a/swiftmailer/swiftmailer/CVE-2024-28859.yaml
+++ b/swiftmailer/swiftmailer/CVE-2024-28859.yaml
@@ -2,13 +2,10 @@ title: Deserialization Gadget chain in Swift Mailer
 link: https://github.com/FriendsOfSymfony1/symfony1/security/advisories/GHSA-wjv8-pxr6-5f4r
 cve: CVE-2024-28859
 branches:
-    4.x:
-        time: null
-        versions: ['>=4.0.0', '<=4.3.1']
     5.x:
         time: null
-        versions: ['>=5.0.0', '<=5.4.12']
+        versions: ['>=4.0.0', '<6.0.0']
     6.x:
-        time: 2020-12-8 19:18:59
-        versions: ['>=6.0.0', '<6.30.0']
+        time: 2020-12-08 19:18:59
+        versions: ['>=6.0.0', '<6.2.5']
 reference: composer://swiftmailer/swiftmailer
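Review bot: The merged entry keeps the branch key `5.x` while its range now reads `versions: ['>=4.0.0', '<5.4.13']`, so the key no longer describes what it covers and a reader has to open the list to learn that the whole 4.x line is included. If the advisory validator accepts free-form branch keys, a key such as `4.x-5.x:` would make the range self-describing; if it only accepts `N.x` keys, the commit message should say that 4.x is folded in deliberately because the first fixed release is 5.4.13. The hunk is the complete file, so the change is self-contained.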
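Review bot: The rewritten 6.x entry for the upstream swiftmailer/swiftmailer package now asserts a fix in 6.2.5 with `time: 2020-12-08 19:18:59`, more than three years before the advisory that the `link` field points to, and nothing in the hunk cites an upstream release note or commit for that bound. Audit tooling stops reporting 6.2.5 and later on the strength of this line alone, so if the upstream fix is not confirmed the entry silently under-reports; please reference the upstream change in the commit message, or keep `time: null` and `versions: ['>=6.0.0']` until it is confirmed. The `5.x` entry with `time: null` and `versions: ['>=4.0.0', '<6.0.0']` is the right shape for lines this series treats as never fixed upstream, since it keeps every 4.x and 5.x install flagged.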