chore(deps): update dependency drupal/core-recommended to v10 [security] #28
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
|
renovate
bot
force-pushed
the
renovate/packagist-drupal-core-recommended-vulnerability
branch
from
fb4132f to
7b5a703
Compare
renovate
bot
force-pushed
the
renovate/packagist-drupal-core-recommended-vulnerability
branch
from
7b5a703 to
bd9e3cb
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
9.3.14->10.2.11GitHub Vulnerability Alerts
CVE-2024-45440
core/authorize.phpin Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value ofhash_saltisfile_get_contentsof a file that does not exist.CVE-2024-55637
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to
unserialize(). There are no such known exploits in Drupal core.To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a
TypeError.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-55636
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Artbitrary File Deletion. It is not directly exploitable.
This issue is mitigated by the fact that in order to be exploitable, a separate vulnerability must be present that allows an attacker to pass unsafe input to
unserialize(). There are no such known exploits in Drupal core.To help protect against this vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a
TypeError.This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-55634
Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-12393
Drupal uses JavaScript to render status messages in some cases and configurations. In certain situations, the status messages are not adequately sanitized. This issue affects Drupal Core: from 8.8.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
CVE-2024-55638
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable.
This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to
unserialize(). There are no such known exploits in Drupal core.To help protect against this potential vulnerability, some additional checks have been added to Drupal core's database code. If you use a third-party database driver, check the release notes for additional configuration steps that may be required in certain cases.
This issue affects Drupal Core: from 7.0 before 7.102, from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9.
Release Notes
drupal/core-recommended (drupal/core-recommended)
v10.2.11Compare Source
v10.2.10Compare Source
v10.2.9Compare Source
v10.2.8Compare Source
v10.2.7Compare Source
v10.2.6Compare Source
v10.2.5Compare Source
v10.2.4Compare Source
v10.2.3Compare Source
v10.2.2Compare Source
v10.2.1Compare Source
v10.2.0Compare Source
v10.1.8Compare Source
v10.1.7Compare Source
v10.1.6Compare Source
v10.1.5Compare Source
v10.1.4Compare Source
v10.1.3Compare Source
v10.1.2Compare Source
v10.1.1Compare Source
v10.1.0Compare Source
v10.0.11Compare Source
v10.0.10Compare Source
v10.0.9Compare Source
v10.0.8Compare Source
v10.0.7Compare Source
v10.0.6Compare Source
v10.0.5Compare Source
v10.0.4Compare Source
v10.0.3Compare Source
v10.0.2Compare Source
v10.0.1Compare Source
v10.0.0Compare Source
v9.5.11Compare Source
v9.5.10Compare Source
v9.5.9Compare Source
v9.5.8Compare Source
v9.5.7Compare Source
v9.5.6Compare Source
v9.5.5Compare Source
v9.5.4Compare Source
v9.5.3Compare Source
v9.5.2Compare Source
v9.5.1Compare Source
v9.5.0Compare Source
v9.4.15Compare Source
v9.4.14Compare Source
v9.4.13Compare Source
v9.4.12Compare Source
v9.4.11Compare Source
v9.4.10Compare Source
v9.4.9Compare Source
v9.4.8Compare Source
v9.4.7Compare Source
v9.4.6Compare Source
v9.4.5Compare Source
v9.4.4Compare Source
v9.4.3Compare Source
v9.4.2Compare Source
v9.4.1Compare Source
v9.4.0Compare Source
v9.3.22Compare Source
v9.3.21Compare Source
v9.3.20Compare Source
v9.3.19Compare Source
v9.3.18Compare Source
v9.3.17Compare Source
v9.3.16Compare Source
v9.3.15Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.