Currently the version of SimpleSAMLphp is locked on 1.17 with the version string ~1.17.2 in the composer.json. To allow upgrading to a version without security problems, this version string needs to be updated. I will add a patch to fix this problem.


Comments

pdenooijer created an issue. See original summary.

pdenooijer’s picture

Status: Active » Needs review
FileSize
367 bytes

Provided patch will allow updating minor and patch versions of the simplesamlphp/simplesamlphp dependency with composer.

Berdir’s picture

The reason I used ~ and not ^ was that 1.17 caused quite a few problems due to deprecations, so I tried to be more careful. I guess it's fine to expand it.

idebr’s picture

There is a line in simplesamlphp_auth_requirements() mentioning the minimum version requirement for simplesamlphp. It currently says:

SimpleSAMLphp module requires the simplesamlphp library, version 1.17.2 or later. See README file for installation instructions.

Let's update this line so it matches the version requirement in the composer.json file. Alternatively, we could remove the version number mentioned here since the calling code does not actually parse the version number.

pdenooijer’s picture

Updated the patch with the simplesamlphp_auth_requirements() change included.

pdenooijer’s picture

For now we mitigated the problem by adding the following line in the composer.json require field:
"simplesamlphp/simplesamlphp": "1.18.2 as 1.17.8",
Had to upgrade some other dependencies (like simplesamlphp/saml2) to get it to work.
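
Added example, not code from the module or the patch: a simplified Python model of Composer's `~` and `^` operators and of the inline alias used in the workaround above, showing why `~1.17.2` rejects 1.18.2 while the alias lets it install. `^1.17.2` is an assumed replacement constraint (the patch itself is not shown on this page), and the function names are hypothetical.

```python
# Simplified model of Composer constraints for plain MAJOR.MINOR.PATCH
# versions only (no stability flags, no OR/AND ranges, no wildcards).

def parse(version):
    """'1.17.2' -> (1, 17, 2); missing parts are padded with zeros."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def bounds(constraint):
    """Return (lower_inclusive, upper_exclusive) for a ~ or ^ constraint."""
    op, spec = constraint[0], constraint[1:]
    given = len(spec.split("."))
    low = parse(spec)
    if op == "~":
        # Tilde: only the last part that was written may increase.
        idx = max(given - 2, 0)
    elif op == "^":
        # Caret: everything right of the first non-zero part may increase.
        idx = next((i for i, n in enumerate(low[:given]) if n != 0), given - 1)
    else:
        raise ValueError("only ~ and ^ are modelled here")
    high = low[:idx] + (low[idx] + 1,) + (0,) * (2 - idx)
    return low, high

def satisfies(version, constraint):
    low, high = bounds(constraint)
    return low <= parse(version) < high

def resolve(root_require, module_constraint):
    """Model an inline alias 'X as Y' in the root composer.json: X is what
    gets installed, Y is the version other packages' constraints see."""
    installed, _, alias = root_require.partition(" as ")
    seen_as = alias or installed
    return installed, satisfies(seen_as, module_constraint)

OLD = "~1.17.2"  # constraint quoted in the issue summary
NEW = "^1.17.2"  # assumption: the thread implies ~ was replaced by ^

if __name__ == "__main__":
    for c in (OLD, NEW):
        print(c, bounds(c), "accepts 1.18.2:", satisfies("1.18.2", c))
    # The workaround: 1.18.2 is installed but presented to the module as 1.17.8.
    print(resolve("1.18.2 as 1.17.8", OLD))
    print(resolve("1.18.2", OLD))
```

The alias only satisfies the resolver; it does not make the module's code compatible with 1.18, which is why the thread goes on to test the combination before committing.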

Berdir’s picture

Patch looks good, I think it's useful to keep the version number.

Our test coverage is obviously very limited, if you can confirm that there are no issues with 1.18 using that workaround then I can commit it to -dev, which should make it easier to test.

pdenooijer’s picture

Our CI is currently running with quite a lot of Behat tests; after it is tested by hand as well, I will report back.

pdenooijer’s picture

Works fine for us @Berdir!

Berdir’s picture

Status: Needs review » Fixed

Great, committed.

  • Berdir committed a014e74 on 8.x-3.x authored by pdenooijer
    Issue #3097283 by pdenooijer: Allow updating to SimpleSAMLphp 1.18 and...
apaderno’s picture

Issue tags: -Security Issue +Security

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.