pushokwhite (Collaborator) commented Nov 7, 2025

PR Description

Improvements

  • Updated PHP versions to the latest patch releases
  • Updated NewRelic to version 12.1.0.26 (from 11.10.0.24) to fix security vulnerabilities
  • Updated Tideways to version 5.30.0 (from 5.22.2)
  • Updated Composer to version 2.8.12 (from 2.8.10)
  • Updated Blackfire to version 1.92.48 (from 1.92.28)
  • Alpine 3.22: tightened build dependencies (openssl/zlib/scdoc), included an APK tools build v3.0.0_rc7 from source for compatibility, and cleaned temporary artifacts.

Security Fixes

  • CVE-2025-47907: Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
  • CVE-2025-47906: If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.

Steps before you submit a PR

  • Please add tests for the code you add if it's possible.
  • Please check out our contribution guide: https://docs.spryker.com/docs/dg/dev/code-contribution-guide.html
  • Add a contribution-license-agreement.txt file with the following content:
    I hereby agree to Spryker's Contribution License Agreement in https://github.com/spryker/docker-php/blob/HASH_OF_COMMIT_YOU_ARE_BASING_YOUR_BRANCH_FROM_MASTER_BRANCH/CONTRIBUTING.md.

This is a mandatory step to make sure you are aware of the license agreement and agree to it. HASH_OF_COMMIT_YOU_ARE_BASING_YOUR_BRANCH_FROM_MASTER_BRANCH is the hash of the commit on the master branch that you are basing your branch on. You can take it from the commit list of the master branch before you submit a PR.

Checklist

  • I agree with the Code Contribution License Agreement in CONTRIBUTING.md

pushokwhite and others added 4 commits November 6, 2025 09:44
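
As an added example (not part of this pull request or of the Spryker images), a check for the precondition that CVE-2025-47906 describes: PATH entries that are executables or other files rather than directories. The function name `audit_path` and the `EXECUTABLE`/`FILE` output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PATH-style string for entries that are files
# rather than directories (the precondition named in CVE-2025-47906).
#
# audit_path PATHSTRING   (hypothetical helper, not from the project)
# Prints one line per suspicious entry:
#   EXECUTABLE <entry>  entry is a regular file with an execute bit
#   FILE <entry>        entry exists but is neither of the above nor a directory
# Exit status is 0 when every existing entry is a directory, 1 otherwise.
# The body runs in a subshell so the IFS and globbing changes stay local.
audit_path() (
    path_value=$1
    status=0
    IFS=:
    set -f   # no pathname expansion while splitting on ':'
    for entry in $path_value; do
        # An empty entry means "current directory"; it is a separate
        # concern and is not what this check looks for.
        [ -n "$entry" ] || continue
        if [ -d "$entry" ]; then
            continue
        elif [ -f "$entry" ] && [ -x "$entry" ]; then
            printf 'EXECUTABLE %s\n' "$entry"
            status=1
        elif [ -e "$entry" ]; then
            printf 'FILE %s\n' "$entry"
            status=1
        fi
        # Entries that do not exist are ignored.
    done
    [ "$status" -eq 0 ]
)

# Audit the PATH of the current environment, e.g. inside a built image.
audit_path "$PATH" || echo "PATH contains non-directory entries" >&2
```

Running it as a build or CI step inside the image shows whether the image's own PATH meets that precondition.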