Skip to content

Commit a98aea1

Browse files
authored
Merge pull request #480 from nadezhdafilina/update-php-libs
ELSDOC-202, updated php libraries
2 parents 8a10646 + 2ac09c6 commit a98aea1

3 files changed

Lines changed: 174 additions & 0 deletions

File tree

docs/.vuepress/components/ELSTechnology.vue

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1343,6 +1343,11 @@ const techData = [
13431343
versions: "0.8.x | 1.2.x | 3.1.0",
13441344
link: "./dompdf/",
13451345
},
1346+
{
1347+
name: "php-svg-lib",
1348+
versions: "0.3.4",
1349+
link: "./php-svg-lib/",
1350+
},
13461351
{
13471352
name: "Firebase PHP-JWT",
13481353
versions: "6.11.1",

docs/.vuepress/config-client/sidebar.ts

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -247,6 +247,10 @@ export default {
247247
path: '/els-for-libraries/dompdf/',
248248
icon: '/images/dompdf-logo.webp',
249249
},
250+
{
251+
path: '/els-for-libraries/php-svg-lib/',
252+
icon: '/images/dompdf-logo.webp',
253+
},
250254
{
251255
path: '/els-for-libraries/cakephp/',
252256
icon: '/images/cakephp.webp',
Lines changed: 165 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,165 @@
1+
# php-svg-lib
2+
3+
Endless Lifecycle Support (ELS) for php-svg-lib from TuxCare provides security fixes for php-svg-lib versions that have reached their end-of-life. This allows you to continue running your applications without vulnerability concerns, even after official support has ended.
4+
5+
## Supported Versions
6+
7+
* **php-svg-lib** 0.3.4
8+
9+
Other versions upon request.
10+
11+
## Connection to ELS for php-svg-lib Repository
12+
13+
This guide outlines the steps needed to integrate the TuxCare ELS for php-svg-lib repository into your application. The repository provides trusted php-svg-lib packages that can be easily integrated into your **Composer** projects.
14+
15+
### Step 1: Get user credentials
16+
17+
You need a username and password in order to use TuxCare ELS for php-svg-lib repository. Anonymous access is disabled. To receive the credentials, please contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
18+
19+
### Step 2: Configure Composer authentication
20+
21+
1. Create or edit the `auth.json` file for the user running Composer:
22+
23+
* **Linux/macOS**:
24+
25+
```text
26+
~/.composer/auth.json
27+
```
28+
29+
* **Windows**:
30+
31+
```text
32+
%APPDATA%\Composer\auth.json
33+
```
34+
35+
2. Use either the Composer CLI or edit `auth.json` directly to add your credentials for `nexus.repo.tuxcare.com`.
36+
37+
<CodeTabs :tabs="[
38+
{ title: 'Composer CLI', content: `composer config --global --auth http-basic.nexus.repo.tuxcare.com USERNAME PASSWORD` },
39+
{ title: 'auth.json', content: authjson }
40+
]" />
41+
42+
Replace `USERNAME` and `PASSWORD` with the credentials you received in [Step 1](#step-1-get-user-credentials).
43+
44+
### Step 3: Register the TuxCare repository
45+
46+
Add the `els_php` Composer repository either via CLI or by editing `composer.json`:
47+
48+
<CodeTabs :tabs="[
49+
{ title: 'Composer CLI', content: cli },
50+
{ title: 'composer.json', content: composerjson }
51+
]" />
52+
53+
### Step 4: Install php-svg-lib
54+
55+
Install the TuxCare-maintained php-svg-lib release that matches your project:
56+
57+
<CodeTabs :tabs="[
58+
{ title: 'Composer CLI', content: `composer require phenx/php-svg-lib:0.3.4-p1+tuxcare` },
59+
{ title: 'composer.json', content: pkgjson }
60+
]" />
61+
62+
**Check the exact version listed in your TuxCare Nexus account to ensure you receive the most recent patched release.**
63+
64+
If you edited `composer.json` manually, run `composer update` to install the package:
65+
66+
```text
67+
composer update
68+
```
69+
70+
Composer will resolve dependencies against the TuxCare repository and install the patched releases.
71+
72+
### Composer Repository Configuration
73+
74+
If you encounter dependency resolution errors like:
75+
76+
`packages from higher priority repository do not match your constraint`
77+
78+
it usually means your project requires a package version that is not yet available in the TuxCare repository.
79+
80+
**Solution**: Update your `composer.json` to set the TuxCare repository as non-canonical:
81+
82+
```
83+
{
84+
"repositories": [
85+
{
86+
"type": "composer",
87+
"url": "https://nexus.repo.tuxcare.com/repository/els_php/",
88+
"canonical": false
89+
}
90+
]
91+
}
92+
```
93+
94+
This allows Composer to fall back to Packagist for packages not available in the TuxCare repository, while still preferring TuxCare patches when available.
95+
96+
## Vulnerability Exploitability eXchange (VEX)
97+
98+
VEX is a machine-readable format that tells you if a known vulnerability is actually exploitable in your product. It reduces false positives and helps prioritize real risks.
99+
100+
TuxCare provides VEX for php-svg-lib ELS versions: [security.tuxcare.com/vex/cyclonedx/els_lang_php/phenx-php-svg-lib/](https://security.tuxcare.com/vex/cyclonedx/els_lang_php/phenx-php-svg-lib/).
101+
102+
## How to Upgrade to a Newer Version
103+
104+
If you have already installed a TuxCare php-svg-lib package and want to upgrade to a newer release, update the version string in your `composer.json` file or run the `composer require` command with the new version:
105+
106+
```text
107+
composer require phenx/php-svg-lib:VERSION-pN+tuxcare
108+
```
109+
110+
Then run `composer update` to apply the changes:
111+
112+
```text
113+
composer update
114+
```
115+
116+
## Resolved CVEs
117+
118+
Fixes for the following vulnerabilities are available in ELS for php-svg-lib from TuxCare:
119+
120+
| CVE ID | Severity | Library | Vulnerable Versions | Safe Version |
121+
| :-----------------: | :------: | :----------: | :-----------------: | :-----------------: |
122+
| CVE-2024-25117 | Medium | php-svg-lib | < 0.5.2 | 0.3.4-p1+tuxcare |
123+
| CVE-2023-50251 | High | php-svg-lib | < 0.5.1 | 0.3.4-p1+tuxcare |
124+
| GHSA-97m3-52wr-xvv2 | Critical | php-svg-lib | < 0.5.2 | 0.3.4-p1+tuxcare |
125+
126+
If you are interested in the TuxCare Endless Lifecycle Support, contact [sales@tuxcare.com](mailto:sales@tuxcare.com).
127+
128+
<script setup>
129+
130+
const authjson =
131+
`{
132+
"http-basic": {
133+
"nexus.repo.tuxcare.com": {
134+
"username": "USERNAME",
135+
"password": "PASSWORD"
136+
}
137+
}
138+
}`
139+
140+
const composerjson =
141+
`{
142+
"repositories": [
143+
{
144+
"type": "composer",
145+
"url": "https://nexus.repo.tuxcare.com/repository/els_php/",
146+
"options": {
147+
"http": {
148+
"verify": true
149+
}
150+
}
151+
}
152+
]
153+
}`
154+
155+
const cli =
156+
`composer config repositories.tuxcare '{"type":"composer","url":"https://nexus.repo.tuxcare.com/repository/els_php/","options":{"http":{"verify":true}}}' --json`
157+
158+
const pkgjson =
159+
`{
160+
"require": {
161+
"phenx/php-svg-lib": "0.3.4-p1+tuxcare"
162+
}
163+
}`
164+
165+
</script>

0 commit comments

Comments
 (0)