Skip to content

1.4.5

Latest
Latest

Choose a tag to compare

View all tags
@github-actions github-actions released this 26 May 15:11
· 50 commits to 1.5.x since this release
Immutable release. Only release title and notes can be modified.
1.4.5
This tag was signed with the committer’s verified signature.
asgrim James Titcumb
GPG key ID: 4172BCFABD873AE3
Verified
Learn about vigilant mode.
5d1485c
This commit was signed with the committer’s verified signature.
asgrim James Titcumb
GPG key ID: 4172BCFABD873AE3
Verified
Learn about vigilant mode.

This release contains vulnerability fixes for the following security advisories:

  • GHSA-h842-vjwg-pxxx - Sudo-elevated arbitrary file deletion via extra.pie-installed-binary metadata in UninstallUsingUnlink
  • GHSA-pm6p-666q-hvj5 - Sudo-elevated root code execution via TOCTOU between self-update verify and write
  • GHSA-f67f-c344-cqqr - PIE self-update accepts any historically-attested pie.phar (rollback gap)
  • GHSA-vcv4-gmjc-mxvq - php-ext.build-path traversal escapes PIE's vendor extract directory
  • GHSA-8xmh-xrvp-hwrf - WindowsInstall::copyExtraFile lacks destination containment check (Windows-only path traversal)
  • GHSA-p4j8-36rr-gjfq - Self-update attestation verification is scoped to --owner=php, not --repo=php/pie
Assets 8
Loading