Bump dompdf/dompdf from 0.6.1 to 0.6.2 by dependabot[bot] · Pull Request #2 · DecabyteProject/MepContCR

Bumps dompdf/dompdf from 0.6.1 to 0.6.2.

Release notes

Sourced from dompdf/dompdf's releases.

DOMPDF 0.6.2

This release is superseded by version 0.7.0

This is a security-focused release that addresses a number of vulnerabilities that can expose your system to exploitation. In tandem with this release we have also posted a document to the wiki with advice for securing dompdf. Please read the new document and take appropriate measures to protect your systems.

We urge all users to upgrade to this release if you are using dompdf 0.6.1 or earlier.

Change Summary for 0.6.2

This update addresses the following announced vulnerabilities:

| Vulnerability | Reference | Type | Severity |
| --- | --- | --- | --- |
| Remote Code Execution (complement of CVE-2014-2383) | CVE-2014-5013 | Remote Code Execution | Low; Critical (depending on configuration) |
| Denial Of Service Vector | CVE-2014-5012 | Information Disclosure | Medium |
| Information Disclosure | CVE-2014-5011 | Information Disclosure | Medium |
| Arbitrary file read in dompdf using PHP stream filters | CVE-2014-2383 | Information Disclosure | Medium |

Change Summary for 0.6.1

  • Removed pre-processing of PHP code when DOMPDF_ENABLE_PHP is true (this does not affect embedded script).
  • Prior to this release dompdf was vulnerable to an information disclosure vulnerability. Thanks to Portcullis Computer Security Ltd. for reporting the issue. See the security advisory for additional details: Arbitrary file read in dompdf.

This update addresses the following announced vulnerabilities:

| Vulnerability | Reference | Type | Severity |
| --- | --- | --- | --- |
| Arbitrary file read in dompdf using PHP stream filters | CVE-2014-2383 | Information Disclosure | Medium |
| PHP remote file inclusion vulnerability in dompdf.php | CVE-2010-4879 | Remote File Inclusion | Low; Critical (depending on configuration) |

Change Summary for 0.6.0

  • Fonts: Full Unicode support (with embedded fonts); DejaVu fonts pre-installed; php-font-lib now provides font handling and sub-setting
  • CSS: float support, border radius, transparency, @page, @font-face, generated content, fixed-positioning, transformations
  • HTML: HTML5 Parser cleans your HTML syntax
  • Images: Expanded image handling (including alpha transparency); added support for Data-URI image sources
  • Performance improvements
  • The project is now hosted on GitHub (the Google Code project is being temporarily maintained).

Download Instructions

Click the link labeled "dompdf-0.6.2.zip" to download the packaged release. The two buttons labeled "Source code" are auto-generated by GitHub and do not include all the necessary files.

Commits
  • cc06008 Restrict access to sensitive www content to authenticated users
  • aa3d3a2 Remove support for loading document using the data-uri protocol
  • adeb2b8 Update dompdf_config.inc.php
  • a0eb016 Remove donation note from 'Limitations' section
  • ab40683 Merge branch '0.6.2-hotfix'
  • b09e8e9 Use lowercase protocol strings
  • f50826e Prettify font family cache export
  • bd729c7 Limit www content access
  • 240c2f2 Limit supported at-font-face font formats
  • 50e1ba7 Simplify rendered image processing error message
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.