Drupal Vulnerability: Urgent Action Required

This site runs Drupal 8.6.1, so action is required.
The fix is to update to Drupal 8.6.2, but there are cases where a particular cause prevents the update from going through.
That is the subject of this article.

Checking for updates

First, check for available updates.

$ composer outdated drupal/*
    1/11:       https://packages.drupal.org/8/drupal/provider-2017-1$6a0ffee803074f85507b3157dea63fd79a714a7ae35585d52e2c66c2f6bb1904.json
    2/11:       https://packages.drupal.org/8/drupal/provider-2017-2$b963545f90f1a7a8084354e75480677c0d07fbe898820ef17402a9c9608dfb90.json
    3/11:       https://packages.drupal.org/8/drupal/provider-2016-1$c5f76227a6e8a6aba67288ea480dbc8e606c009b0a8964641edcb390ea1d098a.json
    4/11:       https://packages.drupal.org/8/drupal/provider-2016-4$4eb5e8e839b5db22ba51092da9d0724e07be905dee0ae4741f7f2f6c9495a914.json
    5/11:       https://packages.drupal.org/8/drupal/provider-2017-4$582058e1f6453cebebcb496f990906b77b455309c48dcfa2b528b11d2dae0fce.json
    6/11:       https://packages.drupal.org/8/drupal/provider-2015-3$1bc624a4ce7a0b2ffb956e1eb79b5e2124774253bd73cc3eb37299bdbd1e9c56.json
    7/11:       https://packages.drupal.org/8/drupal/provider-2016-3$f4a583d3275ee55f8e2dcc21e36b758e26031ed841203f85f0a58872e1fc1488.json
    8/11:       https://packages.drupal.org/8/drupal/provider-2018-1$c1c25bb3987a4e50dbe7377bb4473aac5c5aaf8f8b0ebfffcdd4bad1371aae29.json
    9/11:       https://packages.drupal.org/8/drupal/provider-2017-3$c867e183eb759b6da332822bc6da597caa7b69df1f67ce19021d19ec5f644bd6.json
    10/11:      https://packages.drupal.org/8/drupal/provider-2018-2$642fe23a8cf12ab6fa83a6bfa0fb0673fb1cf612e71ae8f4e8dcc1d6c40df29a.json
    11/11:      https://packages.drupal.org/8/drupal/provider-2018-3$0fdf69b8cdcf06d79678756c961aa066a185bcda1549f6d40b2a5fc1e27a9377.json
    Finished: success: 11, skipped: 0, failure: 0, total: 11
    1/11:       https://packagist.jp/p/provider-archived$0354f87676e19d823da761d51965b0314596022b4811df4888f45c14d37b154f.json
    2/11:       https://packagist.jp/p/provider-2018-10$be19068489fc5866a0a3a02cff1d4bc18598ab3c1056cc78d13208d354fd8ac4.json
    3/11:       https://packagist.jp/p/provider-2013$d27cd1aa6c7201cfe13c2133f98499487407365cdab2d9abbbb28fd917589eaf.json
    4/11:       https://packagist.jp/p/provider-2014$f0f70c9abc35d7a4d992c44dc56205ab957aabc850ce95958c8f78acc41fb141.json
    5/11:       https://packagist.jp/p/provider-2018-01$2b51efe41f8a526d787ce7025b47075be4890237e67d52e4ad4405fd92b1aedb.json
    6/11:       https://packagist.jp/p/provider-latest$5542f55fd84d02d0f02d876c8597f5078c5d043864cbd10f311557267cc2759e.json
    7/11:       https://packagist.jp/p/provider-2018-04$d13edbe8867e05832bb19089e980d778191613fda08f359edc09487247f64e6c.json
    8/11:       https://packagist.jp/p/provider-2015$8b09f92ad791bcee7a38c1a3984fb75240cd5b179a1e261700ded2613954e889.json
    9/11:       https://packagist.jp/p/provider-2018-07$3d07a42fb32a246027a73c04c1d1650462b8450112a3566ddce2efa5ee3e6ca3.json
    10/11:      https://packagist.jp/p/provider-2016$2355f2ad371a820c19dabd66200f81aefa59f6bbcba80e3c09e7898bc4860815.json
    11/11:      https://packagist.jp/p/provider-2017$5e9c2b9756acfaff25ff04d9d6d3eadc16bd5120970cb56d5f43976620d5177a.json
    Finished: success: 11, skipped: 0, failure: 0, total: 11
drupal/core     8.6.1           8.6.2           Drupal is an open source content management plat...
drupal/insert   2.x-dev 126ab17 2.x-dev 239404b Assists in inserting files, images, or other med...
drupal/redirect 1.2.0           1.3.0           Allows users to redirect from old URLs to new URLs.

Security updates like this one can also be checked with the following command.

$ drush pm:security
 [warning] One or more of your dependencies has an outstanding security update. Please apply update(s) immediately.
 [notice] Try running: composer require drupal/core:^8.6.2 --update-with-dependencies
 [notice] If that fails due to a conflict then you must update one or more root dependencies.
+-------------+-------------------+-------------------+
| Name        | Installed Version | Suggested version |
+-------------+-------------------+-------------------+
| drupal/core | 8.6.1             | 8.6.2             |
+-------------+-------------------+-------------------+

Running the update

Let's run the command shown in the [notice] line to perform the update.

$ composer require drupal/core:^8.6.2 --update-with-dependencies
    1/4:        https://packages.drupal.org/8/drupal/provider-2018-1$f34c775e37faa628c1a1fe9ccc6f16cd0fea8108decd031e7e1083b7f64dfbcf.json
    2/4:        https://packages.drupal.org/8/drupal/provider-2017-2$3ff35647977f22e6ab98a676052b1e52cc96693edbfd9f0f7016e5b07d1ca303.json
    3/4:        https://packages.drupal.org/8/drupal/provider-2016-2$a1f7834c3371200ce5e089b8d15de8d796ef19a3c00e4bd7d6fd916d2b244b99.json
    4/4:        https://packages.drupal.org/8/drupal/provider-2018-3$d5cea34c92017282de229303467235c4482f9d4d8aa41f373baf77924d6af822.json
    Finished: success: 4, skipped: 0, failure: 0, total: 4
    1/9:        https://packagist.jp/p/provider-2013$6fc8fd2aaad51ea5a9d5da53013a811cc0369e10fefec4c377d25f50b31aa9dc.json
    2/9:        https://packagist.jp/p/provider-2014$2113e34a438b421ef95182384cd179602dcda68cbf3ff5e3f430f1fe8fea5066.json
    3/9:        https://packagist.jp/p/provider-2018-04$979a721deff28b00eeff139d820cf0f606bf4f1c677d86cc25fc765e02dfe67f.json
    4/9:        https://packagist.jp/p/provider-2018-10$bfdb3aa4aee180ebd3f91ef3f76e0e39874caf7ceb204641aebf968f854e5e1b.json
    5/9:        https://packagist.jp/p/provider-latest$9a2a5fddfaedffc30e818c2c734bcfe13c5e6a60a7a688dbe9480587de974479.json
    6/9:        https://packagist.jp/p/provider-2016$1961901705b8860b6437e0f945f3aead57b4500d5372a1414d78749eefa9a7ba.json
    7/9:        https://packagist.jp/p/provider-2018-01$8b1e8ed6f55056cc86343f7e338b8c205d52a9d3411de876cede4ca3325d4c84.json
    8/9:        https://packagist.jp/p/provider-2018-07$c1d3b3946e2d0417e4b5150e2407eb3e33bbf80fd1237c11a7fe2abffc409c88.json
    9/9:        https://packagist.jp/p/provider-2017$727799aed3196576c46bc320761e463772728bc507375149f1653c9edbb59727.json
    Finished: success: 9, skipped: 0, failure: 0, total: 9
./composer.json has been updated
> DrupalProject\composer\ScriptHandler::checkComposerVersion
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - webflo/drupal-core-require-dev 8.6.1 requires drupal/core 8.6.1 -> satisfiable by drupal/core[8.6.1] but these conflict with your requirements or minimum-stability.
    - webflo/drupal-core-require-dev 8.6.1 requires drupal/core 8.6.1 -> satisfiable by drupal/core[8.6.1] but these conflict with your requirements or minimum-stability.
    - webflo/drupal-core-require-dev 8.6.1 requires drupal/core 8.6.1 -> satisfiable by drupal/core[8.6.1] but these conflict with your requirements or minimum-stability.
    - Installation request for webflo/drupal-core-require-dev (locked at 8.6.1, required as ^8.6) -> satisfiable by webflo/drupal-core-require-dev[8.6.1].


Installation failed, reverting ./composer.json to its original content.

The result: failure.

$ composer require drupal/core:8.6.2 --update-with-dependencies
    1/3:        https://packagist.jp/p/provider-latest$2cf79dffb21ecd4e12ed5db055ad2a36e0f1d7285f40dad96db39f090ed65628.json
    2/3:        https://packagist.jp/p/provider-2018-04$e0c8bed6a6f523063c41ab90130e3091a1cde284969f4d2a389a42fde617ac9f.json
    3/3:        https://packagist.jp/p/provider-2018-07$8096ccbc1f511cefbf6ca9fd3f15d3d31db0431c3979416d4254754225b39e3c.json
    Finished: success: 3, skipped: 0, failure: 0, total: 3
./composer.json has been updated
> DrupalProject\composer\ScriptHandler::checkComposerVersion
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - webflo/drupal-core-require-dev 8.6.1 requires drupal/core 8.6.1 -> satisfiable by drupal/core[8.6.1] but these conflict with your requirements or minimum-stability.
    - webflo/drupal-core-require-dev 8.6.1 requires drupal/core 8.6.1 -> satisfiable by drupal/core[8.6.1] but these conflict with your requirements or minimum-stability.
    - webflo/drupal-core-require-dev 8.6.1 requires drupal/core 8.6.1 -> satisfiable by drupal/core[8.6.1] but these conflict with your requirements or minimum-stability.
    - Installation request for webflo/drupal-core-require-dev (locked at 8.6.1, required as ^8.6) -> satisfiable by webflo/drupal-core-require-dev[8.6.1].


Installation failed, reverting ./composer.json to its original content.

This fails too.

I also tried the following command, but:

$ composer update drupal/core webflo/drupal-core-require-dev symfony/* --with-dependencies
> DrupalProject\composer\ScriptHandler::checkComposerVersion
Package "symfony/*" listed for update is not installed. Ignoring.
Loading composer repositories with package information
Updating dependencies (including require-dev)
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - webflo/drupal-core-require-dev 8.6.2 requires drupal/core 8.6.2 -> satisfiable by drupal/core[8.6.2] but these conflict with your requirements or minimum-stability.
    - Conclusion: remove drupal/core 8.6.1
    - Conclusion: don't install drupal/core 8.6.1
    - webflo/drupal-core-require-dev 8.6.x-dev requires drupal/core 8.6.x-dev -> satisfiable by drupal/core[8.6.x-dev].
    - webflo/drupal-core-require-dev 8.7.x-dev requires drupal/core 8.7.x-dev -> satisfiable by drupal/core[8.7.x-dev].
    - Can only install one of: drupal/core[8.6.x-dev, 8.6.1].
    - Can only install one of: drupal/core[8.7.x-dev, 8.6.1].
    - Installation request for drupal/core 8.6.1 -> satisfiable by drupal/core[8.6.1].
    - Installation request for webflo/drupal-core-require-dev ^8.6.2 -> satisfiable by webflo/drupal-core-require-dev[8.6.2, 8.6.x-dev, 8.7.x-dev].

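As you can see, it fails.

Fixing composer.json

The messages in this output contain a hint: in both cases the cause appears to be that the version is pinned to "8.6.1".
So let's check the contents of composer.json.
Look at composer.json, the project setup file in the web root directory. If a version is pinned to an exact value such as "8.6.1", as shown below, the update fails.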

Item 1

The require key
"drupal/core": "8.6.1",

Item 2

The require-dev key
"webflo/drupal-core-require-dev": "8.6.1"

Change both of these from "8.6.1" to "^8.6".
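
A check for this situation, as an added example that is not part of the original article: the script scans a composer.json for constraints on drupal/core and webflo/drupal-core-require-dev that reject the 8.6.2 release. The sample document, the function names and the limited constraint support (exact versions and caret ranges only) are assumptions of this example.

```python
import json

# Constructed sample mirroring the two pinned entries described above.
SAMPLE = json.loads("""
{
  "require": {"drupal/core": "8.6.1", "drupal/redirect": "^1.2"},
  "require-dev": {"webflo/drupal-core-require-dev": "8.6.1"}
}
""")

# Versions the security update needs to be installable.
TARGETS = {"drupal/core": "8.6.2", "webflo/drupal-core-require-dev": "8.6.2"}

def parse(version):
    """Turn '8.6' or '8.6.2' into a tuple of ints, zero-padded to 3 parts."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def allows(constraint, target):
    """True/False if the constraint admits target; None if not understood.

    Only exact versions ('8.6.1') and caret ranges ('^8.6') are handled.
    """
    c = constraint.strip()
    try:
        want = parse(target)
        if c.startswith("^"):
            low = parse(c[1:])
            if low[0] == 0:
                return None  # 0.x caret rules differ; not handled here
            # Caret: at least the lower bound, same major version.
            return low <= want and want[0] == low[0]
        return parse(c) == want
    except ValueError:
        return None  # e.g. '2.x-dev' or other constraint syntax

def blocking_pins(composer, targets):
    """Return (section, package, constraint) entries that reject the target."""
    found = []
    for section in ("require", "require-dev"):
        for pkg, constraint in composer.get(section, {}).items():
            if pkg in targets and allows(constraint, targets[pkg]) is False:
                found.append((section, pkg, constraint))
    return found

if __name__ == "__main__":
    for section, pkg, constraint in blocking_pins(SAMPLE, TARGETS):
        print(f"{section}: {pkg} is pinned to {constraint}, blocks {TARGETS[pkg]}")
```

To run it against a real project, load the file with `json.load(open("composer.json"))` and pass the result in place of `SAMPLE`.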

Running the update

Run the update with the modified composer.json.

$ composer update drupal/core webflo/drupal-core-require-dev symfony/* --with-dependencies
    1/1:        https://packages.drupal.org/8/drupal/provider-2018-3$80d7e040ac1ea4286d2eed2bae6f2ab7b4db10f96daf2a65f2b0448fed33c5b8.json
    Finished: success: 1, skipped: 0, failure: 0, total: 1
    1/1:        https://packagist.jp/p/provider-latest$709b324fd74a816cbff6dc1ab64335194e42b3b5f9a01d9c0fd4c1ee2226795f.json
    Finished: success: 1, skipped: 0, failure: 0, total: 1
> DrupalProject\composer\ScriptHandler::checkComposerVersion
Package "symfony/*" listed for update is not installed. Ignoring.
Loading composer repositories with package information
Updating dependencies (including require-dev)
    1/2:        https://codeload.github.com/webflo/drupal-core-require-dev/legacy.zip/3fa727e875f73906f7e9325619b540f7012876ee
    2/2:        https://codeload.github.com/drupal/core/legacy.zip/356292934802bb1aecc478e88a3cba77442d7c62
    Finished: success: 2, skipped: 0, failure: 0, total: 2
Package operations: 0 installs, 2 updates, 0 removals
  - Updating drupal/core (8.6.1 => 8.6.2):  Checking out 3562929348
Writing lock file
Generating autoload files
  - Downloading 1/16: https://cgit.drupalcode.org/drupal/plain/web.config
  - Downloading 2/16: https://cgit.drupalcode.org/drupal/plain/sites/example.settings.local.php
  - Downloading 3/16: https://cgit.drupalcode.org/drupal/plain/sites/default/default.services.yml
  - Downloading 4/16: https://cgit.drupalcode.org/drupal/plain/robots.txt
  - Downloading 5/16: https://cgit.drupalcode.org/drupal/plain/sites/default/default.settings.php
  - Downloading 6/16: https://cgit.drupalcode.org/drupal/plain/.htaccess
  - Downloading 7/16: https://cgit.drupalcode.org/drupal/plain/index.php
  - Downloading 8/16: https://cgit.drupalcode.org/drupal/plain/update.php
  - Downloading 9/16: https://cgit.drupalcode.org/drupal/plain/sites/development.services.yml
  - Downloading 10/16: https://cgit.drupalcode.org/drupal/plain/sites/example.sites.php
  - Downloading 11/16: https://cgit.drupalcode.org/drupal/plain/.gitattributes
  - Downloading 12/16: https://cgit.drupalcode.org/drupal/plain/.eslintrc.json
  - Downloading 13/16: https://cgit.drupalcode.org/drupal/plain/.ht.router.php
  - Downloading 14/16: https://cgit.drupalcode.org/drupal/plain/.eslintignore
  - Downloading 15/16: https://cgit.drupalcode.org/drupal/plain/.editorconfig
  - Downloading 16/16: https://cgit.drupalcode.org/drupal/plain/.csslintrc
> DrupalProject\composer\ScriptHandler::createRequiredFiles

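This time it succeeded.

Why does the version end up pinned?

The first likely cause is that the previous update was performed with a pinned version.
The next possibility is that composer.json was edited directly to pin the version.

That concludes this example of an update being blocked because dependencies are checked against the contents of composer.json.

Note: uninstalling webflo/drupal-core-require-dev would probably stop the dependency from blocking updates, but I don't recommend it unless you have a specific reason.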