Improve GHSA-gwrp-pvrq-jmwv #3442
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The 2 vulnerable versions just added in cda19d9 result from manual checks, with results in https://github.com/jensdietrich/xshady-release/tree/main/CVE-2021-29425/VULN-CONFIRMED-MANUALLY. |
GHSA-22cq-cq7f-8jm3 GHSA-q868-g69p-72cw GHSA-qfcf-2jfw-4cm8 GHSA-j2m5-w7qp-hqg7 GHSA-23vj-5jhc-26rp GHSA-3m5x-qv26-v6mr GHSA-6c6g-97p2-3xrq GHSA-9jrj-9rp7-5gh2 GHSA-c774-q93c-r26f GHSA-hg4h-2m22-83j4 GHSA-j6rc-chh6-q5hw GHSA-prfg-cph5-wq68 GHSA-xm85-mgcm-6w3f GHSA-4742-9c9c-4wf7 GHSA-7x7g-p6hc-7cp3 GHSA-98mf-83qw-2xg8 GHSA-c254-v996-g238 GHSA-68mg-jchw-j7f7 GHSA-h9fx-g2cp-w46c GHSA-mgj3-mgvf-x3r8 GHSA-m293-hr45-hwwr GHSA-mmc3-qp8j-6fpj GHSA-wj9m-8xm4-fx2j GHSA-x848-fc4r-xcw9
|
Thanks @darakian, the discussion link was very helpful and also simplifies things on my end. I've dropped Something strange has happened with my latest push -- I'll close this PR and start a fresh one. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Updates
Comments
Several other components are also affected as a result of cloning (copying source code) or shading (copying source code and renaming packages). Proof-of-Vulnerability projects with tests to verify the presence of the CVE can be found here: https://github.com/jensdietrich/xshady-release/.
See #2258, especially #2258 (comment), for more details.
Note: Given that attempting to specify a multiple versions in a
versionsarray results in the error "Explicitly listing more than one affected version is not currently supported. Use range events instead", but using range events instead would lead to ambiguity for affected packages for which no fixed version yet exists, for each such package added in this PR, we instead add an affected package per version as suggested here. For the single affected package for which a fixed version does already exist (namely,org.checkerframework.annotatedlib:commons-io), arangesarray containing afixedentry was used instead of aversionsarray.