Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability roundup 92: terraform-0.13.0: 1 advisory [9.8] #96829

Closed
1 task
ckauhaus opened this issue Aug 31, 2020 · 5 comments
Closed
1 task

Vulnerability roundup 92: terraform-0.13.0: 1 advisory [9.8] #96829

ckauhaus opened this issue Aug 31, 2020 · 5 comments
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one

Comments

@ckauhaus
Copy link
Contributor

search, files

Scanned versions: nixos-unstable: c59ea8b.

Cc @Chili-Man
Cc @babariviere
Cc @kalbasit
Cc @marsam
Cc @peterhoeg
Cc @zimbatm
@ckauhaus ckauhaus added the 1.severity: security Issues which raise a security issue, or PRs that fix one label Aug 31, 2020
@ckauhaus
Copy link
Contributor Author

See also: #94014, #93260

@arianvp
Copy link
Member

arianvp commented Sep 3, 2020

Bit of a confusing report on NVD. It's not terraform that's vulnerable but terraform-provider-aws which has a different versioning scheme

@ckauhaus
Copy link
Contributor Author

ckauhaus commented Sep 7, 2020

To the best of my knowledge, we don't package terraform-provider-aws.

@ckauhaus ckauhaus closed this as completed Sep 7, 2020
@sarcasticadmin
Copy link
Member

@ckauhaus The aws provider is package by nixpkgs:

nixpkgs/pkgs/applications/networking/cluster/terraform-providers/data.nix

Lines 75 to 82 in 241eef1

aws =
{
owner = "terraform-providers";
repo = "terraform-provider-aws";
rev = "v2.65.0";
version = "2.65.0";
sha256 = "005vs1qd6payicxldc9lr4w6kzr58xw9b930j52g1q7hlddl5mbb";
};

This issue should still be closed since according to NVD report it looks like its referencing a pretty old version of the aws provider:

aws/resource_aws_iam_user_login_profile.go in the HashiCorp Terraform Amazon Web Services (AWS) provider through v1.12.0

@ckauhaus
Copy link
Contributor Author

@sarcasticadmin Thank you for the pointer. I did not find the thing somehow.

@ckauhaus ckauhaus mentioned this issue Sep 21, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
1.severity: security Issues which raise a security issue, or PRs that fix one
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@arianvp @ckauhaus @sarcasticadmin