downport CVE-2020-8244 to major version 1.x.x #89
Is it possible to downport the fix for CVE-2020-8244 to versions 1.x.x, as many packages use it?
As far as I can see from https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244 it is fixed in 4.0.3, 3.0.1 and 2.2.1 already.
Comments
yikes, we don't even have a 1.x branch, but I suppose this isn't unreasonable, 👍 I suppose
I've cut a release but the CVE is not going to mention it unless someone gets it updated. I'm also not sure where the authoritative source of data on versions is these days that everyone (including GitHub) uses to determine safe versions and whether that can be easily updated. If someone wants to chase that down and reference #90 to get it updated, that might be appreciated by some folks. Or @mcollina might just do it since he's plugged in to all that stuff.
I ran into a very similar issue a couple of weeks ago. https://twitter.com/trott/status/1295032015960412163 I'll see if using https://cveform.mitre.org/ works for this one too.
@rvagg I've submitted the information to MITRE and included the two personal email addresses I have for you in the description field in case they had any questions.
As for getting the version vulnerability updated by GitHub (so dependabot can get a break, or at least succeed in updating people automatically), I'm not sure how to do that, but I bet @andreeleuterio and/or @ruyadorno would be able to say.
Thanks @Trott !
Hey folks, I have updated the respective advisories in both github.com/advisories and npmjs.com/advisories. The CVE was requested through HackerOne, so the update goes through them. Let me know if I can help with anything else!
Thanks @andreeleuterio!