
paramiko PYSEC-2022-166 was fixed in 2.9.3 #100

Merged (2 commits), Sep 13, 2022

Conversation

@ktosiek (Contributor) commented Sep 13, 2022

According to https://www.paramiko.org/changelog.html CVE-2022-24302 was fixed in 2.9.3. This PR removes unaffected 2.9.* versions.

@westonsteimel (Collaborator) left a comment

Thanks @ktosiek! You'll also need to update the affected ranges to be something like this:

    events:
    - introduced: '0'
    - fixed: 2.9.3
    - introduced: 2.10.0
    - fixed: 2.10.1

@ktosiek (Contributor, Author) commented Sep 13, 2022

@westonsteimel Is there some way to check syntax after such change? Removing some lines was trivial, but this looks more involved (0 vs '0', multiple introduced/fixed pairs)

@westonsteimel (Collaborator) commented

> @westonsteimel Is there some way to check syntax after such change? Removing some lines was trivial, but this looks more involved (0 vs '0', multiple introduced/fixed pairs)

Unfortunately I don't think there are any specific actions yet that check the syntax, but we use the OSV schema. The quotes around the versions won't really matter here and the automation that runs after a commit is probably going to change it anyways (python and go don't agree on the default yaml string syntax and our automation uses a combination of both so it'll end up with whatever runs last.)

If you were to only remove the versions from the version array the automation will run and insert them back in because it looks at the affected version ranges and then queries PyPI to get all versions that fall in that range and inserts them into that array.
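Added example, not part of this PR or of the advisory-db automation: a small Python helper that evaluates an OSV-style `events` list (the `introduced`/`fixed` pairs suggested above, where a version is affected when `introduced <= v < fixed`) against a list of release strings, reproducing what the automation does when it rebuilds the `versions` array. It uses `packaging` for PEP 440 comparison when installed; the numeric-only fallback comparator, the hypothetical "wide range" events and the sample version list are assumptions, not data from the advisory or a live PyPI query.

```python
"""Evaluate OSV-style 'events' ranges against a list of release versions.

Hypothetical helper, not pypa/advisory-database tooling. KNOWN_VERSIONS is
a constructed sample list, not a live PyPI query.
"""
from typing import Dict, List, Optional, Tuple, Union

try:
    from packaging.version import Version  # full PEP 440 ordering if available
except ImportError:  # fallback (assumption): numeric dotted releases only
    class Version:  # type: ignore[no-redef]
        def __init__(self, text: str) -> None:
            parts = [int(p) for p in text.split(".")]
            while len(parts) > 1 and parts[-1] == 0:  # treat 2.9.0 as 2.9
                parts.pop()
            self.key = tuple(parts)

        def __lt__(self, other: "Version") -> bool:
            return self.key < other.key

        def __le__(self, other: "Version") -> bool:
            return self.key <= other.key

        def __eq__(self, other: object) -> bool:
            return isinstance(other, Version) and self.key == other.key

        def __hash__(self) -> int:
            return hash(self.key)

Event = Dict[str, Union[str, int]]
Range = Tuple[Version, Optional[Version]]


def ranges_from_events(events: List[Event]) -> List[Range]:
    """Pair each 'introduced' with the 'fixed' that follows it.

    str() is applied to every value, so a YAML bare 0 and a quoted '0'
    (the quoting difference discussed in this thread) compare identically.
    """
    ranges: List[Range] = []
    for ev in events:
        if "introduced" in ev:
            ranges.append((Version(str(ev["introduced"])), None))
        elif "fixed" in ev:
            if not ranges or ranges[-1][1] is not None:
                raise ValueError("'fixed' without a preceding open 'introduced'")
            ranges[-1] = (ranges[-1][0], Version(str(ev["fixed"])))
        else:
            raise ValueError(f"unsupported event: {ev}")
    return ranges


def is_affected(version: str, ranges: List[Range]) -> bool:
    """True if introduced <= version < fixed for any range (open-ended if no fixed)."""
    v = Version(version)
    return any(lo <= v and (hi is None or v < hi) for lo, hi in ranges)


def affected_versions(events: List[Event], known: List[str]) -> List[str]:
    """The versions the automation would write into the 'versions' array."""
    ranges = ranges_from_events(events)
    return [v for v in known if is_affected(v, ranges)]


def over_reported(wide: List[Event], corrected: List[Event], known: List[str]) -> List[str]:
    """Versions flagged by the wide range but not by the corrected one."""
    fixed_set = set(affected_versions(corrected, known))
    return [v for v in affected_versions(wide, known) if v not in fixed_set]


# Constructed sample of release strings (assumption, not a PyPI query).
KNOWN_VERSIONS = ["2.8.1", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.4",
                  "2.9.5", "2.10.0", "2.10.1", "2.11.0"]

# Hypothetical single wide range that would drag all 2.9.x back in.
WIDE_EVENTS: List[Event] = [{"introduced": 0}, {"fixed": "2.10.1"}]

# The two-range layout suggested in the review comment above.
CORRECTED_EVENTS: List[Event] = [{"introduced": "0"}, {"fixed": "2.9.3"},
                                 {"introduced": "2.10.0"}, {"fixed": "2.10.1"}]

if __name__ == "__main__":
    print("wide     :", affected_versions(WIDE_EVENTS, KNOWN_VERSIONS))
    print("corrected:", affected_versions(CORRECTED_EVENTS, KNOWN_VERSIONS))
    print("no longer flagged:", over_reported(WIDE_EVENTS, CORRECTED_EVENTS, KNOWN_VERSIONS))
```

Running it shows why editing only the `versions` array is not enough: with the single wide range the helper re-derives 2.9.3 through 2.10.0 as affected, while the two-range `events` list excludes exactly the 2.9.3, 2.9.4 and 2.9.5 releases the changelog reports as fixed.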

@westonsteimel (Collaborator) commented

You could refer to PYSEC-2020-160 as an example with multiple affected version ranges.

@westonsteimel (Collaborator) commented

Another option would be to submit the improvement request to GitHub's advisory database using their nice UI: https://github.com/advisories/GHSA-f8q4-jwww-x3wv/improve and then you could look at the json it generates in the PR and use that to update the YAML here (they render as OSV in the json files)

@westonsteimel (Collaborator) commented

Unfortunately we don't yet have automation to pull updates from GitHub Advisory database in automatically. It's on the wishlist though: google/osv.dev#254

@ktosiek (Contributor, Author) commented Sep 13, 2022

Thank you for the explanation! I've added the change you've suggested, and opened a PR on github/advisory-database too: github/advisory-database#668

@westonsteimel westonsteimel merged commit 9c1d4b5 into pypa:main Sep 13, 2022
@westonsteimel (Collaborator) commented

Thanks so much for the contributions!
