paramiko PYSEC-2022-166 was fixed in 2.9.3 #100
Conversation
According to https://www.paramiko.org/changelog.html CVE-2022-24302 was fixed in 2.9.3. This PR removes unaffected 2.9.* versions.
Thanks @ktosiek ! You'll also need to update the affected ranges to be something like this:

```yaml
events:
  - introduced: '0'
  - fixed: 2.9.3
  - introduced: 2.10.0
  - fixed: 2.10.1
```
@westonsteimel Is there some way to check syntax after such change? Removing some lines was trivial, but this looks more involved.
Unfortunately I don't think there are any specific actions yet that check the syntax, but we use the OSV schema. The quotes around the versions won't really matter here and the automation that runs after a commit is probably going to change it anyways (python and go don't agree on the default yaml string syntax and our automation uses a combination of both so it'll end up with whatever runs last). If you were to only remove the versions from the version array the automation will run and insert them back in, because it looks at the affected version ranges and then queries PyPI to get all versions that fall in that range and inserts them into that array.

You could refer to PYSEC-2020-160 as an example with multiple affected version ranges.

Another option would be to submit the improvement request to GitHub's advisory database using their nice UI: https://github.com/advisories/GHSA-f8q4-jwww-x3wv/improve and then you could look at the json it generates in the PR and use that to update the YAML here (they render as OSV in the json files).

Unfortunately we don't yet have automation to pull updates from GitHub Advisory database in automatically. It's on the wishlist though: google/osv.dev#254
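The comments above describe two things: how the OSV `events` list (introduced/fixed pairs) expresses the affected ranges for PYSEC-2022-166, and how the repository automation regenerates the `versions` array by checking each PyPI release against those ranges. The following script is an added illustration of that evaluation, not code from pypa/advisory-database or its automation. It assumes plain numeric release strings (no PEP 440 pre-release or post-release suffixes), treats the events as already listed in ascending version order as in the snippet above, and uses a constructed list of version strings in place of a live PyPI query.

```python
"""Evaluate OSV ECOSYSTEM range events against a list of package versions.

Added example (not part of the advisory-database project or its automation).
The EVENTS list is the range suggested in the thread for PYSEC-2022-166; the
version list is constructed for the example rather than fetched from PyPI.
"""

# Range events as suggested in the thread: two affected spans, each closed
# by the release that fixed it. '0' means "from the first release ever".
EVENTS = [
    {"introduced": "0"},
    {"fixed": "2.9.3"},
    {"introduced": "2.10.0"},
    {"fixed": "2.10.1"},
]

# Constructed stand-in for the release list the automation would get from PyPI.
SAMPLE_PYPI_VERSIONS = [
    "2.8.1", "2.9.0", "2.9.1", "2.9.2", "2.9.3", "2.9.4", "2.9.5",
    "2.10.0", "2.10.1", "2.10.2", "2.11.0",
]


def parse_version(text):
    """Parse a plain dotted numeric version into a comparable tuple.

    Assumption: releases look like 2.9.3. Real tooling should use a PEP 440
    parser so that pre-releases and post-releases compare correctly.
    """
    return tuple(int(part) for part in text.split("."))


def affected_spans(events):
    """Turn OSV events into half-open [introduced, fixed) spans.

    An 'introduced' event opens an affected span and the next 'fixed' event
    closes it; the fixed version itself is NOT affected. An 'introduced'
    that is never followed by 'fixed' is open-ended (upper bound None).
    Events are assumed to be listed in ascending version order.
    """
    spans = []
    open_lower = None
    for event in events:
        if "introduced" in event:
            if open_lower is not None:
                # Previous span never got a fix: it runs to infinity.
                spans.append((open_lower, None))
            raw = event["introduced"]
            open_lower = (0,) if raw == "0" else parse_version(raw)
        elif "fixed" in event:
            if open_lower is None:
                raise ValueError("'fixed' event without a preceding 'introduced'")
            spans.append((open_lower, parse_version(event["fixed"])))
            open_lower = None
        else:
            raise ValueError("unsupported event: %r" % (event,))
    if open_lower is not None:
        spans.append((open_lower, None))
    return spans


def is_affected(version, spans):
    """True if the version falls inside any affected span."""
    v = parse_version(version)
    return any(low <= v and (high is None or v < high) for low, high in spans)


def affected_versions(events, known_versions):
    """What the automation's 'versions' array would contain for these events."""
    spans = affected_spans(events)
    return [v for v in known_versions if is_affected(v, spans)]


if __name__ == "__main__":
    for span in affected_spans(EVENTS):
        print("affected span:", span)
    print("versions array:", affected_versions(EVENTS, SAMPLE_PYPI_VERSIONS))
```

With the two-span range from the thread, 2.9.3 through 2.9.5 drop out of the generated `versions` array while 2.10.0 stays in; with the original single open range they would all have been re-inserted, which is why editing the `versions` array alone was not enough.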
Thank you for the explanation! I've added the change you've suggested, and opened a PR on github/advisory-database too: github/advisory-database#668

Thanks so much for the contributions!