GHSA-9cxr-76pm-j3wf: more accurate version ranges #5234
Conversation
108b91c to 73b9d0d
Based on the machine-readable ranges in https://www.cve.org/CVERecord?id=CVE-2024-53299
73b9d0d to 5648328
I'm not seeing the new fix versions you're suggesting listed in the json
I agree the notation for this one is a bit unusual, but I read
{
  "status" : "affected",
  "version" : "8.0.0-M1",
  "lessThanOrEqual" : "8.16.*"
}
as meaning 8.17.0 would be outside of this range (and outside the others as well), so once it gets released, it would be unaffected (https://github.com/CVEProject/cve-schema/blob/main/schema/docs/versions.md#version-status-decisions). What do you think?
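To make the range reading above concrete, here is an added example (not code from this PR, the advisory database, or the cve-schema project) that evaluates a CVE JSON 5.x `versions` list for a given version. It follows my reading of the linked versions.md: an entry is a range that starts at `version`, is bounded above by `lessThan` (exclusive) or `lessThanOrEqual` (inclusive), a trailing `*` stands for an arbitrarily large number (so `8.16.*` covers every 8.16.x and nothing from 8.17 on), an entry without an upper bound names a single version and takes precedence over ranges, and anything no entry covers takes `defaultStatus`. The sample product below is constructed from the one entry quoted in the thread; the real CVE-2024-53299 record carries more entries, and the `defaultStatus` of `"unaffected"` is an assumption made for the example.

```python
"""Decide which versions a CVE JSON 5.x affected[] product marks as affected.

Added example: not code from the PR, the advisory database or the cve-schema
project. It implements one reading of the version-status rules in
cve-schema's versions.md; the handling of pre-release suffixes (-M1) and
the zero-padding of short versions are simplifications made here.
"""
import re

_INF = float("inf")  # stands in for a trailing '*': an arbitrarily large number


def parse_version(text):
    """'8.0.0-M1' -> ((8, 0, 0), 0, 'M1'); '8.16.*' -> ((8, 16, inf), 1, '').

    The middle element orders a pre-release before its final release
    (8.0.0-M1 < 8.0.0). Suffixes are compared as plain strings, which is
    a simplification (M10 would sort before M2).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(\.\*)?(?:-(.+))?", text)
    if not m:
        raise ValueError(f"cannot parse version {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    if m.group(2):  # wildcard component
        nums += (_INF,)
    suffix = m.group(3)
    return (nums, 1 if suffix is None else 0, suffix or "")


def compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Shorter numeric tuples are zero-padded, so 8.16 compares equal to 8.16.0.
    """
    (an, ar, asfx), (bn, br, bsfx) = parse_version(a), parse_version(b)
    width = max(len(an), len(bn))
    ka = (an + (0,) * (width - len(an)), ar, asfx)
    kb = (bn + (0,) * (width - len(bn)), br, bsfx)
    return (ka > kb) - (ka < kb)


def in_entry(version, entry):
    """True when `version` lies in one versions[] entry."""
    if compare(version, entry["version"]) < 0:
        return False
    if "lessThan" in entry:
        return compare(version, entry["lessThan"]) < 0
    if "lessThanOrEqual" in entry:
        return compare(version, entry["lessThanOrEqual"]) <= 0
    # No upper bound: the entry names exactly one version.
    return compare(version, entry["version"]) == 0


def status_of(version, product):
    """Status of `version` for one affected[] product.

    Single-version entries are checked before ranges so that a specific
    entry can override an overlapping range; if nothing matches,
    defaultStatus applies.
    """
    entries = product.get("versions", [])
    singles = [e for e in entries if "lessThan" not in e and "lessThanOrEqual" not in e]
    ranges = [e for e in entries if e not in singles]
    for entry in singles + ranges:
        if in_entry(version, entry):
            return entry["status"]
    return product.get("defaultStatus", "unknown")


# Constructed sample: only the entry quoted in the thread. The real
# CVE-2024-53299 record lists further ranges, and the defaultStatus here
# is an assumption for the example.
SAMPLE_PRODUCT = {
    "defaultStatus": "unaffected",
    "versions": [
        {"status": "affected", "version": "8.0.0-M1", "lessThanOrEqual": "8.16.*"},
    ],
}

if __name__ == "__main__":
    for v in ("7.19.0", "8.0.0-M1", "8.16.4", "8.17.0"):
        print(v, status_of(v, SAMPLE_PRODUCT))
```

Run as a script it prints the status of each probed version; with the constructed list, 8.16.4 and the 8.0.0-M1 start of the range come back affected, while 8.17.0 falls past the `8.16.*` bound and 7.19.0 lies below the range start, so both fall through to `defaultStatus`.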
I can see that reasoning for sure, but
The 8.17.0 release process is in progress (https://lists.apache.org/thread/2qjovt1b8pqmyng07j00nso7fsw46vkf). I'm not sure about 7.19.0, indeed that version line is EOL but if it'd ever get released presumably it'd have the fix.
I think for 7.19.0 maybe we wait for an actual release to be made. For 8.17.0, do we know for certain that the bug is fixed? I took a quick look and the original mailing list link is sadly lacking in detail. You don't have any other references that link the CVE to this jira ticket or which expand on the core issue, do you?
I'll ask, though possibly they kept that obscure intentionally in order to avoid making things too easy for malicious actors. I generally trust the advisory is likely accurate ;)
If you know the author(s) and can provide some public reference that would be amazing 🙇