
[GHSA-c438-8cvq-pxxx] Apache Tapestry Unsafe Object Storage #4244

Open
wants to merge 1 commit into
base: MarkLee131/advisory-improvement-4244

Conversation

MarkLee131

Updates

  • Affected products
  • References

Comments
Add a patch, apache/tapestry-5@95846b1, whose commit message is "TAP5-2008: Implement HMAC signatures on object streams stored on the client", the same commit message as the existing patch commit in the current reference links.
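The fix referenced above attaches an HMAC to object streams handed to the client so that the server can detect tampering before deserializing them. The following is an added illustration of that pattern in Python, not code from Tapestry or from this pull request: `pickle` stands in for Java serialization, and the key, function names and blob layout (32-byte HMAC-SHA256 tag followed by the payload) are assumptions made for the example.

```python
import hashlib
import hmac
import pickle
import secrets

# Constructed example key; a real deployment would load a persistent server-side secret.
SECRET_KEY = secrets.token_bytes(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def sign_stream(payload: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Return tag || payload: the client may hold the blob but cannot alter it unnoticed."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return tag + payload


def open_stream(blob: bytes, key: bytes = SECRET_KEY) -> bytes:
    """Verify the tag in constant time and return the payload, or raise before any deserialization."""
    if len(blob) < TAG_LEN:
        raise ValueError("object stream too short to carry a signature")
    tag, payload = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("object stream signature mismatch; refusing to deserialize")
    return payload


def store_object(obj, key: bytes = SECRET_KEY) -> bytes:
    """Serialize an object for client-side storage and sign the resulting stream."""
    return sign_stream(pickle.dumps(obj), key)


def load_object(blob: bytes, key: bytes = SECRET_KEY):
    """Deserialize only a stream whose signature verifies; the unsafe call never sees forged input."""
    return pickle.loads(open_stream(blob, key))


def tamper(blob: bytes, offset: int) -> bytes:
    """Flip one bit of the blob at the given offset (used to show detection of a modified stream)."""
    return blob[:offset] + bytes([blob[offset] ^ 0x01]) + blob[offset + 1:]


if __name__ == "__main__":
    blob = store_object({"user": "alice", "role": "viewer"})
    print(load_object(blob))
    try:
        load_object(tamper(blob, TAG_LEN + 4))  # modify the payload, keep the old tag
    except ValueError as exc:
        print("rejected:", exc)
```

The essential ordering is that the signature is checked before the stream reaches the deserializer; verifying afterwards would leave the deserialization step itself exposed to attacker-controlled input.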

@github-actions github-actions bot changed the base branch from main to MarkLee131/advisory-improvement-4244 April 12, 2024 06:39
@shelbyc

shelbyc commented Apr 16, 2024

Hi @MarkLee131, I'm not merging the addition because apache/tapestry-5@95846b1 is a duplicate reference. The advisory already has apache/tapestry-5@5ad5257, the fix commit tagged for the 5.3 branch. There is no vulnerable version on the 5.4 branch that we're aware of, which makes apache/tapestry-5@95846b1 unnecessary as apache/tapestry-5@5ad5257 is already present.

@MarkLee131
Author

Hello @shelbyc,

Sorry for the delayed reply. I appreciate your perspective on this issue and understand the concern regarding duplicate references. However, I believe the commit apache/tapestry-5@95846b1, though appearing similar, offers additional value. This commit impacts a different version of the software, which could provide useful insights for users maintaining legacy systems or dealing with version-specific variations.

Could we consider annotating the existing entry to note the relevance of this commit to other versions, or discuss further the criteria used for evaluating patch commits? I'm keen to contribute effectively to the comprehensiveness of the GitHub Advisory Database and would value your guidance on how best to proceed.

Thank you for considering my viewpoint.

@shelbyc

shelbyc commented Apr 29, 2024

Hi @MarkLee131, in this case, there is only one fixed version, 5.3.6. Only versions prior to 5.3.6 are marked as vulnerable, so apache/tapestry-5@95846b1 is not relevant to the vulnerable version range. The fix commit for 5.3.6 becomes a part of subsequent versions, so there is no need to add the commit as it appears in subsequent versions because those versions were never part of a vulnerable branch.

I checked https://mvnrepository.com/artifact/org.apache.tapestry/tapestry-core just in case there were any pre-release versions of 5.4 that were vulnerable, but the earliest versions of 5.4 I could find were released in 2014, after the patch was committed in 2012.

I'm keen to contribute effectively to the comprehensiveness of the GitHub Advisory Database and would value your guidance on how best to proceed.

This is a good point and we're happy to improve our community contribution guidance. 🙂 What specifically would be most helpful for you to have more guidance on?
