-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A high severity vulnerability introduced in your package #337
Labels
priority: p1
Important issue which blocks shipping the next release. Will be fixed prior to next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Comments
@paimon0715 thanks! Is this an automated report? For security issues, in the future, please have a look at our security policy and reporting guidelines: |
chingor13
added
priority: p1
Important issue which blocks shipping the next release. Will be fixed prior to next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
labels
Jul 20, 2021
gcf-merge-on-green bot
pushed a commit
that referenced
this issue
Jul 20, 2021
🤖 I have created a release \*beep\* \*boop\* --- ### [2.0.5](https://www.github.com/googleapis/google-p12-pem/compare/v2.0.4...v2.0.5) (2021-07-20) ### Bug Fixes * **deps:** update node-forge to 0.10.0 ([#341](https://www.github.com/googleapis/google-p12-pem/issues/341)) ([201f9c3](https://www.github.com/googleapis/google-p12-pem/commit/201f9c3405a14633c35b99b1f14e3e89db6b6aae)), closes [#297](https://www.github.com/googleapis/google-p12-pem/issues/297) [#337](https://www.github.com/googleapis/google-p12-pem/issues/337) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
@JustinBeckwith This is not a bot. Thank you so much for your help! @chingor13 @JustinBeckwith |
We backported the dependency bump into 1.0.5 and 2.0.5 and released them to npm. |
This was referenced Jul 30, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
priority: p1
Important issue which blocks shipping the next release. Will be fixed prior to next release.
type: bug
Error or flaw in code with unintended results or allowing sub-optimal usage patterns.
Hi ,@JustinBeckwith, I’d like to report a high severity vulnerability in your package google-p12-pem:
Issue Description
A vulnerability CVE-2020-7720 (high severity) detected in package node-forge<0.10.0 is directly referenced by google-p12-pem@2.0.4 and @1.0.4. We noticed that such a vulnerability has been removed since google-p12-pem@3.0.3.
However, google-p12-pem's popular previous versions google-p12-pem@2.0.4 (428,436 downloads per week) and google-p12-pem@1.0.4 (464,605 downloads per week) are still transitively referenced by a large amount of latest versions of active and popular downstream projects.Taking google-p12-pem@2.0.4 as an example ,there are about 1,260 downstream projects, e.g., @blossm/cli 0.0.1837, psi 4.1.0, @sentrei/common 1.131.0, @firebaseextensions/firestore-bigquery-change-tracker 1.1.12, @sentrei/web 1.131.0, @blossm/cli@0.0.1837, @fonos/sdk@0.1.8-alpha.0, botium-connector-google-assistant@0.0.8, etc..
As such, issue CVE-2020-7720 can be propagated into these downstream projects and expose security threats to them.
These projects cannot easily upgrade google-p12-pem from version 2.0.4 or 1.0.4 to 3.*.* . For instance, google-p12-pem@2.0.4 and @1.0.4 are introduced into the above projects via the following package dependency paths:
(1)
@blossm/cli@0.0.1837 ➔ @blossm/gcp-secret@0.0.55 ➔ @blossm/gcp-storage@0.0.11 ➔ @google-cloud/storage@3.5.0 ➔ @google-cloud/common@2.4.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2
(2)
@fonos/sdk@0.1.8-alpha.0 ➔ @fonos/funcs@0.1.8-alpha.0 ➔ container-image-builder@3.2.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2
(3)
botium-connector-google-assistant@0.0.8 ➔ actions-on-google-testing@0.4.0 ➔ google-auth-library@5.10.1 ➔ gtoken@4.1.4 ➔ google-p12-pem@2.0.4 ➔ node-forge@0.9.2
(4)
@backstage/plugin-techdocs-backend@0.8.6 ➔ @backstage/techdocs-common@0.6.7 ➔ pkgcloud@2.2.0 ➔ @google-cloud/storage@2.5.0 ➔ @google-cloud/common@0.32.1 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.4 ➔ node-forge@0.8.5
(5)
@backstage/techdocs-common@0.6.7 ➔ pkgcloud@2.2.0 ➔ @google-cloud/storage@2.5.0 ➔ @google-cloud/common@0.32.1 ➔ google-auth-library@3.1.2 ➔ gtoken@2.3.3 ➔ google-p12-pem@1.0.4 ➔ node-forge@0.8.5
......
The projects such as @blossm/gcp-storage, container-image-builder, actions-on-google-testing and pkgcloud etc. which introduced google-p12-pem@2.0.4 or @1.0.4, are not maintained anymore. These unmaintained packages can neither upgrade google-p12-pem nor be easily migrated by the large amount of affected downstream projects.
On behalf the downstream users, could you help us remove the vulnerability from packages google-p12-pem@2.0.4 and @1.0.4?
Suggested Solution
Since these unactive projects set a version constaint ~2.0. or ~1.0.** for google-p12-pem on the vulnerable dependency paths, if google-p12-pem removes the vulnerability from @2.0.4 and @1.0.4 and releases new patched versions google-p12-pem@2.0.5 and google-p12-pem@1.0.5, such a vulnerability patch can be automatically propagated into the affected downstream projects.
In google-p12-pem@2.0.5, you can kindly try to perform the following upgrade:
node-forge ^0.9.0 ➔ ^0.10.0
;Note:
node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability CVE-2020-7720
In google-p12-pem@1.0.5, you can kindly try to perform the following upgrade:
node-forge ^0.8.0 ➔ ^0.10.0
;Note:
node-forge@0.10.0 (>=0.10.0) has fixed the vulnerability CVE-2020-7720
Thank you for your contributions.
Sincerely yours,
Paimon
The text was updated successfully, but these errors were encountered: