Open 389-ds-bot opened 4 years ago
Comment from spichugi (@droideck) at 2019-07-16 00:47:14
Comment from spichugi (@droideck) at 2019-07-16 00:47:15
Metadata Update from @droideck:
Comment from mreynolds (@mreynolds389) at 2019-08-08 17:26:06
Metadata Update from @mreynolds389:
Comment from vashirov (@vashirov) at 2019-08-23 09:53:49
NPM audit report JSON:
{
  "actions": [
    {
      "action": "update",
      "resolves": [
        {
          "id": 1118,
          "path": "eslint>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-plugin-es>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        },
        {
          "id": 1118,
          "path": "eslint-plugin-node>eslint-utils",
          "dev": true,
          "optional": false,
          "bundled": false
        }
      ],
      "module": "eslint-utils",
      "target": "1.4.2",
      "depth": 3
    }
  ],
  "advisories": {
    "1118": {
      "findings": [
        {
          "version": "1.3.1",
          "paths": [
            "eslint>eslint-utils",
            "eslint-plugin-node>eslint-plugin-es>eslint-utils",
            "eslint-plugin-node>eslint-utils"
          ]
        }
      ],
      "id": 1118,
      "created": "2019-08-20T15:17:53.538Z",
      "updated": "2019-08-22T18:54:18.136Z",
      "deleted": null,
      "title": "Arbitrary Code Execution",
      "found_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "reported_by": {
        "link": "",
        "name": "Toru Nagashima"
      },
      "module_name": "eslint-utils",
      "cves": [],
      "vulnerable_versions": ">=1.2.0 <1.4.1",
      "patched_versions": ">=1.4.1",
      "overview": "Versions of `eslint-utils` >=1.2.0 or <1.4.1 are vulnerable to Arbitrary Code Execution. The `getStaticValue` does not properly sanitize user input allowing attackers to supply malicious input that executes arbitrary code during the linting process. The `getStringIfConstant` and `getPropertyName` functions are not affected.",
      "recommendation": "Upgrade to version 1.4.1 or later.",
      "references": "- [ESLint release](https://eslint.org/blog/2019/08/eslint-v6.2.1-released)\n- [eslint-utils advisory](https://github.com/mysticatea/eslint-utils/security/advisories/GHSA-3gx7-xhv7-5mx3)",
      "access": "public",
      "severity": "critical",
      "cwe": "CWE-94",
      "metadata": {
        "module_type": "",
        "exploitability": 3,
        "affected_components": ""
      },
      "url": "https://npmjs.com/advisories/1118"
    }
  },
  "muted": [],
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 0,
      "high": 0,
      "critical": 3
    },
    "dependencies": 2883,
    "devDependencies": 7047,
    "optionalDependencies": 280,
    "totalDependencies": 10113
  },
  "runId": "1dbb03fb-3b04-452f-8254-4440e9691b7b"
}
Failed security audit due to critical vulnerabilities.
Exiting...
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! 389-console@1.0.0 audit-ci: `audit-ci --config audit-ci.json`
npm ERR! Exit status 1
npm ERR!
npm ERR! Failed at the 389-console@1.0.0 audit-ci script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
npm ERR! A complete log of this run can be found in:
npm ERR! /root/.npm/_logs/2019-08-23T07_50_04_578Z-debug.log
Comment from spichugi (@droideck) at 2019-08-23 10:17:33
Comment from mreynolds (@mreynolds389) at 2019-09-27 23:25:01
Commit 2e85b4a3 relates to this ticket
Comment from mreynolds (@mreynolds389) at 2019-09-27 23:26:45
Fixes npm "handlebar" audit alert
Commit 2e85b4a relates to this ticket
67d69bf61..4f84db6ed 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Comment from spichugi (@droideck) at 2019-11-04 22:18:19
Commit 5202ad8b relates to this ticket
Comment from spichugi (@droideck) at 2019-11-04 22:24:02
Fixes npm "handlebar" audit alert - again
129914357..5202ad8b2 master -> master
9c210f7e1..49c704481 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Comment from mreynolds (@mreynolds389) at 2019-11-15 17:04:44
Commit b1d67c11 relates to this ticket
Comment from spichugi (@droideck) at 2019-11-20 12:21:19
Commit 9f475988 relates to this ticket
Comment from vashirov (@vashirov) at 2019-12-11 16:02:58
Commit 80e0ce24 relates to this ticket
a9fa0add3..d61990570 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Comment from spichugi (@droideck) at 2020-03-09 22:46:50
Commit a66fe152 relates to this ticket
Comment from spichugi (@droideck) at 2020-03-09 22:50:06
bf8b4af68..a66fe1526 master -> master
74046abb8..1cda41b8a 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
610d2f5c6..88b5cd3d0 389-ds-base-1.4.2 -> 389-ds-base-1.4.2
Comment from vashirov (@vashirov) at 2020-03-18 08:48:31
@droideck, nightly build failed due to https://www.npmjs.com/advisories/1179
"vulnerabilities": {
  "info": 0,
  "low": 0,
  "moderate": 126,
  "high": 0,
  "critical": 0
},
Could you please take a look?
Comment from vashirov (@vashirov) at 2020-03-19 11:19:03
The build now works, since the vulnerability got lower severity, but it still needs to be fixed.
"vulnerabilities": {
  "info": 0,
  "low": 126,
  "moderate": 0,
  "high": 0,
  "critical": 0
},
Comment from mreynolds (@mreynolds389) at 2020-04-24 17:02:07
Fixed latest audit issues, updated existing npm packages, and removed unused packages...
Comment from mreynolds (@mreynolds389) at 2020-04-24 18:38:14
Commit 53e9d9f9 relates to this ticket
Comment from vashirov (@vashirov) at 2020-05-14 08:58:13
Nightly build failed due to npm audit ci:
"vulnerabilities": {
  "info": 0,
  "low": 8,
  "moderate": 17,
  "high": 0,
  "critical": 0
},
https://npmjs.com/advisories/1500
https://npmjs.com/advisories/1518
Comment from mreynolds (@mreynolds389) at 2020-05-15 16:06:39
Commit 9afa6694 relates to this ticket
Comment from mreynolds (@mreynolds389) at 2020-05-15 16:08:41
Commit 9afa669 relates to this ticket
d3ae07a8d..d4118370a 389-ds-base-1.4.3 -> 389-ds-base-1.4.3
703d85749..14c7a3c89 389-ds-base-1.4.2 -> 389-ds-base-1.4.2
41e0f4bc2..62cc505f2 389-ds-base-1.4.1 -> 389-ds-base-1.4.1
Comment from vashirov (@vashirov) at 2020-05-27 12:27:16
Another one https://www.npmjs.com/advisories/1522 (high)
b6d8de51f..f5b2cfb35 master -> master
66bbfee82..e3104967d 389-ds-base-1.4.4 -> 389-ds-base-1.4.4
45b370d5c..e83500b13 389-ds-base-1.4.3 -> 389-ds-base-1.4.3
Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50499
Issue Description
New vulnerabilities can arise from time to time in `npm audit` reports and they should be addressed by running `npm audit fix`. Sometimes it can require manual intervention. The PRs can be linked to this issue.
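The severity gate behind the audit-ci failures in this thread, as an added JavaScript example (not code from 389-ds-base or audit-ci): it tallies the per-path counts the way the pasted report's metadata.vulnerabilities block does, and applies a severity threshold plus an allowlist. Advisory 9999 and the package name example-pkg are constructed placeholders, not real advisories.

```javascript
// Added example (not 389-ds-base code): an audit-ci style severity gate over an npm v6 audit report.
const LEVELS = ["info", "low", "moderate", "high", "critical"];

// Constructed sample: advisory 1118 (eslint-utils, critical, three dependency paths, as in the
// thread) plus a hypothetical low-severity advisory 9999 that is not a real npm advisory.
const SAMPLE_REPORT = {
  advisories: {
    "1118": {
      id: 1118, module_name: "eslint-utils", severity: "critical",
      vulnerable_versions: ">=1.2.0 <1.4.1", patched_versions: ">=1.4.1",
      findings: [{ version: "1.3.1", paths: [
        "eslint>eslint-utils",
        "eslint-plugin-node>eslint-plugin-es>eslint-utils",
        "eslint-plugin-node>eslint-utils",
      ] }],
    },
    "9999": {
      id: 9999, module_name: "example-pkg", severity: "low",
      vulnerable_versions: "<2.0.0", patched_versions: ">=2.0.0",
      findings: [{ version: "1.0.0", paths: ["example-pkg"] }],
    },
  },
};

// Tally vulnerable dependency *paths* per severity, which is what the report's
// metadata.vulnerabilities block counts: one critical advisory on three paths is "critical": 3.
function countByPath(report) {
  const counts = Object.fromEntries(LEVELS.map((l) => [l, 0]));
  for (const adv of Object.values(report.advisories || {})) {
    for (const f of adv.findings) counts[adv.severity] += f.paths.length;
  }
  return counts;
}

// Decide whether CI should fail: `threshold` is the lowest severity that blocks, `allowlist`
// holds reviewed-and-accepted advisory ids. An advisory downgraded below the threshold (the
// moderate -> low case in this thread) stops blocking but still appears in countByPath.
function gateAudit(report, threshold, allowlist = []) {
  const min = LEVELS.indexOf(threshold);
  if (min < 0) throw new Error(`unknown severity threshold: ${threshold}`);
  const blocking = [], ignored = [];
  for (const adv of Object.values(report.advisories || {})) {
    if (allowlist.includes(adv.id)) { ignored.push(adv.id); continue; }
    if (LEVELS.indexOf(adv.severity) >= min) {
      blocking.push({ id: adv.id, module: adv.module_name, severity: adv.severity,
                      paths: adv.findings.flatMap((f) => f.paths) });
    }
  }
  return { failed: blocking.length > 0, blocking, ignored };
}
```

Log both the verdict and the counts in CI: a threshold-only gate goes green when an advisory is merely downgraded, which is exactly how the 126 moderate findings above became 126 low ones without being fixed.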