aws-samples / aws-proton-cloudformation-sample-templates

Sample templates for AWS Proton
https://aws.amazon.com/proton
MIT No Attribution

fix(schema.yaml): fix Nginx CVE-2021-23017 #41

Closed lloydchang closed 3 years ago

lloydchang commented 3 years ago

Change Nginx from 1.19.5 to 1.21.0 to fix CVE-2021-23017 https://nvd.nist.gov/vuln/detail/CVE-2021-23017 https://nginx.org/en/security_advisories.html

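The version bump above implies a check a maintainer could keep in CI: read the nginx version a Proton template pins and compare it against the affected range in the nginx advisory for CVE-2021-23017 (0.6.18 through 1.20.0; fixed in 1.20.1 on the stable branch and in 1.21.0). The block below is an added example, not code from the repository or the PR author; the property name `nginx_version` and the sample schema fragment are constructed for illustration.

```python
# Added example (not from aws-proton-sample-templates or the PR author).
# Affected range from the nginx advisory for CVE-2021-23017:
# 0.6.18 through 1.20.0; fixed in 1.20.1 (1.20 branch) and 1.21.0.
import re
from typing import Optional, Tuple

Version = Tuple[int, ...]
FIRST_VULNERABLE: Version = (0, 6, 18)


def parse_version(text: str) -> Version:
    """Turn '1.19.5' into (1, 19, 5); reject anything that is not x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a dotted nginx version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable_to_cve_2021_23017(version: Version) -> bool:
    """True when the version sits inside the advisory's affected range."""
    if version < FIRST_VULNERABLE:
        return False
    if version[:2] == (1, 20):          # stable branch, fixed in 1.20.1
        return version < (1, 20, 1)
    return version < (1, 21, 0)         # everything else, fixed in 1.21.0


def nginx_version_from_schema(schema_text: str) -> Optional[str]:
    """Read the `default:` under an `nginx_version:` property (key name assumed)."""
    in_block = False
    for line in schema_text.splitlines():
        if line.strip() == "nginx_version:":
            in_block = True
        elif in_block:
            m = re.match(r"\s*default:\s*['\"]?(\d+\.\d+\.\d+)['\"]?\s*$", line)
            if m:
                return m.group(1)
    return None


def check_schema(schema_text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for the pinned default."""
    raw = nginx_version_from_schema(schema_text)
    if raw is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_to_cve_2021_23017(parse_version(raw)) else "patched"


# Constructed schema.yaml fragment pinned like the pre-fix template (1.19.5).
SAMPLE_SCHEMA = "  properties:\n    nginx_version:\n      type: string\n      default: \"1.19.5\"\n"
```

Running `check_schema(SAMPLE_SCHEMA)` reports the 1.19.5 default as vulnerable, and the same fragment with 1.21.0 substituted reports patched.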

lloydchang commented 3 years ago

After 13+ hours without a reply to my pull request... I re-read this repository and noticed the instructions in https://github.com/aws-samples/aws-proton-sample-templates/blob/main/CONTRIBUTING.md#security-issue-notifications

Security issue notifications If you discover a potential security issue in this project we ask that you notify AWS/Amazon Security via our vulnerability reporting page. Please do not create a public github issue.

Commentary about the generic "do not create a public GitHub issue" boilerplate:

• Creating this pull request appears to be an effective and efficient approach to address the vulnerability in the https://github.com/aws-samples/aws-proton-sample-templates repository, because the vulnerability and exploit are already publicly known, disclosed, and documented months ago in:

  1. May 25, 2021 by Nginx at https://nginx.org/en/security_advisories.html
  2. May 25, 2021 by Nginx at http://mailman.nginx.org/pipermail/nginx-announce/2021/000300.html
  3. June 1, 2021 by NVD NIST at https://nvd.nist.gov/vuln/detail/CVE-2021-23017
  4. June 1, 2021 by Amazon Linux Security Center at https://alas.aws.amazon.com/ALAS-2021-1507.html

I've read https://aws.amazon.com/security/vulnerability-reporting/

Reporting Suspected Vulnerabilities Amazon Web Services (AWS): If you would like to report a vulnerability or have a security concern regarding AWS cloud services or open source projects, please email aws-security@amazon.com. If you wish to protect your email, you may use our PGP key.

I've emailed aws-security@amazon.com as follows:

From: Lloyd Chang <lloydchang@gmail.com>
Date: Fri, Jul 2, 2021 at 10:12 PM PDT
Subject: Please kindly review and merge a pull request that I created: fix(schema.yaml): fix Nginx CVE-2021-23017 #41 aws-samples / aws-proton-sample-templates at https://github.com/aws-samples/aws-proton-sample-templates/pull/41
To: aws-security@amazon.com

Hi, aws-security@amazon.com and team,

Please kindly review and merge a pull request that I created: fix(schema.yaml): fix Nginx CVE-2021-23017 #41 aws-samples / aws-proton-sample-templates at https://github.com/aws-samples/aws-proton-sample-templates/pull/41

Thank you, Lloyd