loopbackio / security

[WORK IN PROGRESS] A centralised repository for all security-related matters on the LoopBack Project.
MIT License

Ghosted on Security Report (LBSEC-20220806-1) #30

Closed mgabeler-lee-6rs closed 2 years ago

mgabeler-lee-6rs commented 2 years ago

Describe the bug

I started a responsible security disclosure back in February. Conversations proceeded reasonably and in late May, @achrinza informed me that a release to fix the issue was expected in roughly the following week.

In the roughly two months since, I have received no updates and no reply to my repeated requests for any updates on the issue.

I do not want to break from the responsible disclosure path, but being ghosted on this issue for nearly two months is becoming a major concern to me and my team.

I'm hoping this is just due to summer vacations or a misfiring spam filter or something like that, and that posting here will attract appropriate attention and resurrect the email thread to finish fixing this issue :crossed_fingers:

Logs

No response

Additional information

No response

Reproduction

https://github.com/loopbackio/loopback-next

achrinza commented 2 years ago

Hi @mgabeler-lee-6rs, thank you for bringing this to our attention. I apologise as I had not been able to properly manage and hand off this security report to the other maintainers, and that the security report ended up being ghosted.

Unfortunately I am not able to push the code until this weekend due to conscription, but I'll discuss internally with the other maintainers if they're willing to help push this earlier.

In the worst case, we'll work towards making an out-of-band release this weekend.

It's clear we still have a lot to work on towards improving the reporter's experience and workflow, and that the current email-only approach is not acceptable. This is something we are actively looking into.

mgabeler-lee-6rs commented 2 years ago

Thank you for following up @achrinza, I look forward to the release :)

achrinza commented 2 years ago

Hi @mgabeler-lee-6rs, I have lined up the security advisory draft and the fix for review by the rest of the LoopBack Security Team. In addition, we're working to get a CVE. Unfortunately this will take a bit more time. I'd expect to be able to wrap everything up by the end of this week.

Thanks again for being patient with us as we work through the report.

achrinza commented 2 years ago

Hi @mgabeler-lee-6rs, we are scheduling the following within the next 24 hours:

  1. Patch release loopback-connector-postgresql@5.5.1
  2. Public disclosure of vulnerability through GitHub, loopback.io, Slack, and mailing list

Credits on loopback.io will be given in accordance with what was discussed over email. Credits on the GitHub security advisory would be towards your GitHub account, @mgabeler-lee-6rs.

We're still working to get a CVE issued, but this is a non-blocker. I'll continue to post updates on the CVE here.

If there are any further inquiries, please don't hesitate to drop them here, through the email thread, or via Slack DM.

mgabeler-lee-6rs commented 2 years ago

Thank you for the update :+1:

achrinza commented 2 years ago

Hi @mgabeler-lee-6rs,

We've successfully published loopback-connector-postgresql@5.5.1 with the fix, and published the advisories:

The GitHub Security Advisory may not be immediately available while it's undergoing review. Once this and the CVE issuance is completed, we'll post an update here as well.

Thanks again for working with us through the security report. We'll take this as an opportunity to improve how we track and manage future reports.

If there are any further inquiries, please don't hesitate to drop them here, through the email thread, or via Slack DM.

mgabeler-lee-6rs commented 2 years ago

Many thanks for completing this @achrinza.

achrinza commented 2 years ago

Hi @mgabeler-lee-6rs, GitHub has reviewed and approved the security advisory for compliance with the CVE rules.

The GitHub Security Advisory will be published, and a CVE number has been issued:

It may take some time for the changes to be reflected.

mgabeler-lee-6rs commented 2 years ago

@achrinza I think I found a typo in the GH security alert: It mentions allowExtendedProperties, but I think that is meant to say allowExtendedOperators?

achrinza commented 2 years ago

Thanks for bringing the typo up. I've gone ahead and made the changes. It may take some time for it to be reflected.