Wrongly assigned CVE critical vulnerabilities to 16.16.0 #43946
Comments
CrlsMrls
added
the
feature request
|
Looking at our entries in Hacker 1 which is how we request/publish CVEs it does seems like there was a cut/paste error so that we reported it was fixed in 16.20.0 intead of 16.16.0. I could not find an option in H1 to update the CVE data so I've send a message asking how can can do this. Thanks for raising the issue. |
|
@RafaelGSS FYI. |
|
@mcollina FYI |
|
@mhdawson thanks for taking care of this. I made another typo too apparently in another one. We really need more eyes on them before hitting publish. |
|
One note: I'm not aware why those vulnerabilities were classified as critical by others. THEY ARE NOT. Update at your own pace, you are almost certainly not at risk as they apply only in very specific conditions with limited impact. |
|
No answer to my question on how to update yet and I'm out until next Tuesday. WIll check when I get back. |
|
We have got this report issue from Aqua-scan too.
|
|
@MylesBorins what would be the best way to notify the Github Security Advisories team about this change? |
|
https:/github/advisory-database#contributions suggests a couple of approaches that might help. |
|
Trying to follow up with a contact we have at H1 as I'm still waiting on a response through the help system. |
|
I checked and it's not possible to fix it via GitHub as the information is not copied in that registry. |
|
I reached out to our contact at H1 and they indicated they would help point me in the right direction. Will update here when I have more info. |
|
Hey guys, I was thinking to open similar issue, but found this one.
but the update from July 27th says vulnerability applicable:
Apart of that I would like to understand how did the above mentioned commit 1da22eb fix the issue? I found the line project(llhttp VERSION 6.0.5) in the Node.js 16.16.0 source code, but according to security release the fix is in Could you clarify what does the sticked |
|
I've gotten info on how to request an update to the CVEs. Adding here so that we have a record (although I'll think about whether we have a good place to PR into our docs/guidance as well) |
|
The link I think should be - https://hackerone.com/nodejs/cve_requests |
|
Ok updates are now submitted. They still need to be processed on the H1 side before we'll see the updates externally. |
|
Hey guys, Could you confirm that commit 1da22eb really fixed the issue?
Thank you in advance and be well. |
|
@aberezovski I think it is an artifact on how llhttp is updated for vulnerabilities. Since updating llhttp in advance would dislose the vulnerability, the commits for the security release were directly landed in the node repo. There was then a later llhttp release which incorporated the changes. I had to fix a similar issue in the past - https:/nodejs/node/pull/43029/files. It looks to me like Since https:/nodejs/node/blob/main/deps/llhttp/include/llhttp.h says 6.0.7 I think updating We still need to better document the update process for a security release to avoid the confusion. |
Refs: nodejs#43946 - Add instructions on updating llhttp version in file maintained only in Node.js repository as it needs to be kept in sync with what is copied from the llhttp repository when an update is made. Signed-off-by: Michael Dawson <[email protected]>
|
PR to add missing step to update the CMakeList.txt to llhttp update instructions. #44136 It may not have fixed this case where we do things a bit differently for security releases but still needed and will help avoid us missing it once we document the security release specific flow. |
|
@aberezovski if you believe my analysis is incorrect and we have actually missed something, please report through H1 so that we can handle as a additional/new vulnerability - see https:/nodejs/node/security/policy |
|
@mhdawson Yes, I do confirm it. llhttp is updated first in private, then incorporated in node and then released publicly. I'm trying to address this in nodejs/llhttp#173 |
Refs: nodejs#43946 - Add instructions on updating llhttp version in file maintained only in Node.js repository as it needs to be kept in sync with what is copied from the llhttp repository when an update is made. Signed-off-by: Michael Dawson <[email protected]>
|
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document. |
|
Is it solved @ShogunPanda @mhdawson? In case not, how can I help? I think it should be updated in https:/nodejs/security-wg/blob/main/vuln/core/94.json as well. |
|
I had asked Hacker one how to best do this but never got an answer. We'll have to follow up again. |
|
I believe it is safe to close this ticket, as the version 16.16.0 is deprecated. Thank you all for your feedback and work. 🙇 |
After reading the contributing guidelines, in my opinion this is the best place I found to raise this issue. I understand this may not be correct though, sorry in advance for the inconvenience.
What is the problem this feature will solve?
There are multiple resources that (in my opinion) are wrongly assigning CVE critical vulnerabilities to node.js version 16.16.0.
The goal of this GitHub issue is to raise awareness in the Node.js community, so this situation is fixed.
Our security CICD pipelines are raising these critical vulnerabilities for the latest LTS version of node.js (version 16.16.0)
This seems wrong to me, because:
On the other hand, there are very well respected vulnerability databases stating this is not fixed yet:
I am not sure how to resolve these discrepancies. Until this is fixed, our security practices are blocking this node.js version, which means we cannot use version 16 at all.
What is the feature you are proposing to solve the problem?
Somebody from the Node.js organization contacts NATIONAL VULNERABILITY DATABASE to fix the issue.
The text was updated successfully, but these errors were encountered: