Hi List,
GitHub has identified a security issue in the ganeti/docs[1]
repository.
I don't know much about these web things, so I'm sharing my thoughts here
to get some feedback on how to handle this.
GitHub suspects that we use the underscore JavaScript library in an npm
project? I understand this as a server-side vulnerability? However, the
docs are static content generated by Sphinx, which basically means that if
there is any risk, it's client-side. Does anybody know if there is a risk
with clients? If so, we need to change it in every Ganeti version.
I can't find any information on how this vulnerability was discovered.
Does GitHub just look for the version? If so, it won't even detect a
Debian fixed version[2].
Thanks, Sascha.
[1] https://docs.ganeti.org/
[2] https://sources.debian.org/patches/underscore/1.9.1%7Edfsg-1+deb10u1/CVE-2021-23358.patch/
---------- Forwarded message ----------
Date: Fri, 07 May 2021 04:05:53 +0000 (UTC)
From: GitHub <notifi...@github.com>
Reply-To: ganeti/GHSA-cf4h-3jhx-xvhq <nor...@github.com>
To: ganeti/GHSA-cf4h-3jhx-xvhq <GHSA-cf4h...@noreply.github.com>
Cc: Security alert <securit...@noreply.github.com>
Subject: [ganeti] A security advisory on underscore affects at least one of your repositories
1 repository in your ganeti organization might be affected by a security vulnerability in underscore
Arbitrary Code Execution in underscore (high severity)
underscore (npm) used in 1 repository:
- ganeti/docs
- Vulnerability found in _static/underscore.js
https://github.com/ganeti/docs/security/dependabot/_static/underscore.js/underscore/open
---
Learn more about the security advisory here:
https://github.com/advisories/GHSA-cf4h-3jhx-xvhq/dependabot?query=user:ganeti
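An added inventory check written for this thread, not code from Sascha's mail, from Ganeti or from GitHub: it walks a docs tree for the `_static/underscore.js` that Sphinx vendors into each build, reads the version banner the way a version-only scanner would, and additionally looks for a marker string that (as an assumption stated in the code) the upstream CVE-2021-23358 fix introduced, so a Debian-style backport that keeps the 1.9.1 banner is reported as backported rather than affected.

```python
"""Inventory vendored underscore.js copies in a Sphinx docs tree."""
import re
from pathlib import Path

# Banner comment at the top of underscore.js, e.g. "//     Underscore.js 1.9.1"
VERSION_RE = re.compile(r"Underscore\.js\s+(\d+)\.(\d+)\.(\d+)")
# First upstream release carrying the fix for CVE-2021-23358 (release versions only).
FIXED_IN = (1, 12, 1)
# Assumption: the upstream fix makes _.template reject a `variable` setting that
# is not a bare identifier, raising an Error with this message. A distro backport
# (Debian's 1.9.1~dfsg-1+deb10u1 patch) carries the fix but keeps the old banner,
# so a banner-only check would still flag it.
FIX_MARKER = "variable is not a bare identifier"


def parse_version(text):
    """Return (major, minor, patch) from the banner comment, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def assess(text):
    """Classify one copy as 'fixed', 'backported', 'affected' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return {"version": None, "status": "unknown"}
    if version >= FIXED_IN:
        return {"version": version, "status": "fixed"}
    if FIX_MARKER in text:
        return {"version": version, "status": "backported"}
    return {"version": version, "status": "affected"}


def scan(root):
    """Assess every _static/underscore.js below root (one per built Sphinx version)."""
    findings = {}
    for path in Path(root).rglob("underscore.js"):
        if path.parent.name == "_static":
            findings[str(path)] = assess(path.read_text(encoding="utf-8", errors="replace"))
    return findings


# Constructed stand-ins for three copies a docs tree could contain (not real files).
SAMPLES = {
    "stock 1.9.1": "//     Underscore.js 1.9.1\n// ... unpatched template code ...",
    "debian backport": "//     Underscore.js 1.9.1\n"
                       "throw new Error('variable is not a bare identifier: ' + argument);",
    "upstream fixed": "//     Underscore.js 1.13.1\n// ... fixed template code ...",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, assess(text))
    for path, result in sorted(scan(".").items()):
        print(path, result)
```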