
docs: update CVEs fixed on 3.0.2 and 2.1.3 #26308

Merged: 1 commit from docs/update-cves into apache:master, Dec 20, 2023

Conversation

dpgaspar (Member)

SUMMARY

Update CVEs fixed on 3.0.2 and 2.1.3 on our documentation

BEFORE/AFTER SCREENSHOTS OR ANIMATED GIF

TESTING INSTRUCTIONS

ADDITIONAL INFORMATION

  • Has associated issue:
  • Required feature flags:
  • Changes UI
  • Includes DB Migration (follow approval process in SIP-59)
    • Migration is atomic, supports rollback & is backwards-compatible
    • Confirm DB migration upgrade and downgrade tested
    • Runtime estimates and downtime expectations provided
  • Introduces new feature or API
  • Removes existing feature or API

#### Version 3.0.2, 2.1.3

| CVE | Title | Affected |
|:---------------|:------------------------------------------------------------|---------------------------:|
Member
@dpgaspar We can assume that all fixes in 2.1.3 are present in 3.0.2. I suggest moving these to the 2.1.3 block and keep the incremental version order.

dpgaspar (Member, Author) Dec 19, 2023

could give the wrong impression that these fixes are included on 3.0.0 and 3.0.1

Member

You're right! Should we copy/duplicate them and keep the version order? It looks weird that 2.1.3 is defined twice.
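
The version-range point the thread is circling, worked through as an added example (written for this page; it is not Superset code or documentation, and the function names, the sample versions and the "fix is backported to older lines, carried forward on newer ones" semantics are assumptions of the example): a cell that only says `< 2.1.3` does not cover 3.0.0 or 3.0.1, so a reader of the 3.0.2 block can conclude those releases are fixed when they are not. The helper below decides whether a given release is affected given every release the fix shipped in, and renders an "Affected" expression that spells the 3.0.x gap out explicitly. It generalises beyond the two versions in the PR to any number of fixed release lines. Python is used because it is the project's language.

```python
"""Affected-version check for a CVE fixed on more than one release line.

Added example, not part of the Superset docs or code base. Names here are
hypothetical and the sample versions are constructed for illustration.
"""
from typing import Iterable, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple of ints.

    Pre-release suffixes such as '3.0.2rc1' are rejected rather than guessed
    at, so a caller cannot accidentally treat a candidate build as fixed.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed_in: Iterable[str]) -> bool:
    """Return True if `version` predates the fix on its release line.

    Assumed semantics: the fix lands on the newest line and is backported to
    older lines. A version is affected when a fix exists on its own
    MAJOR.MINOR line and the version is older than that fix release, or when
    no fix exists on its line and the version is older than the earliest fix
    release overall. Lines newer than every fix are treated as carrying it.
    """
    v = parse_version(version)
    fixes = sorted(parse_version(f) for f in fixed_in)
    if not fixes:
        raise ValueError("at least one fixed version is required")
    same_line = [f for f in fixes if f[:2] == v[:2]]
    if same_line:
        return v < same_line[0]
    return v < fixes[0]


def _fmt(v: Version) -> str:
    return ".".join(str(n) for n in v)


def affected_expression(fixed_in: Iterable[str]) -> str:
    """Render an unambiguous 'Affected' cell for a docs table.

    For fixes ['2.1.3', '3.0.2'] this yields '< 2.1.3, >= 3.0.0 < 3.0.2',
    which spells out the 3.0.x gap that a bare '< 2.1.3' hides.
    """
    fixes = sorted(parse_version(f) for f in fixed_in)
    if not fixes:
        raise ValueError("at least one fixed version is required")
    clauses = ["< " + _fmt(fixes[0])]
    for f in fixes[1:]:
        if f[2] == 0:
            continue  # the line's first release already has the fix
        line_start = (f[0], f[1], 0)
        clauses.append(f">= {_fmt(line_start)} < {_fmt(f)}")
    return ", ".join(clauses)


if __name__ == "__main__":
    fixed = ["2.1.3", "3.0.2"]
    print("Affected:", affected_expression(fixed))
    # Constructed sample releases, including the two the thread worries about.
    for sample in ["2.0.1", "2.1.2", "2.1.3", "3.0.0", "3.0.1", "3.0.2", "3.1.0"]:
        print(f"{sample:>6}  affected={is_affected(sample, fixed)}")
```

Note that `is_affected("3.0.1", ["2.1.3"])` returns False: that is exactly the reading a bare `< 2.1.3` invites, and why the second fixed release has to be listed alongside it.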

michael-s-molina (Member) left a comment

LGTM. Left a non-blocking comment.

| CVE | Title | Affected |
|:---------------|:------------------------------------------------------------------------|---------:|
| CVE-2023-42504 | Lack of rate limiting allows for possible denial of service | < 2.1.3 |

eschutho (Member) Dec 20, 2023

You can also add these if needed, if you're including dependency package bumps:
CVE-2023-30608
CVE-2023-30861

dpgaspar (Member, Author)

I am not; we should track and patch these in an automated fashion.

eschutho (Member) left a comment

LGTM. Left a comment but not a blocker.

dpgaspar merged commit 8c32c6d into apache:master on Dec 20, 2023
29 checks passed
dpgaspar deleted the docs/update-cves branch on December 20, 2023 03:39
sfirke pushed a commit to sfirke/superset that referenced this pull request on Mar 22, 2024
mistercrunch added the 🏷️ bot and 🚢 4.0.0 labels on Apr 17, 2024
Labels: 🏷️ bot, size/S, 🚢 4.0.0
4 participants