[security] core: unidirectional routing wasn't respected in some cases
When creating a context using Router.method(via=somechild), unidirectional mode was set on the new child correctly, however if the child were to call Router.method(), due to a typing mistake the new child would start without it. This doesn't impact the Ansible extension, as only forked tasks are started directly by children, and they are not responsible for routing messages. Add test so it can't happen again.
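Added illustration, not Mitogen's code and not part of this commit: a small Python model of a parent/child context tree in which every context runs its own router carrying a `unidirectional` flag, so the effect of that flag not being propagated to children started by a child can be seen. The names `Context`, `spawn`, `forward`, `deliver` and `build_tree` are placeholders, the tree is constructed for the example, and the policy rule is an assumption made explicit in the comments: traffic to or from a context's parent always passes, while a message that arrived from one child is refused if it would be forwarded to another child. Whether Mitogen's rule matches this exactly is not stated on this page.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class RoutingRefused(Exception):
    """Raised when a context's router refuses to forward a message."""


@dataclass(eq=False)
class Context:
    """One process in the parent/child tree plus its router's policy flag.

    Hypothetical model only: Context, spawn, forward and deliver are placeholder
    names and are not Mitogen's API.
    """
    name: str
    parent: Optional["Context"] = None
    unidirectional: bool = False
    children: List["Context"] = field(default_factory=list)

    def spawn(self, name: str, propagate_policy: bool = True) -> "Context":
        """Start a child whose router is configured by this context.

        propagate_policy=False models the bug in the commit message: the new
        child's router comes up without the flag its parent was started with.
        """
        child = Context(name, self, self.unidirectional and propagate_policy)
        self.children.append(child)
        return child

    def subtree_contains(self, ctx: "Context") -> bool:
        return ctx is self or any(c.subtree_contains(ctx) for c in self.children)

    def next_hop(self, dst: "Context") -> Optional["Context"]:
        """Hop-by-hop routing: down into the child whose subtree holds dst,
        otherwise up to the parent."""
        for c in self.children:
            if c.subtree_contains(dst):
                return c
        return self.parent

    def forward(self, in_hop: "Context", dst: "Context") -> "Context":
        """Apply this router's policy to one hop (assumed rule, see lead-in).

        The stream to the parent is treated as privileged; streams to children
        are not. In unidirectional mode a message that arrived from a child may
        not be forwarded to another child, so sibling-to-sibling traffic is
        refused while anything to or from the parent passes.
        """
        out_hop = self.next_hop(dst)
        in_privileged = in_hop is self.parent
        out_privileged = out_hop is self.parent
        if self.unidirectional and not (in_privileged or out_privileged):
            raise RoutingRefused(
                f"{self.name}: refused to route from {in_hop.name} towards {dst.name}"
            )
        return out_hop


def deliver(src: Context, dst: Context) -> List[str]:
    """Carry a message from src to dst, applying each intermediate router's
    policy; returns the names of the contexts the message passed through."""
    path = [src.name]
    prev, cur = src, src.next_hop(dst)  # the origin's own router is not a policy hop
    while cur is not dst:
        nxt = cur.forward(prev, dst)
        path.append(cur.name)
        prev, cur = cur, nxt
    path.append(dst.name)
    return path


def allowed(src: Context, dst: Context) -> bool:
    try:
        deliver(src, dst)
        return True
    except RoutingRefused:
        return False


def build_tree(propagate_policy: bool) -> Dict[str, Context]:
    """Constructed scenario: a master started with unidirectional=True, one
    child started via the master, and two grandchildren started by that child."""
    master = Context("master", unidirectional=True)
    child = master.spawn("child", propagate_policy)
    gc1 = child.spawn("gc1")
    gc2 = child.spawn("gc2")
    return {"master": master, "child": child, "gc1": gc1, "gc2": gc2}


def sibling_traffic_permitted(propagate_policy: bool) -> bool:
    """Regression check in the spirit of the commit's added test: can one
    grandchild reach its sibling through the child's router?"""
    t = build_tree(propagate_policy)
    return allowed(t["gc1"], t["gc2"])


if __name__ == "__main__":
    t = build_tree(propagate_policy=True)
    print("gc1 -> master:", deliver(t["gc1"], t["master"]))  # towards parent: passes
    print("master -> gc2:", deliver(t["master"], t["gc2"]))  # from parent: passes
    print("fixed, gc1 -> gc2 permitted:", sibling_traffic_permitted(True))
    print("buggy, gc1 -> gc2 permitted:", sibling_traffic_permitted(False))
```

With the flag propagated, traffic between the grandchildren is refused at the child's router; with `propagate_policy=False` the same message is forwarded even though the master was started in unidirectional mode, which is the class of failure a regression test like the one the commit adds is meant to catch.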
5924af1
Thanks for the fix on this @dw.
I'm on the security team at GitHub and we were notified that a CVE was published for this vulnerability yesterday. I'd love to know:
Any feedback you can give on how GitHub can help in dealing with security-related issues would be very appreciated. You can reach me on greysteil@github.com if you'd rather not leave a public comment.
Ack, that sucks, and isn't the first time we've heard that feedback.
CVE issuance is a big marketing tool for some companies, and in some cases employees are incentivised to get them assigned and skip parts of the process (like informing the maintainer...).
One thing we're planning at GitHub is to become a CVE-issuing entity (a CNA) ourselves, which should allow us to help improve the process and guard against situations like this. In the meantime I'll ping our vulnerability curation team and see what we can do about removing / flagging this in our database.
It's possible the package gets more attention because it is in multiple downstream package repositories nowadays, I hadn't considered people might be watching the changelog in this way. I assumed it might have been an enthusiastic user who filed it, not sure. No harm done in any case, just a curious amount of unfortunate noise to round off many months of hard work :)