[GHSA-m4pq-fv2w-6hrw] Deno's deno_runtime vulnerable to interactive permission prompt spoofing via improper ANSI stripping #4515
Conversation
Hi there @Ry0taK! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Ah, so perhaps the specific range for
I'll await feedback on the preference here. I think keeping it more precise makes sense if that is a reasonable method of extracting the correct versions for
@westonsteimel Thank you for your research into which versions of
@westonsteimel Thank you for making this pull request! @shelbyc I believe that version range makes sense, but I'd like to hear an opinion from @mmastrac, who handled this advisory on the Deno side.
Apologies, I'm no longer at Deno and I've swapped the context on this report out. I suspect the version ranges were for the deno release itself. Unsure why deno_runtime was the component here.
I see, I think it makes sense to update the version ranges/affected components then. I can update the original advisory on the denoland/deno repository if needed!
c0790df into westonsteimel/advisory-improvement-4515
Hi @westonsteimel! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!
Happy Monday, everyone! I've changed the affected products and vulnerable version ranges to the following:
Please let me know if this is not correct and the affected products or VVRs require further changes. 👍 @mmastrac With respect to @Ry0taK If I didn't correctly explain why
@shelbyc Thank you! I believe that is the correct information, and I've updated the original advisory on the denoland/deno repository as well!
The original advisory does indicate deno_runtime as the package; however, the version constraints do not appear to align with the available versions for deno_runtime, since all published versions of that particular crate are still pre-1.0, so it would seem that perhaps deno would be the better package name to use here given the current version ranges. Alternatively, the version ranges could be updated to reflect the specific versioning for the deno_runtime sub-component, but I wasn't entirely sure how to figure that out.