Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CVE-2022-24999] impact on 2.x and 1.x #3449

Closed
ananzh opened this issue Feb 17, 2023 · 3 comments
Closed

[CVE-2022-24999] impact on 2.x and 1.x #3449

ananzh opened this issue Feb 17, 2023 · 3 comments
Assignees
@ananzh
Labels
cve Security vulnerabilities detected by Dependabot or Mend v2.6.0

Comments

@ananzh
Copy link
Member

ananzh commented Feb 17, 2023

Description

https://access.redhat.com/security/cve/cve-2022-24999

This still affects 2.x and 1.x
@ananzh ananzh added cve Security vulnerabilities detected by Dependabot or Mend v2.6.0 labels Feb 17, 2023
@ananzh ananzh self-assigned this Feb 17, 2023
@ananzh
Copy link
Member Author

ananzh commented Feb 17, 2023 

=> Found "qs@6.11.0"
info Has been hoisted to "qs"
info Reasons this module exists
   - "workspace-aggregator-fcd13c05-7ace-4db5-8723-a423437734e1" depends on it
   - Hoisted from "_project_#supertest#superagent#qs"
   - Hoisted from "_project_#supertest#superagent#formidable#qs"
info Disk size without dependencies: "204KB"
info Disk size with unique dependencies: "256KB"
info Disk size with transitive dependencies: "768KB"
info Number of shared dependencies: 7
=> Found "request#qs@6.5.3"
info This module exists because "_project_#@osd#optimizer#node-sass#request" depends on it.
info Disk size without dependencies: "176KB"
info Disk size with unique dependencies: "176KB"
info Disk size with transitive dependencies: "176KB"
info Number of shared dependencies: 0
Done in 1.05s.

From above, we can see that qs is request node-sass and supertest.

  • For supertest, 2.x is patched via #3220.
  • For node-sass, it depends on qs@6.5.3. node-sass is deprecated and only upgraded in main. We replaced node-sass to dart-sass via #2054. Since it is a breaking change, we can't backport it to 2.x. Therefore, the only option is to resolve qs.

ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
@ananzh
[CVE-2022-24999] resolve qs to 6.11.0 in 2.x
7f291e3 
Issue resolved:
opensearch-project#3449

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh mentioned this issue Feb 17, 2023
Merged
8 tasks
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
@ananzh
[CVE-2022-24999] resolve qs to 6.11.0 in 2.x
62f5fe8 
Issue resolved:
opensearch-project#3449

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
@ananzh
[CVE-2022-2499][backport 1.x] Resolve qs to 6.11.0 in 1.x
4606d61 
Issue Resolved:
opensearch-project#3449

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@ananzh ananzh mentioned this issue Feb 17, 2023
Merged
8 tasks
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
@ananzh
[CVE-2022-2499][backport 1.x] Resolve qs to 6.11.0 in 1.x
dceac61 
Issue Resolved:
opensearch-project#3449

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this issue Feb 17, 2023
@ananzh
[CVE-2022-24999] resolve qs to 6.11.0 in 2.x
4c69cde 
Issue resolved:
opensearch-project#3449

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
@joshuarrrr
Copy link
Member

@ananzh Can this be closed? It looks like both backports have been merged.

@ananzh
Copy link
Member Author

ananzh commented Feb 20, 2023

close it. Thanks josh

@ananzh ananzh closed this as completed Feb 20, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ananzh ananzh

Labels
cve Security vulnerabilities detected by Dependabot or Mend v2.6.0
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joshuarrrr @ananzh