Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[GHSA-m425-mq94-257g] gRPC-Go HTTP/2 Rapid Reset vulnerability #4643

Closed
wants to merge 1 commit into from

Conversation

neilcar
Copy link

@neilcar neilcar commented Jul 29, 2024

Updates

  • Affected products

Comments
CVE is CVE-2023-44487. CVE field is missing from this form to submit improvements.

@github
Copy link
Collaborator

github commented Jul 29, 2024

Hi there @dfawley! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

@dfawley
Copy link

dfawley commented Jul 29, 2024

@neilcar I'm not sure what to do with this. It doesn't appear to change anything and the checker failed (Processing advisory improvement — Could not process advisory improvement)

@neilcar
Copy link
Author

neilcar commented Jul 29, 2024

@dfawley The problem is that the field that needs updating isn't an option on the form for proposing an update (or I'm missing it).

image

The "CVE ID" field here is null but, based on the links, there's a CVE ID for this one. How do I propose a change to fill in the proper CVE ID?

@dfawley
Copy link

dfawley commented Jul 29, 2024

I'm not sure, but the security advisory in our repo shows the CVE ID linked correctly:

GHSA-m425-mq94-257g

@darakian
Copy link
Contributor

darakian commented Jul 29, 2024

Apologies about that but we have that CVE id linked over here
GHSA-qppj-fm5r-hxr3
Our system only allows for one GHSA to have any given CVE hence why
GHSA-m425-mq94-257g
shows up without the CVE linked.

@darakian darakian closed this Jul 29, 2024
@neilcar
Copy link
Author

neilcar commented Jul 29, 2024

@darakian Is there a discussion of this (only one GHSA can be linked to a CVE) anywhere? This seems deeply problematic for anybody who is parsing this data.

@darakian
Copy link
Contributor

We certainly do discuss it internally, but it's not an easy thing to "fix". There's more public discussion of it over here
#2869
which links out to other PRs like this one.

From a parsing perspective it's probably better to key off affected artifacts rather than CVE ids

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants