[Geoserver-devel] Reporting back on CVE-2023-35042 "update" via GitHub database

Follow up to this week’s meeting.

As research for GSIP-220 I have made second attempt to update CVE-2023-35042 via a pull request to GitHub advisory database.

As part of the pull-request review the following were updated:

CVE-2023-35042

And although I cannot quite tell what was changed the original jai-ext one was updated also:

CVE-2022-24816

The process was much more positive/successful then the attempt at working via MITRE.

···


Jody Garnett

Op 20-09-2023 om 03:39 schreef Jody Garnett:

Follow up to this week's meeting.

As research for GSIP-220 I have made second attempt to update CVE-2023-35042 via a pull request <https://github.com/github/advisory-database/pull/2721&gt; to GitHub advisory database.

As part of the pull-request review the following were updated:

CVE-2023-35042

  * https://github.com/advisories/GHSA-59x6-g4jr-4hxc
    <https://github.com/advisories/GHSA-59x6-g4jr-4hxc&gt;

And although I cannot quite tell what was changed the original jai-ext one was updated also:

CVE-2022-24816

  * https://github.com/advisories/GHSA-v92f-jx6p-73rx
    <https://github.com/advisories/GHSA-v92f-jx6p-73rx&gt;

The process was much more positive/successful then the attempt at working via MITRE.

The problem is that these changes don't propagate "up"'; unless GH is the CNA (CVE Numbering Authority == assigner of the CVE) the changes are on the GH side only and not in the MITRE database (https://www.cve.org/CVERecord?id=CVE-2023-35042) or the widely used NVD data/api's (https://nvd.nist.gov/vuln/detail/CVE-2023-35042)

I know the pain of trying to work with Mitre (and Sonatype as well) and unresponsive reporters; it's very discouraging at best.

Mark

Indeed,

I am not sure about working with MITRE after our initial poor experience. Maybe if we can push up a link to the project issue or something which we control?

Still the goal of GSIP-220 proposal is to use the GitHub security advisory database to request new CVE numbers. I think it is a worthwhile step for managing known issues and improving interactions.

Jody

On Wed, Sep 20, 2023 at 5:29 AM mark <mc.prins@anonymised.com> wrote:

Op 20-09-2023 om 03:39 schreef Jody Garnett:

Follow up to this week’s meeting.

As research for GSIP-220 I have made second attempt to update
CVE-2023-35042 via a pull request
<https://github.com/github/advisory-database/pull/2721> to GitHub
advisory database.

As part of the pull-request review the following were updated:

CVE-2023-35042

And although I cannot quite tell what was changed the original jai-ext
one was updated also:

CVE-2022-24816

The process was much more positive/successful then the attempt at
working via MITRE.

The problem is that these changes don’t propagate “up”'; unless GH is
the CNA (CVE Numbering Authority == assigner of the CVE) the changes are
on the GH side only and not in the MITRE database
(https://www.cve.org/CVERecord?id=CVE-2023-35042) or the widely used NVD
data/api’s (https://nvd.nist.gov/vuln/detail/CVE-2023-35042)

I know the pain of trying to work with Mitre (and Sonatype as well) and
unresponsive reporters; it’s very discouraging at best.

Mark


Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel