
fix(host-metrics): bump minimum systeminformation version to 5.21.20 (security) #1868

Merged
merged 3 commits into from
Dec 19, 2023

Conversation

yoanyomba2023
Contributor

…n vulnerability in systeminformation

Which problem is this PR solving?

In the current version of the systeminformation library used by the host metrics package, a pretty serious vulnerability exists. That being the arbitrary command injection. This pull request addresses that by bumping the version of the library.

Short description of the changes

This change is only comprised of a version bump.

…n vulnerability in systeminformation

Signed-off-by: yyomba <yyomba@salesforce.com>
@yoanyomba2023 yoanyomba2023 requested a review from a team December 18, 2023 18:58

linux-foundation-easycla bot commented Dec 18, 2023

CLA Signed

The committers listed above are authorized under a signed CLA.

@pichlermarc
Member

Hi @yoanyomba2023 thanks for opening this PR and letting us know about this.

While this is not exploitable in the way we use it in the @opentelemetry/host-metrics package (we don't use any of the functions with direct user input), and we do pull in the latest version (as we use a caret-range for this package), I agree that we should bump the minimum supported version to what you proposed.

A side note: please use GitHub's Report a vulnerability button on the Security tab for any future vulnerability reports as outlined in our security policy. This opens a private communication channel where maintainers can review reports of any potential vulnerabilities before publicly disclosing them via a GitHub security advisory. It also allows us to work on a fix in a private fork to ensure we don't give malicious actors a head-start before a fix for our users is available, and it also notifies maintainers in a different way than a PR would. All this allows us to address fixes quicker than via a regular PR.

@pichlermarc pichlermarc changed the title chore: bump system info version to address arbitrary command injectio… fix(host-metrics): bump minimum systeminformation version to 5.21.20 (security) Dec 19, 2023
@pichlermarc
Member

I took the liberty to sync the package-lock.json and changed the PR title so that release-please properly triggers a release. 🙂
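The two maintainer comments above make a point that is easy to get wrong in a dependency bump: a caret range in package.json only sets a floor (new installs pull whatever the latest matching release is), while package-lock.json pins what CI and consumers actually install, so both the range's lower bound and the lock-resolved version have to be at or above the patched release. The following is an added example, not code from this PR or from opentelemetry-js-contrib. It assumes the npm lockfile v2/v3 layout (`packages["node_modules/<name>"].version`), plain X.Y.Z versions without prerelease tags, and uses constructed package.json / package-lock.json fragments: the pre-bump range `^5.0.0` and resolved version `5.18.0` are made up for illustration, only 5.21.20 comes from the PR.

```javascript
// Added example (not part of the PR): verify that a dependency's declared range
// AND its lock-resolved version are both at or above a patched version.
// Assumption: plain X.Y.Z versions only (no prerelease/build tags).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// -1 if a < b, 0 if equal, 1 if a > b (numeric per component, not lexical).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of a declared range: "^1.2.3", "~1.2.3" and "1.2.3" all have
// minimum 1.2.3. Other range syntaxes are rejected rather than guessed at.
function rangeMinimum(range) {
  const m = /^[\^~]?(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m[1];
}

// Returns a list of human-readable findings; an empty list means the
// dependency is pinned at or above fixedVersion in both files.
function auditDependency(pkgJson, lockJson, name, fixedVersion) {
  const findings = [];
  const range = (pkgJson.dependencies || {})[name];
  if (!range) {
    findings.push(`${name}: not declared in dependencies`);
    return findings;
  }
  const min = rangeMinimum(range);
  if (compareVersions(min, fixedVersion) < 0) {
    findings.push(`${name}: range ${range} still permits ${min} < ${fixedVersion}`);
  }
  // npm lockfile v2/v3 keys packages by their install path.
  const lockEntry = (lockJson.packages || {})[`node_modules/${name}`];
  if (!lockEntry) {
    findings.push(`${name}: not found in lockfile`);
  } else if (compareVersions(lockEntry.version, fixedVersion) < 0) {
    findings.push(`${name}: lockfile resolves ${lockEntry.version} < ${fixedVersion}`);
  }
  return findings;
}

// Constructed fragments (not the project's real files). 5.21.20 is the
// minimum version this PR bumps to; the "before" values are illustrative.
const FIXED_VERSION = '5.21.20';
const BEFORE_PKG = { dependencies: { systeminformation: '^5.0.0' } };
const BEFORE_LOCK = { packages: { 'node_modules/systeminformation': { version: '5.18.0' } } };
const AFTER_PKG = { dependencies: { systeminformation: '^5.21.20' } };
const AFTER_LOCK = { packages: { 'node_modules/systeminformation': { version: '5.21.20' } } };

function runExample() {
  return {
    before: auditDependency(BEFORE_PKG, BEFORE_LOCK, 'systeminformation', FIXED_VERSION),
    after: auditDependency(AFTER_PKG, AFTER_LOCK, 'systeminformation', FIXED_VERSION),
  };
}

const result = runExample();
console.log('before bump:', result.before);
console.log('after bump :', result.after);
```

Bumping only package.json without syncing the lockfile would leave the first check clean but the second failing, which is exactly the case the maintainer's lockfile sync closes; the check is cheap enough to run in CI against any dependency with a known patched version.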


codecov bot commented Dec 19, 2023

Codecov Report

Merging #1868 (598f9f9) into main (7e335c7) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1868   +/-   ##
=======================================
  Coverage   91.45%   91.45%           
=======================================
  Files         144      144           
  Lines        7406     7406           
  Branches     1483     1483           
=======================================
  Hits         6773     6773           
  Misses        633      633           

@pichlermarc pichlermarc merged commit c59e666 into open-telemetry:main Dec 19, 2023
19 checks passed
@dyladan dyladan mentioned this pull request Dec 19, 2023
david-luna pushed a commit to david-luna/opentelemetry-js-contrib that referenced this pull request Dec 27, 2023
…(security) (open-telemetry#1868)

* chore: bump system info version to address arbitrary command injection vulnerability in systeminformation

Signed-off-by: yyomba <yyomba@salesforce.com>

* chore: sync package-lock.json

---------

Signed-off-by: yyomba <yyomba@salesforce.com>
Co-authored-by: Marc Pichler <marc.pichler@dynatrace.com>
@yoanyomba2023
Contributor Author

> I took the liberty to sync the package-lock.json and changed the PR title so that release-please properly triggers a release. 🙂

hey @pichlermarc thank you so much for the approval. On the module (host metrics) npm page, the version is still 0.34.0 which was released a month ago. Please reference: https://www.npmjs.com/package/@opentelemetry/host-metrics.

I was wondering if the release failed by chance or didn't run?
Could you re-trigger the pipeline run if possible?

@trentm
Contributor

trentm commented Jan 4, 2024

> I was wondering if the release failed by chance or didn't run?

@yoanyomba2023 There just hasn't yet been a release of packages in this repo since this issue was merged two weeks ago.
It will be included in the next release; see #1855
I don't know exactly when that will be released, but I'm guessing fairly soon.
