
Fix CVE-2017-1000487 security alert #7173

Merged
merged 2 commits into from
Apr 1, 2021

Conversation

Collaborator

@xumia xumia commented Mar 29, 2021

Why I did it

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

How I did it

Upgrade to 3.0.16

How to verify it

Which release branch to backport (provide reason below if selected)

  • 201811
  • 201911
  • 202006
  • 202012

Description for the changelog

A picture of a cute animal (not mandatory but encouraged)
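To make the vulnerability class named in the description concrete, here is an added Python illustration. It is not plexus-utils' code and does not reproduce the library's exact defect; it assumes only the general mechanism the CVE summary describes: an argument placed inside double quotes on a shell command line still has `$`, backtick and backslash sequences expanded by the shell, so a quoting routine that does not account for that lets attacker-controlled text run as a command. The `quote_naive` routine and the `SAMPLE` argument are constructed for this example; `quote_safe` delegates to the standard library's `shlex.quote`.

```python
"""Added illustration (not plexus-utils code): why mishandling the contents of
double-quoted strings when building a shell command line enables command
injection, and what a correct argument-quoting routine looks like."""
import shlex
import subprocess


def quote_naive(arg: str) -> str:
    """Weak quoting, constructed for this example: wrap the argument in double
    quotes and escape only embedded double quotes. Inside double quotes a POSIX
    shell still performs command substitution and variable expansion, so $(...),
    `...` and $VAR inside the argument are interpreted, not passed through."""
    return '"' + arg.replace('"', '\\"') + '"'


def quote_safe(arg: str) -> str:
    """Correct quoting: shlex.quote single-quotes the argument (no expansion of
    any kind happens inside single quotes) and splices embedded single quotes in
    through a short double-quoted segment."""
    return shlex.quote(arg)


def echo_through_shell(quoted_arg: str) -> str:
    """Hand the already-quoted argument to /bin/sh as part of a command line and
    return the argument value the child process actually received."""
    cmd = "printf '%s' " + quoted_arg
    result = subprocess.run(
        ["sh", "-c", cmd], capture_output=True, text=True, check=True
    )
    return result.stdout


def survives_round_trip(arg: str, quoter) -> bool:
    """True when the argument reaches the child process byte-for-byte unchanged,
    i.e. the quoter neutralised every shell metacharacter."""
    return echo_through_shell(quoter(arg)) == arg


# Constructed sample argument: a harmless command substitution that a correct
# quoter must pass through literally and never let the shell execute.
SAMPLE = "report $(echo INJECTED).txt"

if __name__ == "__main__":
    print("naive :", repr(echo_through_shell(quote_naive(SAMPLE))))
    print("safe  :", repr(echo_through_shell(quote_safe(SAMPLE))))
```

With the naive quoter the child receives `report INJECTED.txt`, proof that the shell ran the substitution embedded in the argument; with `shlex.quote` it receives the original text unchanged. The defensive takeaway is the one the upgrade delivers: whatever builds a command line must either avoid the shell entirely (pass an argument vector) or quote every argument with a routine known to be correct, rather than hand-rolled double quoting.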

@xumia xumia requested a review from lguohan as a code owner March 29, 2021 06:06
Collaborator Author

xumia commented Mar 29, 2021

@@ -0,0 +1,11 @@
--- ./thrift-0.11.0/contrib/thrift-maven-plugin/pom.xml 2021-03-29 05:20:22.046039640 +0000
+++ ./thrift-0.11.0/contrib/thrift-maven-plugin/pom_new.xml 2021-03-29 05:48:30.725383841 +0000
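Review bot: the `+++` header names `pom_new.xml` while the `---` header names `pom.xml`; since the intent is to modify the existing thrift-maven-plugin pom.xml in place, both headers should carry the same path (`./thrift-0.11.0/contrib/thrift-maven-plugin/pom.xml`), otherwise which file the patch targets depends on how the patch tool reconciles the mismatched names. The timestamps on both header lines can be dropped too; they carry no information for a checked-in patch.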
Collaborator

@qiluo-msft qiluo-msft Mar 29, 2021


Is this a patch from upstream? If not, why did you change the filename? #Closed

Collaborator Author

@xumia xumia Mar 29, 2021


@qiluo-msft, can we simply change ./thrift-0.11.0/contrib/thrift-maven-plugin/pom_new.xml to ./thrift-0.11.0/contrib/thrift-maven-plugin/pom.xml?
I have tested src/thrift/patch/0002-cve-2017-1000487.patch; there is no difference when applying the patch with the command below:
patch -p1 < ../patch/0002-cve-2017-1000487.patch

@qiluo-msft qiluo-msft merged commit 812d753 into sonic-net:master Apr 1, 2021
daall pushed a commit that referenced this pull request Apr 2, 2021
abdosi pushed a commit that referenced this pull request Apr 8, 2021
Contributor

yxieca commented Apr 8, 2021

@xumia this change cannot be cherry-picked into the 201811 branch cleanly. Can you create a PR for the 201811 branch please?

xumia added a commit to xumia/sonic-buildimage-1 that referenced this pull request Apr 9, 2021
raphaelt-nvidia pushed a commit to raphaelt-nvidia/sonic-buildimage that referenced this pull request May 23, 2021
xumia added a commit that referenced this pull request Jul 7, 2021
carl-nokia pushed a commit to carl-nokia/sonic-buildimage that referenced this pull request Aug 7, 2021