[GHSA-c438-8cvq-pxxx] Apache Tapestry Unsafe Object Storage
Comments
Add a patch https://github.com/apache/tapestry-5/commit/95846b173d83c2eb42db75dae3e7d5e13a633946, whose commit message reads "TAP5-2008: Implement HMAC signatures on object streams stored on the client", which is the same commit message as the existing patch commit in the current reference links.
Hi @MarkLee131, I'm not merging the addition because https://github.com/apache/tapestry-5/commit/95846b173d83c2eb42db75dae3e7d5e13a633946 is a duplicate reference. The advisory already has https://github.com/apache/tapestry-5/commit/5ad5257fdfacbad2c7c480fdf2afa15d9a37e6b0, the fix commit tagged for the 5.3 branch. There is no vulnerable version on the 5.4 branch that we're aware of, which makes https://github.com/apache/tapestry-5/commit/95846b173d83c2eb42db75dae3e7d5e13a633946 unnecessary as https://github.com/apache/tapestry-5/commit/5ad5257fdfacbad2c7c480fdf2afa15d9a37e6b0 is already present.
Hello @shelbyc,
Sorry for the delayed reply. I appreciate your perspective on this issue and understand the concern regarding duplicate references. However, I believe the commit apache/tapestry-5@95846b1, though appearing similar, offers additional value. This commit impacts a different version of the software, which could provide useful insights for users maintaining legacy systems or dealing with version-specific variations.
Could we consider annotating the existing entry to note the relevance of this commit to other versions, or discuss further the criteria used for evaluating patch commits? I'm keen to contribute effectively to the comprehensiveness of the GitHub Advisory Database and would value your guidance on how best to proceed.
Thank you for considering my viewpoint.
Hi @MarkLee131, in this case, there is only one fixed version, 5.3.6. Only versions prior to 5.3.6 are marked as vulnerable, so https://github.com/apache/tapestry-5/commit/95846b1 is not relevant to the vulnerable version range. The fix commit for 5.3.6 becomes a part of subsequent versions, so there is no need to add the commit as it appears in subsequent versions because those versions were never part of a vulnerable branch.
I checked https://mvnrepository.com/artifact/org.apache.tapestry/tapestry-core just in case there were any pre-release versions of 5.4 that were vulnerable, but the earliest versions of 5.4 I could find were released in 2014, after the patch was committed in 2012.
> I'm keen to contribute effectively to the comprehensiveness of the GitHub Advisory Database and would value your guidance on how best to proceed.
This is a good point and we're happy to improve our community contribution guidance. 🙂 What specifically would be most helpful for you to have more guidance on?