feat(plugin-auth-backend): resolve CVE-2021-39171 #7095
Conversation
🦋 Changeset detected. Latest commit: 21ce17d. The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages.
Signed-off-by: Andrew Ellis <awellis89@gmail.com>
cert: config.getOptionalString('cert'), | ||
privateCert: config.getOptionalString('privateKey'), | ||
cert: config.getString('cert'), | ||
privateKey: config.getOptionalString('privateKey'), |
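Review bot: two user-visible behaviour changes ride along with the dependency bump in this hunk and both deserve a line in the changeset. First, `cert` moves from config.getOptionalString('cert') to config.getString('cert'), so any deployment whose auth.saml section omits cert will now fail at startup instead of silently running without a configured IdP certificate; that is the right direction for a signature-validation fix, but it is a breaking config change and should be called out explicitly rather than only in the PR description. Second, the passport-saml option passed is renamed from privateCert to privateKey while the Backstage config key stays 'privateKey', so users who never set it are unaffected, but the changeset should say that the rename is on the library side only. Consider also pointing at where operators can obtain the IdP signing certificate, since the option is now mandatory.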
privateCert was deprecated, and removed, here.
Hi! Thanks for looking at this. Haven't reviewed yet, but see #7015 which addresses the same. Due to the stability level of this package and the breaking change that this implies, it's awaiting merge a little longer.
@freben I'm wondering if because it's a CVE do we not just merge the fix and get it out sooner rather than later and just accept that we broke the stability index because of a security issue? Not really sure what other projects do here tbf.
@freben your change is identical. I don't know why I couldn't find it before I did this work ha. Yours has a better change log message too, so I'll close this out in favor of yours. 🍻
Hey, I just made a Pull Request!
passport-saml@^2.0.0 installs a version that flags code scans with CVE-2021-39171. This bumps the package to 3.1.0, which includes a resolution for this CVE. Due to the 2.0.0 -> 3.1.2 upgrade, the auth.saml.cert config parameter is now required.
Signed-off-by line in the message. (more info)