security vulnerability in tar v6.2.0 #393
Comments
Need to check the possibility to upgrade without losing other systems. Essentially this is not an issue, as the only thing node-pre-gyp uses tar for is downloading the precompiled binary from GitHub. If you don't trust the tar file you also should not / never trust the binary, as this might include arbitrary compiled code. TL;DR:
Still a dev version. Is this really that important that we should consider a not-final dev version? This feels a bit odd to me. Let's wait for a final. Feel free to ping if it's not a -dev version anymore.
@julianhille The major issue is because of the vulnerability. "@mapbox/node-pre-gyp" is added as bundleDependencies and I cannot override the tar version.
AFAIK, the vulnerability is not exploitable by any other system than node-pre-gyp while installing muhammara (or updating the binary from GitHub). What I try to say is, this is not really a vulnerability which anyone can use to get access to your deployment, wherever / however this is running. Anyway, there will be a fix shortly.
Fixed with: #366
@julianhille I tried npm update; it's not fixing the issue. When will muhammara release a version for this fix?
As far as I know, I fixed the building issues.
No, it's not solved. I did npm install and npm update but it's not resolving the vulnerability issue.
I'm not sure what you are talking about exactly. Muhammara has not been released to npmjs, hence you cannot update through npm with a version number and npmjs as source / repository for the versions. To check if this is still an issue you would need to install from the GitHub repository.
@julianhille When will we have a new version, any approximate idea?
Can't say; must investigate why electron is not building since v28 on ubuntu runners anymore.
@julianhille Okay, thanks, but do you have any ETA for the new version? We will need to raise 1 exception because of the security vulnerability.
Installing the module from GitHub directly resolves the security vulnerabilities. @mapbox/node-pre-gyp is loading with version 1.0.11, which resolves CVE-2024-28863. Let's hope this is published as soon as possible.
I just wanted to state that again to make sure. This security vulnerability is just a security note, not really exploitable. And to be one:
If these two issues happen at the same time, this is one of the smaller issues you've got. :> Anyway, I'm currently having issues in getting electron 32 and gcc and the CI to comply with building without failing. If that is solved (I'm currently putting a lot of effort at night into it), I can release.
Hi @julianhille
I hope August but think it will be September. But I can't guarantee anything. I've got 5 kids, a full-time job, a house to renovate and not much from this project as in compensation, which is totally fine. This should just show that this is not on the very top of the priority list and I'm trying to keep up and use my spare time here at the moment. Hope you can understand.
@julianhille Thank you so much for providing the new version. We don't have any vulnerability now, but after the upgrade I am getting the error: Error: /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.31' not found (required by /home/test/node_modules/muhammara/binding/muhammara.node)
You need to install another glibc or upgrade your docker container.
@julianhille I am on a lower docker image which is using "GLIBCXX_3.4.28". Is it possible to have only a patch on the previous version with the vulnerability update only?
Will take a look.
Ahh, no it's not, as far as I know. That's why I had to do 5.0.0, because ubuntu 18.04 is not there as a runner anymore.
@julianhille I am using docker image: node:18.20.4-bullseye-slim, which is using OS Debian GNU/Linux 11 (bullseye). Earlier, version 4.1.0 was working fine with this docker image. But now it's failing with error: To make this version work, please let me know which OS will support this. Also, it will be a big challenge for us if I have to do a major OS upgrade just for this; is there no possibility that I can make this new version work in my node:18.20.4-bullseye-slim image? @imagineer-aman FYI
You have some possibilities, but they are rather limited:
I thought about a possible 4.x version but this is rather cumbersome and error prone, as I would have to copy and move all the files around by hand. This takes hours and no one really can help there, as this is a "this needs much trust" task which can only be done manually.
@julianhille Yes, we are also facing challenges finding any solution.
Yes there is, but that takes, as stated before, a whole bunch of manual effort. :/
BTW you could switch to ubuntu 20.04 or later. node:18.20-alpine should work too.
@julianhille What is the plan for #423?
Trying to get it running, but this seems a whole lot of effort.
@julianhille Any updates about #423?
Not as easy as expected. Need to compile gcc 13 myself. Takes loads of time, then misses the cc command.
We have a security vulnerability in tar which is in @mapbox/node-pre-gyp.
[email protected]
└─┬ @mapbox/[email protected]
└── [email protected]
@mapbox/node-pre-gyp has released an intermediate version resolving these issues: https://www.npmjs.com/package/@mapbox/node-pre-gyp/v/1.1.0-dev.1
Can we get an update in muhammara as well for this? We are getting security vulnerability findings due to this.