-
-
Notifications
You must be signed in to change notification settings - Fork 78.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Github considers bootstrap 3.4.0 as insecure #27915
Comments
I guess someone should submit info that this was also fixed in 3.4.0. |
I've sent this off to NIST, who I believe is the responsible party for vulnerable version information:
|
Thanks @bardiharborow, let us know how it goes. |
Does GitHub still warn about this? |
NIST got back to me 9 hours ago with:
@XhmikosR, do you know why https://snyk.io/vuln/npm:bootstrap:20160627 says |
@bardiharborow: nope. I don't know where they get the info from. One of the two is wrong :P |
Hey there, hoping to get an additional update added here. A member of the Debian LTS team checked out earlier versions of bootstrap (one of which we are using) and declared it did not contain the vulnerability: #26627 (comment) Compare that to the current vulnerability entry: https://nvd.nist.gov/vuln/detail/CVE-2018-14041#VulnChangeHistorySection Specifically, my company is still using 3.3.7 and is not prepared to upgrade. Github's vulnerability tracker uses this database to notify us that our project is insecure, however based on what I've seen that is not the case. If a member of the team could confirm the statement by the Debian team member, as well as contact [email protected] regarding any updates, I'm sure many developers would appreciate removing a warning from their Github repos and other security auditing tools using this database. |
3.3.7 is affected. 3.4.0 is not. |
I have some more info for you guys, Snyk seems to get their info from CVE database at https://cve.mitre.org so they need to be contacted as well. |
https://nvd.nist.gov/vuln/detail/CVE-2018-14040 and https://nvd.nist.gov/vuln/detail/CVE-2018-14042 still show bootstrap 3.4.0 as affected, but I can see the updated changes for https://nvd.nist.gov/vuln/detail/CVE-2018-14041. If the above is correct, @bardiharborow can you please intimate the same to NIST for 14040 and 14042 as well. Thanks! |
Okay, I've worked out what's happening here:
|
|
Email to NIST:
|
I have coordinated with MITRE to issue three new CVEs as above, and have edited a number of pull requests to make clear which CVEs are involved in which. I'm waiting for confirmation from NIST/NVD on a few things, and then will be in touch with Synk to sort out their database. |
@bardiharborow: is this sorted out? |
I still need to confirm that GitHub has updated their database. Perhaps @GeyseR could check on their end? |
hey @bardiharborow, |
OK, so I guess we can close this for now. If it's not fixed, let us know with a comment. |
Github considers Bootstrap 3.4.0 an insecure dependency via its security vulnerability alerts tool. It points to the NVD CVE-2018-14041 page, which shows that only >4.1.2 is secure. Is 3.4.0 safe to use as it has a fix for the npm:bootstrap:20160627 vulnerability or it is something different?
A screenshot from one of our private projects:
The text was updated successfully, but these errors were encountered: