Hi List,

GitHub has identified a security issue in the ganeti/docs[1] repository.

I don't know much about these web things, so I'm sharing my thoughts here to get some feedback on how to handle this.

GitHub suspects that we use the underscore JavaScript library in an npm project? I understand this as a server-side vulnerability? However, the docs are static content generated by Sphinx, which basically means that if there is any risk, it's client-side. Does anybody know if there is a risk with clients? If so, we need to change it in every Ganeti version.

I can't find any information on how this vulnerability was discovered. Does GitHub just look for the version? If so, it won't even detect a Debian-fixed version[2].

Thanks,
Sascha.

[1] https://docs.ganeti.org/
[2] https://sources.debian.org/patches/underscore/1.9.1%7Edfsg-1+deb10u1/CVE-2021-23358.patch/

---------- Forwarded message ----------
Date: Fri, 07 May 2021 04:05:53 +0000 (UTC)
From: GitHub <[email protected]>
Reply-To: ganeti/GHSA-cf4h-3jhx-xvhq <[email protected]>
To: ganeti/GHSA-cf4h-3jhx-xvhq <[email protected]>
Cc: Security alert <[email protected]>
Subject: [ganeti] A security advisory on underscore affects at least one of your repositories

1 repository in your ganeti organization might be affected by a security vulnerability in underscore

Arbitrary Code Execution in underscore (high severity)

underscore (npm) used in 1 repository:
- ganeti/docs - Vulnerability found in _static/underscore.js
  https://github.com/ganeti/docs/security/dependabot/_static/underscore.js/underscore/open

---
Learn more about the security advisory here:
https://github.com/advisories/GHSA-cf4h-3jhx-xvhq/dependabot?query=user:ganeti

--
To view this discussion on the web visit https://groups.google.com/d/msgid/ganeti-devel/alpine.DEB.2.22.394.2105111726050.153312%40eyu.loc.
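As an added example that is not part of Sascha's message or of the Ganeti project's own tooling: the question of whether GitHub "just looks for the version" can be checked locally with a small banner scanner. The script below walks a Sphinx build tree (or the docs repository), finds every bundled underscore*.js, reads the "Underscore.js x.y.z" banner at the top of the file and compares it against the affected version ranges for GHSA-cf4h-3jhx-xvhq / CVE-2021-23358. The ranges encoded in AFFECTED_RANGES are my recollection of the GitHub advisory and should be verified against the advisory link in the forwarded mail; the sample files the script builds are constructed for the demonstration. It also shows the limitation the message raises: a distro-patched copy such as Debian's 1.9.1~dfsg-1+deb10u1 keeps its 1.9.1 banner, so a banner-only check reports it as affected even though the template function has been fixed.

```python
"""Scan a docs tree for bundled underscore.js copies and report whether the
version banner of each one falls inside a known-affected range.
Added example; not Ganeti project code."""
import os
import re
import tempfile

# Banner as shipped at the top of underscore.js, e.g.
# "//     Underscore.js 1.9.1" or "//     Underscore.js 1.13.0-1".
BANNER_RE = re.compile(r"Underscore\.js\s+(\d+)\.(\d+)\.(\d+)(?:-(\d+))?")


def version_key(major, minor, patch, pre=None):
    """Sort key for a version; a final release orders after its pre-releases,
    as in semver (1.13.0-1 < 1.13.0-2 < 1.13.0)."""
    return (major, minor, patch, 1 if pre is None else 0, pre or 0)


# Affected ranges for GHSA-cf4h-3jhx-xvhq / CVE-2021-23358 as I recall them
# from the GitHub advisory (assumption: verify against the advisory page):
# >=1.3.2 <1.12.1 and >=1.13.0-0 <1.13.0-2.
AFFECTED_RANGES = [
    (version_key(1, 3, 2), version_key(1, 12, 1)),
    (version_key(1, 13, 0, 0), version_key(1, 13, 0, 2)),
]


def parse_banner(text):
    """Return the version key from an underscore.js banner, or None."""
    m = BANNER_RE.search(text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return version_key(int(major), int(minor), int(patch),
                       None if pre is None else int(pre))


def banner_is_affected(key):
    """True if the banner version lies inside one of the affected ranges."""
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


def scan_docs(root):
    """Walk ROOT and return (relative path, version key, affected?) triples.
    affected is None when no banner could be parsed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("underscore") and name.endswith(".js")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                key = parse_banner(fh.read(2048))  # banner is in the header
            affected = None if key is None else banner_is_affected(key)
            findings.append((os.path.relpath(path, root), key, affected))
    return sorted(findings)


def build_sample_tree(base):
    """Write constructed sample files mimicking several docs builds."""
    samples = {
        # upstream 1.9.1 as bundled by older Sphinx: inside the affected range
        "v2.15/_static/underscore.js": "//     Underscore.js 1.9.1\n",
        # Debian-patched copy keeps the same banner, so it is ALSO flagged:
        # a banner check cannot tell it apart from the unpatched file
        "debian/_static/underscore.js":
            "//     Underscore.js 1.9.1\n// patched for CVE-2021-23358\n",
        # newer release outside the affected ranges
        "v3.0/_static/underscore-1.13.1.js": "//     Underscore.js 1.13.1\n",
    }
    for rel, body in samples.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        results = scan_docs(build_sample_tree(tmp))
        for rel, key, affected in results:
            status = {True: "AFFECTED", False: "ok", None: "no banner"}[affected]
            print(f"{rel}: {status} (key={key})")
        return results


if __name__ == "__main__":
    demo()
```

Running it prints three lines; both 1.9.1 copies are reported as affected, which is exactly why a banner scan (or a scanner keyed on the version string) is only a first pass: confirming a distro-backported fix needs a look at the patched template code itself, not just the header.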
