[CVE-2017-16100] Use a patched version of dns-sync
#7811
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AMoo-Miki
requested review from
ananzh,
kavilla,
ashwin-pc,
joshuarrrr,
abbyhu2000,
zengyan-amazon,
zhongnansu,
manasvinibs,
ZilongX,
Flyingliuhub,
curq,
bandinib-amzn,
SuZhou-Joe,
ruanyl,
BionIT,
xinruiba,
zhyuanqi,
mengweieric,
LDrago27,
virajsanghvi,
sejli and
joshuali925
as code owners
ZilongX
previously approved these changes
Aug 22, 2024
opensearch-changeset-bot bot
added a commit
to AMoo-Miki/OpenSearch-Dashboards
that referenced
this pull request
Aug 22, 2024
AMoo-Miki
force-pushed
the
fix-2017-16100
branch
from
868f9a2 to
01007c1
Compare
opensearch-changeset-bot bot
added a commit
to AMoo-Miki/OpenSearch-Dashboards
that referenced
this pull request
Aug 22, 2024
AMoo-Miki
force-pushed
the
fix-2017-16100
branch
from
460c434 to
4a2328f
Compare
ruanyl
approved these changes
Aug 23, 2024
ruanyl
reviewed
Aug 23, 2024
| @@ -190,7 +190,7 @@ | |||
| "core-js": "^3.6.5", | |||
| "deep-freeze-strict": "^1.1.1", | |||
| "del": "^6.1.1", | |||
| "dns-sync": "^0.2.1", | |||
| "dns-sync": "npm:@amoo-miki/dns-sync@^0.2.1", | |||
There was a problem hiding this comment.
@AMoo-Miki I have been thinking why not publishing under @opensearch-project? Or do we have the plan to move these forked packages to @opensearch-project?
There was a problem hiding this comment.
While we could, publishing them under the project name would create an expectation of ownership and support which we don't have the bandwidth for.
There was a problem hiding this comment.
the only concern is it might not be scale to put on personal repo just for one fix. but it should be ok if we don't have other option.
seraphjiang
approved these changes
Aug 23, 2024
seraphjiang
approved these changes
Aug 23, 2024
| @@ -190,7 +190,7 @@ | |||
| "core-js": "^3.6.5", | |||
| "deep-freeze-strict": "^1.1.1", | |||
| "del": "^6.1.1", | |||
| "dns-sync": "^0.2.1", | |||
| "dns-sync": "npm:@amoo-miki/dns-sync@^0.2.1", | |||
There was a problem hiding this comment.
the only concern is it might not be scale to put on personal repo just for one fix. but it should be ok if we don't have other option.
seraphjiang
reviewed
Aug 23, 2024
| @@ -0,0 +1,2 @@ | |||
| security: | |||
There was a problem hiding this comment.
not related to this PR.
in 2.14 we proved we could generate release note without changelog file. the maintainers should consider deprecate the needs of this file and simplify the contribution process
There was a problem hiding this comment.
This is the auto-generated one.
ZilongX
approved these changes
Aug 23, 2024
There are many [abandoned] packages that use my patched releases :) |
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-1.3
# Create a new branch
git switch --create backport/backport-7811-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 dcd170aa7d6ee0d09bbd0f8d397a93e5a73d8f67
# Push it to GitHub
git push --set-upstream origin backport/backport-7811-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-1.3Then, create a pull request where the |
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-2.x 2.x
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-2.x
# Create a new branch
git switch --create backport/backport-7811-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 dcd170aa7d6ee0d09bbd0f8d397a93e5a73d8f67
# Push it to GitHub
git push --set-upstream origin backport/backport-7811-to-2.x
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-2.xThen, create a pull request where the |
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Sep 10, 2024
* [CVE-2017-16100] Use a patched version of `dns-sync` Signed-off-by: Miki <miki@amazon.com> * Changeset file for PR #7811 created/updated --------- Signed-off-by: Miki <miki@amazon.com> Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com> Co-authored-by: ZilongX <99905560+ZilongX@users.noreply.github.com> (cherry picked from commit dcd170a) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
|
The backport to To backport manually, run these commands in your terminal: # Navigate to the root of your repository
cd $(git rev-parse --show-toplevel)
# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add ../.worktrees/OpenSearch-Dashboards/backport-1.3 1.3
# Navigate to the new working tree
pushd ../.worktrees/OpenSearch-Dashboards/backport-1.3
# Create a new branch
git switch --create backport/backport-7811-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 dcd170aa7d6ee0d09bbd0f8d397a93e5a73d8f67
# Push it to GitHub
git push --set-upstream origin backport/backport-7811-to-1.3
# Go back to the original working tree
popd
# Delete the working tree
git worktree remove ../.worktrees/OpenSearch-Dashboards/backport-1.3Then, create a pull request where the |
AMoo-Miki
added a commit
to AMoo-Miki/OpenSearch-Dashboards
that referenced
this pull request
Sep 10, 2024
|
Manually backported to 1.3. |
AMoo-Miki
added a commit
that referenced
this pull request
Sep 10, 2024
AMoo-Miki
pushed a commit
that referenced
this pull request
Sep 11, 2024
* [CVE-2017-16100] Use a patched version of `dns-sync` * Changeset file for PR #7811 created/updated --------- (cherry picked from commit dcd170a) Signed-off-by: Miki <miki@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com> Co-authored-by: ZilongX <99905560+ZilongX@users.noreply.github.com>
opensearch-trigger-bot bot
pushed a commit
that referenced
this pull request
Sep 11, 2024
* [CVE-2017-16100] Use a patched version of `dns-sync` * Changeset file for PR #7811 created/updated --------- (cherry picked from commit dcd170a) Signed-off-by: Miki <miki@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com> Co-authored-by: ZilongX <99905560+ZilongX@users.noreply.github.com> (cherry picked from commit a8fca1c) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
ashwin-pc
pushed a commit
that referenced
this pull request
Sep 13, 2024
…8145) * [CVE-2017-16100] Use a patched version of `dns-sync` * Changeset file for PR #7811 created/updated --------- (cherry picked from commit dcd170a) (cherry picked from commit a8fca1c) Signed-off-by: Miki <miki@amazon.com> Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> Co-authored-by: opensearch-changeset-bot[bot] <154024398+opensearch-changeset-bot[bot]@users.noreply.github.com> Co-authored-by: ZilongX <99905560+ZilongX@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
[CVE-2017-16100] Use a patched version of
dns-syncdns-sync
The library hasn't been updated in years. Even though an upstream PR was created, due to the criticality of the CVE, until upstream package is updated a patched version is employed.
Changelog
dns-syncdependencyCheck List
yarn test:jestyarn test:jest_integration