Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"Fix" CVE-2024-49761 by just ignoring rexml for now #7104

Merged
merged 1 commit into from
Nov 1, 2024
Merged

"Fix" CVE-2024-49761 by just ignoring rexml for now #7104

merged 1 commit into from
Nov 1, 2024

Conversation

buggmagnet
Copy link
Contributor

@buggmagnet buggmagnet commented Oct 30, 2024
edited by faern
Loading

This PR fixes CVE-2024-49761 by upgrading rexml

This change is Reviewable

@buggmagnet buggmagnet added the iOS Issues related to iOS label Oct 30, 2024
@buggmagnet buggmagnet requested review from faern and mojganii October 30, 2024 09:37
@buggmagnet buggmagnet self-assigned this Oct 30, 2024
@linear Linear
Copy link

linear bot commented Oct 30, 2024

IOS-910 Fix rexml - the boogaloo empire strikes back

@buggmagnet buggmagnet force-pushed the fix-rexml-the-boogaloo-empire-strikes-back-ios-910 branch from 7b836aa to 1d980eb Compare October 30, 2024 09:55
@pinkisemils
Copy link
Collaborator

Would it not be better to ignore rexml in it's entirety?

buggmagnet
buggmagnet commented Oct 31, 2024
View reviewed changes
Copy link
Contributor Author

@buggmagnet buggmagnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can also do that, yes. I'll make the change

Reviewable status: 0 of 4 files reviewed, all discussions resolved

@buggmagnet buggmagnet force-pushed the fix-rexml-the-boogaloo-empire-strikes-back-ios-910 branch from 1d980eb to bc77ad1 Compare October 31, 2024 15:27
@faern
Copy link
Member

faern commented Oct 31, 2024

You still need an expiry date. I pointed this out on slack. No ignore is allowed to be indefinite. See instructions at top of root osv-scanner.toml

@buggmagnet buggmagnet force-pushed the fix-rexml-the-boogaloo-empire-strikes-back-ios-910 branch from bc77ad1 to 2eb7337 Compare November 1, 2024 08:32
buggmagnet
buggmagnet commented Nov 1, 2024
View reviewed changes
Copy link
Contributor Author

@buggmagnet buggmagnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@faern no matter what I tried yesterday, I couldn't get osv-scanner to ignore the vulnerability when I was using an expiry date, the tool was just complaining about an invalid format.
Clearly I was doing something wrong, cause today it worked immediately.
Should be fixed now.

Reviewable status: 0 of 4 files reviewed, all discussions resolved

pinkisemils
pinkisemils previously approved these changes Nov 1, 2024
View reviewed changes
Copy link
Collaborator

@pinkisemils pinkisemils left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 2 of 4 files at r2, 2 of 2 files at r4, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@buggmagnet buggmagnet force-pushed the fix-rexml-the-boogaloo-empire-strikes-back-ios-910 branch 2 times, most recently from 154ba23 to d4d6a19 Compare November 1, 2024 10:32
faern
faern previously approved these changes Nov 1, 2024
View reviewed changes
Copy link
Member

@faern faern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed 2 of 2 files at r5, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

ci/ios/upload-vm/osv-scanner.toml line 2 at r5 (raw file):

[[PackageOverrides]]
effectiveUntil = 2025-04-01

An ignore longer than three months should ideally have a comment about why. But not critical.

@faern
Copy link
Member

faern commented Nov 1, 2024

I'm trying to clarify the rules around ignoring entire packages with this PR: #7115

@buggmagnet buggmagnet force-pushed the fix-rexml-the-boogaloo-empire-strikes-back-ios-910 branch from d4d6a19 to 542b921 Compare November 1, 2024 11:00
@faern faern changed the title Fix CVE-2024-49761 by upgrading rexml "Fix" CVE-2024-49761 by just ignoring rexml for now Nov 1, 2024
faern
faern approved these changes Nov 1, 2024
View reviewed changes
Copy link
Member

@faern faern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:lgtm:

Reviewed 2 of 2 files at r6, all commit messages.
Reviewable status: :shipit: complete! all files reviewed, all discussions resolved

@buggmagnet buggmagnet merged commit 74d4fd9 into main Nov 1, 2024
8 checks passed
@buggmagnet buggmagnet deleted the fix-rexml-the-boogaloo-empire-strikes-back-ios-910 branch November 1, 2024 11:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@faern faern faern approved these changes

@pinkisemils pinkisemils pinkisemils left review comments

@mojganii mojganii Awaiting requested review from mojganii

@raksooo raksooo Awaiting requested review from raksooo raksooo is a code owner

@albin-mullvad albin-mullvad Awaiting requested review from albin-mullvad albin-mullvad is a code owner

Assignees

@buggmagnet buggmagnet

Labels
iOS Issues related to iOS
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@buggmagnet @pinkisemils @faern