oss-sec mailing list archives
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass
From: Phil Pennock <oss-security-phil () spodhuis org>
Date: Sun, 29 Oct 2023 15:51:53 -0400
On 2023-10-28 at 17:51 +0200, Salvatore Bonaccorso wrote:
> On Thu, Oct 12, 2023 at 10:39:53PM -0400, Phil Pennock wrote:
> > [ CVE has been requested, still waiting for assignment, so we're just inventing our own in-house numbering for advisories; we'll make sure this one continues to work after the CVE is issued ]
> >
> > NATS-advisory-ID: 2023-01
> > CVE: pending
> > Date: 2023-10-12
> > Fixed in: 2.9.23, 2.10.2
>
> While I see the later NATS-advisory-ID 2023-02 has a CVE assigned, 2023-01 was listed above with CVE pending. Has one been assigned in the meantime?
No. For 2023-01 I went with our existing procedure and requested an assignment from MITRE, just as in all prior cases. I got the automated acknowledgement (on Thursday 28th Sep, request ID 1532633). I've yet to get a CVE assignment.

So for the next one, I tried a new approach. I filled out the GitHub Security Advisory flow ahead of release, got a GHSA, and requested a CVE immediately. It looks like that was issued the next day.

Going forward, the NATS project will be using GitHub's processes for requesting a CVE assignment. Our documented procedures have been updated.

I'm adjusting our published text format to have known aliases near the top, to make it easier to cross-reference. For NATS advisory 2023-01, this is aka GHSA-fr2g-9hjm-wr23 and GO-2023-2133.

-Phil