Bug 1824523 - cockpit is affected by multiple CVEs
Summary: cockpit is affected by multiple CVEs
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: cockpit-ovirt
Classification: oVirt
Component: Generic
Version: 0.14.3
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.4.0
Assignee: Aviv Turgeman
QA Contact: Wei Wang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2020-04-16 10:25 UTC by Gal Zaidman
Modified: 2020-05-20 20:00 UTC

Fixed In Version: ovirt-engine-nodejs-modules-2.0.27-1, cockpit-ovirt-0.14.6
Clone Of:
Environment:
Last Closed: 2020-05-20 20:00:38 UTC
oVirt Team: Integration
Embargoed:
michal.skrivanek: ovirt-4.4?
sbonazzo: planning_ack?
sbonazzo: devel_ack+
weiwang: testing_ack+


Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 108464 | 0 | master | MERGED | fix-github-secure-alert | 2020-08-11 06:55:57 UTC
oVirt gerrit | 108468 | 0 | master | ABANDONED | version-update-2.0.25 update includes: * Upgrade minimist to version 1.2.3 or later * Upgrade acorn to version 6.4.1 or ... | 2020-08-11 06:55:57 UTC

Description Gal Zaidman 2020-04-16 10:25:35 UTC
GitHub sent a CVE alert on the following:
* Upgrade minimist to version 1.2.3 or later
* Upgrade acorn to version 6.4.1 or later
* Upgrade kind-of to version 6.0.3 or later

To fix it you need to:
1. cd to dashboard dir
2. run "yarn update"
3. create patches:
cockpit-ovirt:  https://gerrit.ovirt.org/#/c/105504/
ovirt-engine-nodejs-modules : https://gerrit.ovirt.org/#/c/106388/

IMPORTANT
This is an indirect dep; the packages which get installed at the end are the good packages.
The yarn lock file just needs an update so that GitHub will not complain.
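
The version floors in the description can be checked against a regenerated yarn.lock with a short script. This is an added example, not code from the bug report or from cockpit-ovirt; it assumes the yarn.lock v1 text format, and the function names and the sample lockfile are constructed for illustration. Entries on a different major line than a floor are reported separately, because the description gives only one floor per package.

```javascript
// Version floors quoted in the bug description.
const FLOORS = new Map([['minimist', '1.2.3'], ['acorn', '6.4.1'], ['kind-of', '6.0.3']]);

// Parse yarn.lock v1 text into [{ name, version }], one item per lock entry.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    // Entry header, e.g.  kind-of@^6.0.0, kind-of@^6.0.2:  or  "@scope/pkg@^1.0.0":
    const head = /^("[^"]+"|[^",\s:#]+)/.exec(line);
    if (head && line.endsWith(':')) {
      const spec = head[1].replace(/"/g, '');
      current = { name: spec.slice(0, spec.lastIndexOf('@')), version: null };
      entries.push(current);
    } else if (current) {
      const m = /^  version "([^"]+)"/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries.filter((e) => e.version !== null);
}

// Numeric major.minor.patch comparison; pre-release tags are ignored.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// Report entries below a floor, plus entries on another major line, which the
// floor does not cover and which need a look at the advisory itself.
function auditLock(text, floors = FLOORS) {
  return parseYarnLock(text).filter((e) => floors.has(e.name)).map((e) => {
    const floor = floors.get(e.name);
    const status = compareVersions(e.version, floor) < 0 ? 'below-floor'
      : e.version.split('.')[0] !== floor.split('.')[0] ? 'other-major' : 'ok';
    return { ...e, floor, status };
  }).filter((f) => f.status !== 'ok');
}

// Constructed sample lockfile (not taken from cockpit-ovirt).
const SAMPLE_LOCK = [
  '# yarn lockfile v1', '',
  'acorn@^6.0.1:', '  version "6.4.0"', '',
  'acorn@^7.1.0:', '  version "7.1.1"', '',
  'kind-of@^6.0.0, kind-of@^6.0.2:', '  version "6.0.3"', '',
  'minimist@0.0.8:', '  version "0.0.8"', '',
  'minimist@^1.2.0:', '  version "1.2.5"', '',
  '"@babel/core@^7.0.0":', '  version "7.9.0"',
].join('\n');
console.log(auditLock(SAMPLE_LOCK));
```

An empty result from `auditLock` means every locked entry for the three packages sits at or above its floor on the same major line.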

Comment 2 Michal Skrivanek 2020-04-17 06:27:39 UTC
Sharon's addressing that in nodejs-modules. Check with her; it may need just a rebuild then.

Comment 5 Sandro Bonazzola 2020-05-20 20:00:38 UTC
This bugzilla is included in oVirt 4.4.0 release, published on May 20th 2020.

Since the problem described in this bug report should be resolved in oVirt 4.4.0 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

