Apply Patching on TestNG Older version (supports JDK8) to mitigate CVE-2022-4065 #2895
Comments
|
@kamal-kaur04 - There are no plans for this from the TestNG team. We would encourage you to upgrade to the latest released version |
|
what about project which cant upgrade to 7.7.1 because they use jdk8. Can we upgrade to 7.7.1 even though we use jdk8? |
|
@prashil-g 7.5 is the last version that runs on JDK8. I totally understand the predicament. It would be really great if you can upgrade. If not you can build and publish 7.5 patched version into your intranet. Alternatively you could also propose a PR that patches and we can see how we can have it released ( this is also just a suggestion. I dont know what all is needed to be changed in our CI to accommodate this ) |
|
Hi @krmahadevan thanks for prompt response, appreciate it ! :) I've cherry-picked the changes in my branch https://github.com/prashil-g/testng/tree/testng-7.5_zip-slip-vulnerability. Can you please create a branch out of 7.5 tag so I can raise a PR? patch: https://github.com/cbeust/testng/compare/7.5...prashil-g:testng-7.5_zip-slip-vulnerability?expand=1 |
|
@prashil-g - Here you go https://github.com/cbeust/testng/tree/release_7.5 |
|
Thanks @krmahadevan created #2899 . please let me know if anything else needed from my side! :) |
|
@prashil-g - I would still need to figure out how to get the release process sorted out. It will take sometime. Please bear with me on that. |
|
Sure @krmahadevan I will wait. Really appreciate your help 👍 |
|
Thanks @krmahadevan, Let me know if something needed from our side. |
|
@kamal-kaur04 - The fix is released into Maven central. Here's the release announcement https://groups.google.com/g/testng-users/c/71NlECG4AZ0/m/k64pMoFSAwAJ |
|
I can see new version got plublished. Thanks a lot @prashil-g for creating PR and @krmahadevan for releasing the version. I will give it a try. |
|
Hi @krmahadevan I see that 7.5.1 is now showing on maven but it's still marked as vulnerable. can you help mark CVE fix versions to include 7.5.1? |
Would you know how to get that done ? @JLLeitschuh - Any pointers on how we can get this sorted out? Basically we back ported your PR #2806 and released it as |
|
You're going to need to reach out to the CVE Numbering Authority (CNA) that issued the CVE to request that they update the CVE number. You can find out who the CNA is by checking the "source" field on the CVE listing, which can be found at the bottom of this page. https://nvd.nist.gov/vuln/detail/CVE-2022-4065 In this case the CNA is VulDB. You can find their contact information by searching the MITRE CVE site. https://www.cve.org/PartnerInformation/ListofPartners For VulDB, you can find their contact information here: https://www.cve.org/PartnerInformation/ListofPartners/partner/VulDB |
|
@JLLeitschuh - Thank you so much for sharing all that context. I have reached out to VulDB folks on the email that is listed. |
|
Perfect! Happy to help! I figured a show-and-tell model would be helpful for if this comes up for you with other potential vulnerability in the future 🙂 |
|
@krmahadevan Did you hear back from VulDB. 7.5.1 is still flagged wrongly for CVE |
|
Below is the response from VulDB folks I have reached out to Unfortunately I have not heard back from the folks at mvnrepository.com |
|
I haven't gotten responses from |
|
@prashil-g - Looks like mvnrepository has gotten updated 
|
|
@krmahadevan That's great news. I've written to synk.io update their DB to reflect testng 7.5.1 is not vulnerable:. |
Hello,
I'm reaching out here to know that if there is a way to apply the patch (released with version 7.7.0 for vulnerability) to older TestNG Version (v7.5) which supports JDK8 as I currently compile my project with JDK8, so can't bump the version to LTS. Currently, the vulnerability is reflecting on https://mvnrepository.com/ on our package.
Thanks.
The text was updated successfully, but these errors were encountered: