TFA branch 2 reported by drupal.org as affected by SA-CONTRIB-2023-030

Created on 3 October 2024, 7 months ago

I was looking at the security release, and I'm not 100% sure what's going on, but on the 2.0.0-alpha-2 release, it is marked as "Insecure, vulnerable to SA-CONTRIB-2023-030" which I'm guessing is an issue with the calculation "Affected versions: ^1 <= 1.0.0"

Also, is 2.x affected by SA-CONTRIB-2024-043?

💬 Support request
Status

Active

Version

2.0

Component

Documentation

Created by

🇪🇸 Spain pcambra Asturies


Comments & Activities

  • Issue created by @pcambra
  • 🇵🇹 Portugal jcnventura

    2.0 alpha is somewhat affected by some known security issues. And the fix for the most recent one hasn't been merged in yet, so that is another issue still pending.

  • 🇵🇹 Portugal jcnventura

    Marking this as a duplicate of 📌 Public followup for SA-CONTRIB-2024-043 (Postponed)

  • 🇺🇸 United States cmlara

    Regarding SA-CONTRIB-2023-030.

    First and foremost, the 2.x branch should only be used in dev labs for contributing to the future of TFA. It is not production ready.

    Yes, the alpha release of 2.x is impacted; fixes have been merged into the dev branch. However, at this time there are no plans for another alpha release in the near future until other overhauls are completed.

    The Drupal Security Team explicitly refused to honor maintainer requests to mention the 2.x branches at the time of that security advisory. A Security Team member removed mentions regarding 2.x that I had placed in the draft versions.

    The release note warning regarding 2.0.0-alpha2 is the best I could do (other than publishing a kill site release of 2.x) to distribute the warning while the Drupal Security Team continues to take explicit actions to prevent the distribution of information to site owners.

    The Drupal Security Team is the reason the constraint is only ^1 <= 1.0.0.

    Regarding 2.x and SA-CONTRIB-2024-043:

    Yes, the alpha is impacted as well. A fix for the 2.x dev branch was committed on October 2nd, around the time the SA was made public. We will need to make sure we do not re-introduce the fault in 2.x going forward as we work on other aspects of the module. The public followup releasing tests should help prevent this.

  • 🇺🇸 United States greggles Denver, Colorado, USA

    Regarding #4, it looks like the project page doesn't explain which branch to use for which scenarios. Including a little explanation on the project page seems to me to be a pretty common way to get this information across. It would also be useful to folks at the moment of installation, which seems like the optimal moment to share the information. The release notes for 2.0.0-alpha2 mention it is vulnerable to an issue from 2023, but you could add subsequent issues as well to help get the idea across accurately and completely.

  • 🇺🇸 United States cmlara

    Regarding #4, it looks like the project page doesn't explain which branch to use for which scenarios. Including a little explanation on the project page seems to me to be a pretty common way to get this information across.

    Good point, we have been relying solely on the 'recommended' vs 'not recommended' symbology. Updated module page to include more details.

    but you could add subsequent issues as well to help get the idea across accurately and completely.

    Also a good point, I had flagged the release with "do not use" however never considered going back to amend the release notes to include the additional vulnerabilities. This has also been updated.
