CVE-2020-8927 Versioning #345

Closed
opened 2026-01-29 20:42:19 +00:00 by claunia · 3 comments
Owner

Originally created by @LorenzNickel on GitHub (Sep 15, 2020).

I have a question regarding the versioning because I want to know which versions are vulnerable to CVE-2020-8927. From my understanding, the fixing commit has been part of 1.0.8 and the description of this release also mentions that this issue has been fixed. Version 1.0.9 has the same description and only a textual commit has been made between those two versions. The ReadMe of this project currently states that 1.0.9 should be used, while the NVD description refers to 1.0.8 as fixed version.

Could you maybe explain why this re-release happened and which version should be referred to as the fixing version (and with that which ones are vulnerable)?

Thanks a lot

Originally created by @LorenzNickel on GitHub (Sep 15, 2020). I have a question regarding the versioning because I want to know which versions are vulnerable to CVE-2020-8927. From my understanding, the [fixing commit](https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6) has been part of [1.0.8](https://github.com/google/brotli/releases/tag/v1.0.8) and the description of this release also mentions that this issue has been fixed. Version [1.0.9](https://github.com/google/brotli/releases/tag/v1.0.9) has the same description and only a [textual commit](https://github.com/google/brotli/compare/v1.0.8...v1.0.9) has been made between those two versions. The [ReadMe](https://github.com/google/brotli/blob/e61745a6b7add50d380cfd7d3883dd6c62fc2c71/README.md#security-note) of this project currently states that 1.0.9 should be used, while the [NVD description](https://nvd.nist.gov/vuln/detail/CVE-2020-8927) refers to 1.0.8 as fixed version. Could you maybe explain why this re-release happened and which version should be referred to as the fixing version (and with that which ones are vulnerable)? Thanks a lot
Author
Owner

@karnaerrande commented on GitHub (Sep 18, 2020):

Looks like 1.08 onward is secured against the overflow vulnerability and the 1.09 re-release was just tidying up the bindings and build file.

Will be keeping an eye on NVD pending the ongoing analysis.

@karnaerrande commented on GitHub (Sep 18, 2020): Looks like 1.08 onward is secured against the overflow vulnerability and the 1.09 re-release was just tidying up the bindings and build file. Will be keeping an eye on NVD pending the ongoing analysis.
Author
Owner

@eustas commented on GitHub (Sep 21, 2020):

v1.0.8 tag was moved to later commit after the initial release. To avoid problems with git caches additional tag / version (v1.0.9) was added.

@eustas commented on GitHub (Sep 21, 2020): v1.0.8 tag was moved to later commit after the initial release. To avoid problems with git caches additional tag / version (v1.0.9) was added.
Author
Owner

@874461762 commented on GitHub (Nov 3, 2023):

NVD reports CVE-2020-8927 about brotli versions before 1.0.8 - but it's not specific to native or java releases.

Can anyone clarify if this CVE applies to the org.brotli.dec-0.1.2 java release due to org.brotli.dec-0.1.2 is the latest one in maven repository? If so, is there a brotli java release planned to rectify this?

@874461762 commented on GitHub (Nov 3, 2023): NVD reports [CVE-2020-8927](https://nvd.nist.gov/vuln/detail/cve-2020-8927) about brotli versions before 1.0.8 - but it's not specific to native or java releases. Can anyone clarify if this CVE applies to the org.brotli.dec-0.1.2 java release due to [org.brotli.dec](https://mvnrepository.com/artifact/org.brotli/dec)-0.1.2 is the latest one in maven repository? If so, is there a brotli java release planned to rectify this?
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/brotli#345