mirror of
https://github.com/google/brotli.git
synced 2026-07-08 17:56:58 +00:00
CVE-2020-8927 Versioning #345
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @LorenzNickel on GitHub (Sep 15, 2020).
I have a question regarding the versioning because I want to know which versions are vulnerable to CVE-2020-8927. From my understanding, the fixing commit has been part of 1.0.8 and the description of this release also mentions that this issue has been fixed. Version 1.0.9 has the same description and only a textual commit has been made between those two versions. The ReadMe of this project currently states that 1.0.9 should be used, while the NVD description refers to 1.0.8 as fixed version.
Could you maybe explain why this re-release happened and which version should be referred to as the fixing version (and with that which ones are vulnerable)?
Thanks a lot
@karnaerrande commented on GitHub (Sep 18, 2020):
Looks like 1.08 onward is secured against the overflow vulnerability and the 1.09 re-release was just tidying up the bindings and build file.
Will be keeping an eye on NVD pending the ongoing analysis.
@eustas commented on GitHub (Sep 21, 2020):
v1.0.8 tag was moved to later commit after the initial release. To avoid problems with git caches additional tag / version (v1.0.9) was added.
@874461762 commented on GitHub (Nov 3, 2023):
NVD reports CVE-2020-8927 about brotli versions before 1.0.8 - but it's not specific to native or java releases.
Can anyone clarify if this CVE applies to the org.brotli.dec-0.1.2 java release due to org.brotli.dec-0.1.2 is the latest one in maven repository? If so, is there a brotli java release planned to rectify this?