[GHSA-2q4h-h5jp-942w] Firejail before 0.9.64.4 allows attackers to bypass...

[kmk3]

Updates

• Affected products
• Description
• References
• Source code location
• Summary

Comments
Add a few more relevant links and extend the description

[kmk3]

Notes:

The title is empty, but the title field is marked as required, so I tried to
come up with a good enough title, though I'm not sure how well it fits. Feel
free to change it.

Affected products -> Ecosystem is marked as required, but there is no valid
option. So I just set it to the first one (Composer) and put the
affected/patched versions in the description instead of their respective
fields.

I would suggest to avoid marking empty fields as required if the entry already
exists on the system, to make it easier to contribute.

[darakian]

Hey @kmk3 sorry but we only work on the advisories which fit into our ecosystem model for the moment.

[kmk3]

Hey @kmk3 sorry but we only work on the advisories which fit into our
ecosystem model for the moment.

Is there any way to at least link the source code repository to the advisory?

The GHSA page currently shows this:

• Source code: No known source code

Also, there are many CVEs attributed to firejail in the database:

• https://github.com/advisories?query=firejail

But currently none of them show up in the project's Security -> Advisories
section:

• https://github.com/netblue30/firejail/security/advisories

Edit: This issue is currently under discussion:

• Got feedback for our new open-source Advisory Database repository? #11 (comment)
• Include more details in "unreviewed" advisories #568

[darakian]

Is there any way to at least link the source code repository to the advisory?

Not at the moment sorry :(

[kmk3]

Is there any way to at least link the source code repository to the
advisory?

Not at the moment sorry :(

Alright, closing.