Advisory: GHSA-2g5w-29q9-w6hx (CVE-2023-30620)
Claimed fixed version: 23.2.1.0
Correct first fixed version: 23.3.2.0
git merge-base --is-ancestor 4419b0f0019c000db390b54d8b9d06e1d3670039 v23.2.1.0 returns false. The fix commit was authored 2023-02-16 — two weeks after the v23.2.1.0 tag on 2023-02-02. The 23.2.1.0 artifact on PyPI ships mindsdb/api/http/utils.py and mindsdb/api/http/namespaces/file.py byte-identical to the pre-fix state (safe_extract() with path traversal protection is absent; raw tarfile.extractall() is used).
The fix first appears in 23.3.2.0. The advisory's fixed version should be corrected from 23.2.1.0 to 23.3.2.0.
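Added example, not code from MindsDB or from the advisory: the distinction the note draws between a raw tarfile.extractall() and a safe_extract() that refuses path-traversal members, shown in Python with a constructed in-memory archive. The helper names (build_archive, traversal_members, safe_extract, demo) are assumptions for illustration, not MindsDB's actual implementation.

```python
import io
import os
import tarfile
import tempfile


def is_within_directory(directory: str, target: str) -> bool:
    # Resolve both paths and require the destination to stay under directory.
    abs_dir = os.path.realpath(directory)
    abs_target = os.path.realpath(target)
    return os.path.commonpath([abs_dir, abs_target]) == abs_dir


def build_archive(members: dict[str, bytes]) -> bytes:
    # Constructed sample tarball; member names are taken verbatim, so
    # "../escape.txt" is stored as-is, which is what an uploaded archive may contain.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in members.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def traversal_members(data: bytes, dest_dir: str) -> list[str]:
    # Names of members whose extraction path would resolve outside dest_dir.
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return [m.name for m in tar.getmembers()
                if not is_within_directory(dest_dir, os.path.join(dest_dir, m.name))]


def safe_extract(data: bytes, dest_dir: str) -> list[str]:
    # The hardened form: validate every member first, then extract; return what landed.
    bad = traversal_members(data, dest_dir)
    if bad:
        raise ValueError(f"path traversal attempted in tar: {bad}")
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        tar.extractall(dest_dir)
    return sorted(os.listdir(dest_dir))


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        upload = os.path.join(d, "upload")
        os.makedirs(upload)
        hostile = build_archive({"ok.txt": b"fine", "../escape.txt": b"bad"})
        benign = build_archive({"ok.txt": b"fine", "sub/nested.txt": b"x"})
        try:
            safe_extract(hostile, upload)
            blocked = False
        except ValueError:
            blocked = True
        return {"rejected": traversal_members(hostile, upload),
                "blocked": blocked, "extracted": safe_extract(benign, upload)}
```

Running demo() shows the hostile archive rejected before anything is written, while the benign one extracts normally.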