From 6670d6c6235d597b0a0efffb46d332ceef098c03 Mon Sep 17 00:00:00 2001 From: James Rawlings Date: Sun, 24 Nov 2024 23:19:58 +0000 Subject: [PATCH] opensearch-dashboards-2/cve-2024-21534: remediation Signed-off-by: James Rawlings --- opensearch-dashboards-2.yaml | 6 +++++- opensearch-dashboards-2/cve-2024-21538.patch | 12 ++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 opensearch-dashboards-2/cve-2024-21538.patch diff --git a/opensearch-dashboards-2.yaml b/opensearch-dashboards-2.yaml index 25b6d46f1c7..dd4dd665802 100644 --- a/opensearch-dashboards-2.yaml +++ b/opensearch-dashboards-2.yaml @@ -1,7 +1,7 @@ package: name: opensearch-dashboards-2 version: 2.17.1 # when updating please check if we can remove the patched package.json for the reporting plugin - epoch: 1 + epoch: 2 description: Open source visualization dashboards for OpenSearch copyright: - license: Apache-2.0 @@ -63,6 +63,10 @@ pipeline: cherry-picks: | main/5e19749ec40230316ba2688c38e5c62f74ddb71d: CVE-2024-37890 + - uses: patch + with: + patches: cve-2024-21538.patch + - runs: | # Workaround for "OpenSearch Dashboards should not be run as root. Use --allow-root to continue." # This change will add the --allow-root when running the build_ts_refs and register_git_hook scripts diff --git a/opensearch-dashboards-2/cve-2024-21538.patch b/opensearch-dashboards-2/cve-2024-21538.patch new file mode 100644 index 00000000000..23bede8ea40 --- /dev/null +++ b/opensearch-dashboards-2/cve-2024-21538.patch @@ -0,0 +1,12 @@ +diff --git a/package.json b/package.json +index 6cb7fec4e..c4c724f9c 100644 +--- a/package.json ++++ b/package.json +@@ -187,6 +187,7 @@ + "**/async": "^3.2.3", + "**/cpy/globby": "^10.0.1", + "**/d3-color": "^3.1.0", ++ "**/cross-spawn": "^7.0.5", + "**/flat": "^5.0.2", + "**/elasticsearch/agentkeepalive": "^4.5.0", + "**/es5-ext": "^0.10.63", \ No newline at end of file
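Review bot: The new `patch` step only rewrites `package.json`, and nothing visible in this hunk updates the lockfile or checks the outcome, so whether the shipped tree really contains a fixed cross-spawn depends on how the later build steps resolve dependencies. I would add a comment above the step, `# CVE-2024-21538: forces cross-spawn >= 7.0.5 through yarn resolutions; drop once upstream ships the bump`, so the next version update knows when the patch can go. A post-build check that fails when any bundled `cross-spawn/package.json` reports a version below 7.0.5 would turn the remediation into something the package test can prove. The pipeline continues outside this hunk, so an existing check of that kind may already be present.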
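Review bot: The added `"**/cross-spawn": "^7.0.5"` entry sits in the root `package.json` only, so it presumably does not reach plugins that are built from their own `package.json`. The YAML comment about the patched reporting plugin suggests at least one such plugin exists, so it is worth confirming that no bundled plugin still pulls an older cross-spawn. The commit subject names cve-2024-21534 while this file and the pipeline entry are named cve-2024-21538; one of the two looks like a typo and should be aligned so advisory tracking records the right identifier. The caret range also moves every dependent that asked for an older major line onto 7.x, which deserves a quick smoke test of the build scripts. The patch file is committed without a trailing newline; adding one avoids tool-dependent handling of the last context line.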