#core

Juan Alvarez

03/10/2022, 3:17 PM
Hi all, I am not sure if this is the best channel for this, but I opened this ticket a few days ago: https://github.com/osquery/osquery/issues/7494 . I would like to get your point of view on the criticality of those vulnerabilities and whether you think they qualify for a new release with those dependencies upgraded. Reading the ASSURANCE.md document, I see that some of the vulnerabilities may not affect osquery for one reason or another, but I am not smart enough to understand when they do or don't. The fact is that our tool (we are using Snyk) reports back 4 CRITICAL and 21 HIGH vulnerabilities, which does not look really good. If they are so, would you be open to releasing a new osquery version sooner with those dependencies upgraded? Thanks!
Mike Myers

03/14/2022, 8:08 PM
Hi Juan, the maintainers are meeting tomorrow morning to discuss these. We've looked into the CVEs in these dependencies and don't yet see that they impact osquery, but you're not the only one who wants to see the dependencies updated. Hopefully we can offer you a timeline for an update after tomorrow's office hours.
Juan Alvarez

03/14/2022, 11:12 PM
Thank you 🙏
Mike Myers

03/16/2022, 3:35 PM
As a follow-up, the plan is to update 2 to 4 of the dependencies immediately, then evaluate which of the others can be updated without affecting compatibility with older platforms. If needed, we can deprecate support for those. We scheduled the release of osquery for April 1.
3:36 PM
The only known impact of any of the CVEs on osquery is a denial of service, where osquery would be shut down by its own watchdog and then the query would be denylisted.
3:36 PM
No CVEs will be issued, but we will issue an advisory in the update notes.
Juan Alvarez

03/16/2022, 3:42 PM
@Mike Myers thanks for the update, really appreciated.