Release 0.32.0 of Spellcheck (GitHub) Action - a security patch release

Jonas Brømsø - May 18 '23 - - Dev Community

I have uploaded version 0.32.0 of the Spellcheck GitHub action to the GitHub Marketplace and DockerHub.

The release is aimed at patching a security vulnerability in one of the dependencies listed in requirements.txt, the manifest of the Python dependencies used by (and usable from) the action.

The vulnerability, labelled CVE-2023-32309, has been located in pymdown-extensions and has been patched in release 10.0.

The vulnerability allowed any file on the filesystem accessible to the code using the component to be read, since the component could include/inline other files from the file system.

Like so:

--8<--"/etc/passwd"

Example lifted from NIST
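To show the defensive principle behind the fix (confining snippet inclusion to a configured base directory), here is an added example of path confinement for an include directive of the form quoted above. It is not code from pymdown-extensions or from the Spellcheck action; the base directory, the sample Markdown and the single-line `--8<-- "path"` handling are assumptions constructed for the illustration.

```python
from pathlib import Path
from typing import Dict, Optional

# Constructed sample document (not from the post): one legitimate snippet
# and two includes that try to reach outside the documentation tree.
SAMPLE_MARKDOWN = """# Release notes

--8<-- "notes/intro.md"
--8<-- "/etc/passwd"
--8<-- "../../secrets.txt"
"""

SNIPPET_MARKER = "--8<--"


def resolve_snippet(base_path: Path, requested: str) -> Optional[Path]:
    """Return the resolved file path if `requested` stays inside `base_path`, else None.

    Absolute paths are rejected outright; relative paths are joined to the base
    directory and normalised with Path.resolve(), which collapses ".." components
    and follows symlinks, before the containment check.
    """
    base = base_path.resolve()
    candidate = Path(requested)
    if candidate.is_absolute():
        return None
    resolved = (base / candidate).resolve()
    try:
        resolved.relative_to(base)
    except ValueError:
        # The normalised path is not under the base directory.
        return None
    return resolved


def classify_includes(markdown: str, base_path: Path) -> Dict[str, str]:
    """Map every single-line snippet directive in `markdown` to 'allowed' or 'blocked'.

    Only the one-line form shown in the post (marker followed by a quoted path)
    is recognised; this is an assumption of the example.
    """
    results: Dict[str, str] = {}
    for line in markdown.splitlines():
        stripped = line.strip()
        if not stripped.startswith(SNIPPET_MARKER):
            continue
        target = stripped[len(SNIPPET_MARKER):].strip().strip('"')
        verdict = "allowed" if resolve_snippet(base_path, target) else "blocked"
        results[target] = verdict
    return results


if __name__ == "__main__":
    # Hypothetical documentation root; it does not need to exist for the
    # containment logic, since resolve() works on non-existent paths.
    for target, verdict in classify_includes(SAMPLE_MARKDOWN, Path("/tmp/docs-example")).items():
        print(f"{verdict:8} {target}")
```

The check is deliberately done on the resolved path rather than on the string: rejecting the literal `..` would miss escapes through symlinks, while comparing resolved paths catches both.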

Perhaps exploitation of the vulnerability would be limited in a GitHub Actions context, but there is no reason to leave it open, so the action has been updated.

As outlined in the post on release 0.31.0, I am behind on patching, or lifting users of end-of-life versions to more contemporary versions.

With this release I have indicated that an update is recommended (as I recommend in my post on writing change logs), but I am not sure I have the bandwidth to create PRs for all repositories using the versions leading up to release 0.32.0, so I will stick to releases 0.24.0 and below, since these are EOL.

Even though I am not so keen on the idea of using the canonical version (v0 etc.), it could also be an approach and I will mention this in my PRs.

Luckily today is a national holiday in Denmark, so I could sit down and do this in a nice and quiet manner; security issues are always a bit stressful.

Change log for 0.32.0

0.32.0, 2023-05-18, security patch release, update recommended

  • @dependabot raised an alert for the used dependency pymdown-extensions. The vulnerability is labelled CVE-2023-32309. The issue has been present in pymdown-extensions since version 1.5.0 and is patched in version 10.0.

  • Snyk has provided a patch via PR #158, which has been tested and no regressions have been observed, even with the version leap for pymdown-extensions from version 8.2 to 10.0. The GitHub Action has been updated to use the patched version; even though there is no direct use of the vulnerable code in the action, we do not want to be the source of a vulnerability.

  • pymdown-extensions was bumped to version 10.0.1, since a bug fix was released following up on the security patch.
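The change log gives the affected range for the dependency (introduced in 1.5.0, fixed in 10.0). As an added example, not part of this post or of the Spellcheck action, the following check reads a requirements.txt and reports whether the pinned pymdown-extensions version falls inside that range, which is what a maintainer of a consuming repository would want to know before accepting an update PR. The requirements.txt contents are constructed; only the package name and the version numbers for pymdown-extensions come from the post.

```python
import re
from typing import Optional, Tuple

# Affected range as stated in the change log: present since 1.5.0, fixed in 10.0.
FIRST_VULNERABLE = (1, 5, 0)
FIRST_FIXED = (10, 0, 0)

# Constructed requirements.txt (not the action's real manifest); the
# pymdown-extensions pin of 8.2 is the pre-patch version named in the post.
SAMPLE_REQUIREMENTS = """\
# constructed sample manifest
markdown==3.3.7
pymdown-extensions==8.2
pyspelling>=2.8
"""

# Exact pins only: "name==version" at the start of a line, comments ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.]*)", re.MULTILINE)


def normalize_name(name: str) -> str:
    """PEP 503 style normalisation so pymdown_extensions and pymdown-extensions compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.1' or '8.2' into a comparable tuple, padded to three components."""
    nums = []
    for part in text.strip().split("."):
        match = re.match(r"\d+", part)
        if not match:
            break  # stop at pre-release suffixes such as 'rc1'
        nums.append(int(match.group()))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def pinned_version(requirements: str, package: str) -> Optional[Tuple[int, ...]]:
    """Return the exact (==) pin for `package`, or None if it is absent or not pinned."""
    wanted = normalize_name(package)
    for match in PIN_RE.finditer(requirements):
        if normalize_name(match.group(1)) == wanted:
            return parse_version(match.group(2))
    return None


def is_affected(version: Tuple[int, ...]) -> bool:
    """True when the version lies in [FIRST_VULNERABLE, FIRST_FIXED)."""
    return FIRST_VULNERABLE <= version < FIRST_FIXED


def check_requirements(requirements: str) -> str:
    """Classify a manifest as 'vulnerable', 'patched' or 'unpinned' for pymdown-extensions."""
    version = pinned_version(requirements, "pymdown-extensions")
    if version is None:
        # Without an exact pin the resolver may pick any release, so the
        # manifest alone cannot prove the patched version is used.
        return "unpinned"
    return "vulnerable" if is_affected(version) else "patched"


if __name__ == "__main__":
    print(check_requirements(SAMPLE_REQUIREMENTS))
    print(check_requirements(SAMPLE_REQUIREMENTS.replace("==8.2", "==10.0.1")))
```

A range specifier such as `>=2.8` is deliberately reported as unpinned rather than guessed at: the manifest then does not determine which release is installed, and the installed version must be checked instead.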
