GHSA-w7pm-9g55-mxfm
stigmem-node's unsigned plugin override could be enabled without a second explicit acknowledgment
상세
### Impact A single configuration flag could disable plugin signature enforcement. If an operator unintentionally carried that setting into an environment where plugin paths are writable by less-trusted users, unsigned plugin code could be loaded.
### Patches Patched in 0.9.0a2. Disabling plugin signature enforcement now requires a second explicit acknowledgment value.
### Workarounds Before upgrading, keep plugin signing required in all shared or production environments and ensure plugin directories are not writable by untrusted users.
### Upgrade Upgrade to the patched release:
```bash pip install --upgrade --pre stigmem-node ```
If developers install through the Stigmem meta-package instead, they should use the matching extra for deployments, for example:
```bash pip install --upgrade --pre 'stigmem[node]' ```
### Resources - Release: https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2 - Changelog: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35 - Security policy and posture: https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
참고
- https://github.com/eidetic-labs/stigmem/security/advisories/GHSA-w7pm-9g55-mxfm [WEB]
- https://github.com/eidetic-labs/stigmem [PACKAGE]
- https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/CHANGELOG.md#L14-L35 [WEB]
- https://github.com/eidetic-labs/stigmem/blob/v0.9.0a2/SECURITY.md [WEB]
- https://github.com/eidetic-labs/stigmem/releases/tag/v0.9.0a2 [WEB]