[GHSA-x9qq-236j-gj97] Canonical LXD documentation improvement to make clear restricted.devices.disk=allow without restricted.devices.disk.paths also allows shift=true

[gshanbhag525]

Updates

• Affected products

Comments
= 5.19 and = 5.20 is not a valid version.
Hence updating with respective release go commit pseudo version.

[github]

Hi there @tomponline! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[darakian]

Hey @gshanbhag525, thanks for the PR. It looks like we pulled in the versions from the source repo advisory
GHSA-x9qq-236j-gj97
and looking at the pseudo versions they seem to be cycling in and out on the go proxy
https://pkg.go.dev/github.com/canonical/lxd?tab=versions
I'm not sure it's the most useful thing to have an advisory that references versions no longer available, though I'm also unclear on how users are consuming this package. Thoughts?

[tomponline]

@eslerm i understood the go proxy admins had fixed this?

We dont want to use git commits as its not helpful for those comparing lxd release versions.

[gshanbhag525]

lxd has release version with prefix "lxd".
e.g lxd-5.19, lxd-5.20 link

Since its a go pkg and there are other advisories which use commit as version.
eg. GHSA-33m6-q9v5-62r7
I used release versions commits here.

[tomponline]

lxd has release version with prefix "lxd". e.g lxd-5.19, lxd-5.20 link

Since its a go pkg and there are other advisories which use commit as version. eg. GHSA-33m6-q9v5-62r7 I used release versions commits here.

Yes we could use the release tag names if that helps.

Whats the wider context here btw? The issue being linked to wasnt actually a security problem but required an improvement to the docs.

[gshanbhag525]

we follow semver spec for version parsing. link
But since 5.19 doesnot follow semver i.e. x.x.x
we were not able to parse it.
Converting it to go pseudo version. ie. 0.0.0-20231019094722-ff5926c3b519 would suffice or 5.19.0.

Yes this is improvement to docs.

[tomponline]

Ok 5.19.0 would be ok i think

The pseudo version is problematic as doesnt correlate with the release version reported by the binary

[github]

Hi there @tomponline! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[advisory-database]

Hi @gshanbhag525! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!