"All" affected versions in the mattermost advisory

hrtk · March 24, 2021, 11:38am

Hello
I’m looking at the mattermost advisory page at /security-updates/ on the mattermost website. I cannot post a link to that as it gets automatically flagged for some reason.
I’ve encountered “all” as affected version at many places in the page. At first glance, it appears that all the packages before the fixed version are affected but I am unsure what to make of “All” when fixed versions are v5.18.1, 5.17.3, 5.16.5, 5.9.8 in case of MMSA-2020-0001 dated 2020-01-08. Can anyone please clarify ?

amy.blais · March 24, 2021, 1:02pm

Thank you for reporting this, we can start doing this moving forward.

hrtk · March 24, 2021, 2:03pm

Hello.
Can you please elaborate what is to be done moving forward?
Also, can you tell me the meaning of “all” in above context as well?

amy.blais · March 24, 2021, 2:18pm

In the future we’d want to say, e.g. <v5.32.0 instead of “All”.
“All” means that the issue affects all versions, expect the version where it’s fixed (and versions beyond the fix version).

hrtk · March 24, 2021, 2:29pm

Can you tell me what does in mean in case of MMSA-2020-0001 where the fixed versions are 5.18.1, 5.17.3, 5.16.5, 5.9.8 ?
Does it mean 5.10.0 to 5.15.0 were not affected ?
Can you please give me affected version ranges for this particular advisory ? It appears to be only advisory with “all” and multiple versions in the fixed column. It is hard to make sense of it.

amy.blais · March 24, 2021, 2:46pm

Not affected:

5.18.1, 5.17.3, 5.16.5, 5.9.8 are not affected.
Also v5.19.0 is not affected as the same fix was applied to that version later in January 16th, 2020. This means dot releases 5.19.1-5.19.3 are also not affected. (Link to changelog is here)
Also any versions newer than the fix versions are not affected, e.g. v5.20.0 and versions beyond that are not affected.
v5.18.2 is also not affected (a dot release we did after 5.18.1). (Link to changelog is here)

Affected:

5.18.0, 5.17.0-5.17.2, 5.16.0-5.16.4, 5.9.0-5.9.7.
Basically all versions before 5.16.5 are affected, except 5.9.8.

Please note that 5.9 at the time was an Extended Support Release, so the fix was backported to that version as well.

hrtk · March 24, 2021, 3:20pm

Thank you so much. This makes it a lot clearer.

hrtk · March 24, 2021, 10:06pm

@amy.blais Excuse me but does the “na” keyword also imply all the versions before the fixed one are affected or it is better to assume that the data is simply not available ?

amy.blais · March 24, 2021, 10:23pm

“na” means that the information is not available. Starting in January 2020 we started to get consistent with our process by filling in all the information for each release and we also started to use a new format for the Issue Identifier (e.g. using “MMSA-2020-0001” instead of e.g. “5.17.2.4”).

Topic		Replies	Views
Connot update to version 9 Troubleshooting	1	288	October 4, 2023
Upgrading from 5.25.0 to Current (6.0.0) Docs - Help Wanted	2	710	December 22, 2021
Mattermost 5.25.7 Version Number Troubleshooting	5	605	December 9, 2020
Confusion regarding Mattermost version number Troubleshooting	9	1201	December 9, 2020
Mattermost upgrade Troubleshooting	1	2023	October 23, 2015

"All" affected versions in the mattermost advisory

Related Topics