Upcoming Security Release: xblock-lti-consumer

On Tuesday, January 24, we'll be releasing version 7.2.2 of xblock-lti-consumer. This release will contain a Low severity security fix, as rated using CVSS.

Affected repository: xblock-lti-consumer.
Vulnerability Score: Low (CVSS Score).
Patch release date & time: 2023-01-24 (time TBD).

This post will be updated with the vulnerability details after the patch is released.
This is planned to be released at 10am EST on 2023-01-24.

Note for maintainers: The package name is lti-consumer-xblock, which differs from the repo name.

As far as the master/main branches of the edx and openedx orgs are concerned, I only see it as a direct dependency in edx/edx-exams and openedx/edx-platform.

The details of this patch are now published in the GitHub security advisory for openedx/xblock-lti-consumer: "Vulnerability in LTI 1.3 Grade Pass Back Implementation".

lti-consumer-xblock version 7.2.2 is now available with a fix for this issue.

I’m seeing this topic just now. The version of the xblock that ships with Olive is 4.5.0. Is version 4.5.0 affected by the vulnerability? If yes, can we safely upgrade to 7.2.2? In my understanding there are at least three breaking changes between 4.5.0 and 7.2.2, so it seems unlikely that we can upgrade without any problem in Olive.

@regis All versions that have LTI 1.3 Assignments and Grades Services (LTI-AGS) are affected (I think it was implemented around version 2.x).
Cherry-picking this commit or creating a new one with just the changes starting on this line fixes the issue.

Cherry-picking a commit in a 3rd-party dependency of edx-platform is really not convenient – not just in Tutor but everywhere. Can you please make a 4.5.1 release with the patch? If not then we will have to fork the dependency and I would really like to avoid doing that. It’s crucial that we make security releases for the current supported Open edX release, and that’s Olive.

I just added a security playbook for this situation: https://openedx.atlassian.net/wiki/spaces/COMM/pages/3664314392/Security+Playbooks#🩹-Applying-a-security-patch-to-a-package

Right now we’re at step 4a in that playbook: an older package release needs to be made (4.5.1) so that the package can be fixed in Olive edx-platform.

I prepared a backport of the fix to 4.5.0 here: open-craft/xblock-lti-consumer Pull Request #10 on GitHub, "Merge pull request from GHSA-7j9p-67mm-5g87" by mtyaka.

If someone with commit permissions could review and release 4.5.1 with the fix, that’d be great :pray: