Priya, Aishwarya
2024-Jun-26 17:03 UTC
[R] Regarding the Security Vulnerability CVE 2024 - 27322
Dear R Foundation Team,

I hope this message finds you well. I am reaching out to seek your guidance on addressing the security vulnerability CVE-2024-27322. As I understand, a security fix for this vulnerability has been available starting from v4.4.0. This issue affects all versions from 1.4.0 to 4.3.3.

During our testing phase, we encountered a challenge while attempting to upgrade to the secure version. Our devices were running version 4.3.3 and below, and we tried to install version 4.4.0, hoping the installer would detect the older version and perform an in-place upgrade. However, we observed that the new version was installed alongside the older version rather than replacing it. Consequently, this approach did not mitigate the security vulnerability.

To address this issue effectively, it appears that we need to first uninstall the existing older version before installing the latest version. This process should ensure that the security vulnerability is adequately resolved.

Could you please confirm if this is the recommended approach for handling this specific security issue? Additionally, if there are any alternative methods or best practices you could suggest for performing this upgrade seamlessly, we would greatly appreciate your insights.

Thank you for your support and assistance in this matter.

Thanks & Regards,
Aishwarya Priyadarshini
TMX Software Delivery, Virtualization & Telemetry
Dell Digital | Team Member eXperience
Aishwarya_Priya at Dell.com
Ivan Krylov
2024-Jun-26 20:25 UTC
[R] Regarding the Security Vulnerability CVE 2024 - 27322
Dear Aishwarya Priyadarshini,

Welcome to R-help! Most people here aren't affiliated with R Foundation.

On Wed, 26 Jun 2024 17:03:37 +0000 "Priya, Aishwarya via R-help" <r-help at r-project.org> wrote:

> I am reaching out to seek your guidance on addressing the security
> vulnerability CVE-2024-27322.

> To address this issue effectively, it appears that we need to first
> uninstall the existing older version before installing the latest
> version. This process should ensure that the security vulnerability
> is adequately resolved.

What's your threat model?

If you need the CVE fix purely because you are required to install it by some sort of regulations, installing R-4.4.0 and removing all older versions of R is definitely the right thing to do.

If you actually need to be secure against untrusted *.rds or *.rda files, R-4.4.0 or any other version of R will be of no help to you. There are too many ways to make an R object dangerous to use, and the *.rds and *.rda files will faithfully represent the trapped R object even in the absence of any vulnerabilities in the parser: https://aitap.github.io/2024/05/02/unserialize.html

If you only process *.rds and *.rda files you trust, you've never been in danger from this so-called vulnerability. Feel free to keep running older versions of R.

--
Best regards,
Ivan