We're Hiring!

Mattermost, Inc.

"All" affected versions in the mattermost advisory

Hello
I’m looking at the mattermost advisory page at /security-updates/ on the mattermost website. I cannot post a link to that as it gets automatically flagged for some reason.
I’ve encountered “all” as affected version at many places in the page. At first glance, it appears that all the packages before the fixed version are affected but I am unsure what to make of “All” when fixed versions are v5.18.1, 5.17.3, 5.16.5, 5.9.8 in case of MMSA-2020-0001 dated 2020-01-08. Can anyone please clarify ?

Thank you for reporting this, we can start doing this moving forward.

Hello.
Can you please elaborate what is to be done moving forward?
Also, can you tell me the meaning of “all” in above context as well?

In the future we’d want to say, e.g. <v5.32.0 instead of “All”.
“All” means that the issue affects all versions, expect the version where it’s fixed (and versions beyond the fix version).

Can you tell me what does in mean in case of MMSA-2020-0001 where the fixed versions are 5.18.1, 5.17.3, 5.16.5, 5.9.8 ?
Does it mean 5.10.0 to 5.15.0 were not affected ?
Can you please give me affected version ranges for this particular advisory ? It appears to be only advisory with “all” and multiple versions in the fixed column. It is hard to make sense of it.

Not affected:

  • 5.18.1, 5.17.3, 5.16.5, 5.9.8 are not affected.
  • Also v5.19.0 is not affected as the same fix was applied to that version later in January 16th, 2020. This means dot releases 5.19.1-5.19.3 are also not affected. (Link to changelog is here)
  • Also any versions newer than the fix versions are not affected, e.g. v5.20.0 and versions beyond that are not affected.
  • v5.18.2 is also not affected (a dot release we did after 5.18.1). (Link to changelog is here)

Affected:

  • 5.18.0, 5.17.0-5.17.2, 5.16.0-5.16.4, 5.9.0-5.9.7.
  • Basically all versions before 5.16.5 are affected, except 5.9.8.

Please note that 5.9 at the time was an Extended Support Release, so the fix was backported to that version as well.

1 Like

Thank you so much. This makes it a lot clearer.

@amy.blais Excuse me but does the “na” keyword also imply all the versions before the fixed one are affected or it is better to assume that the data is simply not available ?

“na” means that the information is not available. Starting in January 2020 we started to get consistent with our process by filling in all the information for each release and we also started to use a new format for the Issue Identifier (e.g. using “MMSA-2020-0001” instead of e.g. “5.17.2.4”).

1 Like