
@rayaisaiah
Contributor

Reason for Change:
Resolves CVE-2025-6020 present in the current v1.6.26 version.

mcr.microsoft.com/containernetworking/azure-npm:v1.6.26 (ubuntu 24.04)
======================================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌────────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬───────────────────────────────────────────┐
│      Library       │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                   Title                   │
├────────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼───────────────────────────────────────────┤
│ libpam-modules     │ CVE-2025-6020 │ MEDIUM   │ fixed  │ 1.5.3-5ubuntu5.1  │ 1.5.3-5ubuntu5.4 │ linux-pam: Linux-pam directory Traversal  │
│                    │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2025-6020 │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam-modules-bin │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam-runtime     │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam0g           │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
└────────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴───────────────────────────────────────────┘
acnpublic.azurecr.io/azure-npm:v1.6.27Testing (ubuntu 24.04)
============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Issue Fixed:

Requirements:

Notes:

Copilot AI review requested due to automatic review settings June 27, 2025 16:43
@rayaisaiah rayaisaiah requested a review from a team as a code owner June 27, 2025 16:43
@rayaisaiah rayaisaiah requested a review from matmerr June 27, 2025 16:43
@rayaisaiah rayaisaiah added npm Related to NPM. linux labels Jun 27, 2025
Contributor

Copilot AI left a comment

Pull Request Overview

This PR addresses CVE-2025-6020 by updating the Ubuntu packages in the Dockerfile to their fixed versions.

  • Update the package versions for libpam-modules, libpam-modules-bin, libpam-runtime, and libpam0g in the Dockerfile.
  • Ensure the container image is free from the vulnerability based on the updated dependency versions.
Comments suppressed due to low confidence (1)

npm/linux.Dockerfile:11

  • The Dockerfile correctly pins the vulnerable libpam packages to their fixed versions. Double-check that these fixed versions are available for Ubuntu 24.04 to maintain compatibility in future updates.
RUN apt-get update && apt-get install -y libsystemd0=255.4-1ubuntu8.8 libudev1=255.4-1ubuntu8.8 libpam-modules=1.5.3-5ubuntu5.4 libpam-modules-bin=1.5.3-5ubuntu5.4 libpam-runtime=1.5.3-5ubuntu5.4 libpam0g=1.5.3-5ubuntu5.4 iptables ipset ca-certificates && apt-get autoremove -y && apt-get clean

@rayaisaiah
Contributor Author

/azp run Azure Container Networking PR

@rayaisaiah
Contributor Author

/azp run NPM Conformance Tests

@rayaisaiah
Contributor Author

/azp run NPM Scale Test

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah rayaisaiah merged commit dda6b0c into release/v1.6 Jun 27, 2025
31 of 36 checks passed
@rayaisaiah rayaisaiah deleted the isaiahraya/npm-fix-CVE-2025-6020 branch June 27, 2025 21:08
rayaisaiah added a commit that referenced this pull request Jun 27, 2025
github-merge-queue bot pushed a commit that referenced this pull request Jul 1, 2025
[NPM] [CVE] Resolve CVE-2025-6020 (#3763)

fixed cve CVE-2025-6020
NihaNallappagari pushed a commit to NihaNallappagari/azure-container-networking that referenced this pull request Sep 4, 2025
[NPM] [CVE] Resolve CVE-2025-6020 (Azure#3763)

fixed cve CVE-2025-6020
sivakami-projects pushed a commit that referenced this pull request Oct 23, 2025
[NPM] [CVE] Resolve CVE-2025-6020 (#3763)

fixed cve CVE-2025-6020