
Conversation

@rayaisaiah
Contributor

Reason for Change:
Resolves CVE-2025-6020 present in the current v1.6.26 version. Forward port of #3763.

mcr.microsoft.com/containernetworking/azure-npm:v1.6.26 (ubuntu 24.04)
======================================================================
Total: 4 (UNKNOWN: 0, LOW: 0, MEDIUM: 4, HIGH: 0, CRITICAL: 0)

┌────────────────────┬───────────────┬──────────┬────────┬───────────────────┬──────────────────┬───────────────────────────────────────────┐
│      Library       │ Vulnerability │ Severity │ Status │ Installed Version │  Fixed Version   │                   Title                   │
├────────────────────┼───────────────┼──────────┼────────┼───────────────────┼──────────────────┼───────────────────────────────────────────┤
│ libpam-modules     │ CVE-2025-6020 │ MEDIUM   │ fixed  │ 1.5.3-5ubuntu5.1  │ 1.5.3-5ubuntu5.4 │ linux-pam: Linux-pam directory Traversal  │
│                    │               │          │        │                   │                  │ https://avd.aquasec.com/nvd/cve-2025-6020 │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam-modules-bin │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam-runtime     │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
├────────────────────┤               │          │        │                   │                  │                                           │
│ libpam0g           │               │          │        │                   │                  │                                           │
│                    │               │          │        │                   │                  │                                           │
└────────────────────┴───────────────┴──────────┴────────┴───────────────────┴──────────────────┴───────────────────────────────────────────┘
acnpublic.azurecr.io/azure-npm:v1.6.27Testing (ubuntu 24.04)
============================================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

Issue Fixed:

Requirements:

Notes:

Copilot AI review requested due to automatic review settings June 27, 2025 21:11
@rayaisaiah rayaisaiah requested a review from a team as a code owner June 27, 2025 21:11
@rayaisaiah rayaisaiah requested a review from vakalapa June 27, 2025 21:11

Copilot AI left a comment


Pull Request Overview

This PR forward-ports the fix for CVE-2025-6020 by pinning the vulnerable libpam packages in the Linux Docker image.

  • Adds specific libpam modules (libpam-modules, libpam-modules-bin, libpam-runtime, libpam0g) at version 1.5.3-5ubuntu5.4 to the apt-get install line.
  • Verifies the updated image has no remaining medium or higher security vulnerabilities.
Comments suppressed due to low confidence (1)

npm/linux.Dockerfile:10

  • [nitpick] Add a comment above the new apt-get install line to note that the pinned libpam-* packages address CVE-2025-6020 for future maintainers.
COPY --from=builder /usr/local/bin/azure-npm /usr/bin/azure-npm
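As an added verification check (not code from this PR or the azure-container-networking project), the Python below reimplements dpkg's version ordering and flags libpam packages whose installed version is still below the fixed version shown in the Trivy table above; the dpkg-query output it parses is a constructed sample.

```python
"""Flag libpam packages below the CVE-2025-6020 fix, ordering versions the way dpkg does."""
import itertools
import re

FIXED_VERSION = "1.5.3-5ubuntu5.4"  # Ubuntu 24.04 fixed version from the Trivy table in the PR
PAM_PACKAGES = {"libpam-modules", "libpam-modules-bin", "libpam-runtime", "libpam0g"}

def _char_order(c):
    # dpkg order for non-digit characters: '~' < end of string < letters < anything else
    return -1 if c == "~" else 0 if c == "" else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # Compare alternating non-digit and digit runs (dpkg's verrevcmp algorithm)
    while a or b:
        sa, sb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        for x, y in itertools.zip_longest(sa, sb, fillvalue=""):
            if d := _char_order(x) - _char_order(y):
                return d
        a, b = a[len(sa):], b[len(sb):]
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        a, b = a[len(da):], b[len(db):]
    return 0

def compare_versions(v1, v2):
    """Return <0, 0 or >0 with the semantics of `dpkg --compare-versions`."""
    def split(v):  # epoch:upstream-revision; epoch defaults to 0, revision to ""
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def vulnerable_pam_packages(dpkg_output, fixed=FIXED_VERSION):
    r"""Map libpam packages in `dpkg-query -W -f='${Package} ${Version}\n'` output
    to their installed version when that version is older than `fixed`."""
    found = {}
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in PAM_PACKAGES and compare_versions(parts[1], fixed) < 0:
            found[parts[0]] = parts[1]
    return found

# Constructed sample of dpkg-query output from an image like azure-npm:v1.6.26
SAMPLE_DPKG_OUTPUT = """\
libc6 2.39-0ubuntu8.4
libpam-modules 1.5.3-5ubuntu5.1
libpam-modules-bin 1.5.3-5ubuntu5.1
libpam-runtime 1.5.3-5ubuntu5.4
libpam0g 1.5.3-5ubuntu5.1
"""
```

Run it against real output with `docker run --rm <image> dpkg-query -W -f='${Package} ${Version}\n'` to confirm a rebuilt image reports an empty result.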

@rayaisaiah rayaisaiah changed the title [Forwadport] [NPM] [CVE] Resolve CVE-2025-6020 [Forwardport] [NPM] [CVE] Resolve CVE-2025-6020 Jun 27, 2025
@rayaisaiah
Contributor Author

/azp run Azure Container Networking PR

@rayaisaiah
Contributor Author

/azp run NPM Conformance Tests

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@rayaisaiah
Contributor Author

/azp run NPM Scale Test

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).


@rayaisaiah rayaisaiah enabled auto-merge June 30, 2025 20:31
@rayaisaiah rayaisaiah added npm Related to NPM. linux labels Jun 30, 2025
@rayaisaiah rayaisaiah added this pull request to the merge queue Jul 1, 2025
Merged via the queue into master with commit 6494e4c Jul 1, 2025
35 of 36 checks passed
@rayaisaiah rayaisaiah deleted the isaiahraya/forward-port-npm-fix-CVE-2025-6020 branch July 1, 2025 19:17
NihaNallappagari pushed a commit to NihaNallappagari/azure-container-networking that referenced this pull request Sep 4, 2025
[NPM] [CVE] Resolve CVE-2025-6020 (Azure#3763)

fixed cve CVE-2025-6020
sivakami-projects pushed a commit that referenced this pull request Oct 23, 2025
[NPM] [CVE] Resolve CVE-2025-6020 (#3763)

fixed cve CVE-2025-6020