Update bwa to post-january 2019 version #7

Open
sndrtj opened this issue Jul 4, 2019 · 1 comment

@sndrtj
Contributor

sndrtj commented Jul 4, 2019

There's a CVE for BWA that allows an attacker to execute arbitrary code by providing a malicious .alt file: https://nvd.nist.gov/vuln/detail/CVE-2019-10269#vulnCurrentDescriptionTitle

This has been fixed in BWA in lh3/bwa#232.

However, there is no official BWA release since October 2017. Bioconda, and therefore biocontainers, also use the latest official release.

@rhpvorderman @Redmar-van-den-Berg Thoughts? Probably make our own container based off the most recent BWA master branch?

@rhpvorderman
Member

I would do the following:

  • Ask lh3 to make a new release with the patch.

If that does not work:

  • Create a fork.
  • Go to the latest official release tag.
  • Apply the patch for the fix. Only the fix.
  • Give this a new version number. 0.7.17.1 for example.
  • Release on GitHub.
  • Adapt the recipe on bioconda and ask for a review of bioconda/core + recent maintainers of the BWA recipe.

If they do not accept this we can resort to building our own container.
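
The fallback procedure in the comment above (start from the latest release tag, apply only the fix, give it a new version number), as an added shell example that is not part of the original thread. It runs against a constructed throwaway repository; the tags v1.0 and v1.0.1, the file names and the helper functions are assumptions standing in for the real release tag, the fix commit and a version such as 0.7.17.1.

```shell
#!/bin/sh
# Added example on a constructed repository, not the BWA source tree.
# Assumed names: v1.0 (latest official release), v1.0.1 (patched release),
# parser.c / README (placeholder files).
set -eu

# Run git with a fixed identity so commits work on a machine without one.
g() { git -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# Build a stand-in upstream: a release tag with unreleased commits on top,
# one of which is the security fix. Stores the fix commit id in FIX.
make_upstream() {
    repo=$1
    g init -q "$repo"
    echo 'char buf[8];' > "$repo/parser.c"
    echo 'release notes' > "$repo/README"
    g -C "$repo" add parser.c README
    g -C "$repo" commit -q -m 'release 1.0'
    g -C "$repo" tag v1.0
    echo 'new feature' >> "$repo/README"
    g -C "$repo" commit -q -am 'unreleased feature work'
    echo 'char buf[64]; /* bounds fixed */' > "$repo/parser.c"
    g -C "$repo" commit -q -am 'security fix'
    FIX=$(g -C "$repo" rev-parse HEAD)
    echo 'more changes' >> "$repo/README"
    g -C "$repo" commit -q -am 'more unreleased work'
}

# Branch from the release tag, apply only the fix commit, tag the result.
# -x records the original commit id in the backported commit message.
backport_fix() {
    repo=$1 tag=$2 fix=$3 newtag=$4
    g -C "$repo" checkout -q -b "backport-$newtag" "$tag"
    g -C "$repo" cherry-pick -x "$fix" >/dev/null
    g -C "$repo" tag -a "$newtag" -m "$tag plus security fix $fix"
}

# Review aid: list the files that differ between the two tags. Anything
# beyond the files touched by the fix means more than the fix went in.
changed_files() { g -C "$1" diff --name-only "$2" "$3"; }

demo() {
    tmp=$(mktemp -d)
    make_upstream "$tmp/upstream"
    backport_fix "$tmp/upstream" v1.0 "$FIX" v1.0.1
    changed_files "$tmp/upstream" v1.0 v1.0.1
    rm -rf "$tmp"
}
demo
```

The file list printed at the end is what a bioconda reviewer can compare against the upstream fix before accepting the new version number.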
