Vulnerability roundup 89: electron-5.0.13: 1 advisory [6.8]

[ckauhaus]

search, files

• CVE-2020-15096 CVSSv3=6.8 (nixos-20.03, nixos-unstable)

Scanned versions: nixos-20.03: dabbc5a; nixos-unstable: c71518e. May contain false positives.

Cc @manveru
Cc @prusnak
Cc @travisbhartwell

[prusnak]

both master and nixos-20.03 contain electron 5.0.13 which is the latest from the 5.x series

[ckauhaus]

We have currently Electron 3, 4, 5, 6, 7, 8, and 9 in master. The default is still Electron 4. AFAICS Electron 3, 4, and 5 are not supported anymore upstream. In my opinion the default should be set to a supported version and Electron <= 5 should be marked as insecure in master.

[prusnak]

I sent a PR to upgrade the electron to latest in June - it is still waiting to be merged: #89758

Once this is merged I agree we should mark Electron <=5 as insecure.

I can even include this change into #89758 if that is desired.

[prusnak]

Marked electron < 6 insecure in 1499874 (part of #89758)

[ckauhaus]

thanks - what a pity that unmerged PRs are sometimes lingering to long