MH-13069, Update problematic admin interface libraries #406

Merged
merged 1 commit into from Sep 6, 2018

lkiesow commented Sep 2, 2018

A few admin interface libraries have known security vulnerabilities.
Luckily, these are only used while building/testing Opencast making them
more or less uncritical.

  • https-proxy-agent (CVE-2018-3736):
    https-proxy-agent passes unsanitized options to Buffer(arg) resulting
    in DoS and uninitialized memory leak.

  • url-parse (CVE-2018-3774):
    Incorrect parsing in url-parse <1.4.3 returns wrong hostname which
    leads to multiple vulnerabilities such as SSRF, Op...

There are newer versions but I refrained from doing any larger updates on the release branch, even though these are libs used for building/testing.
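The https-proxy-agent entry in the description above is a type-confusion problem: an option value reaches the legacy `Buffer(arg)` constructor without a type check. The JavaScript below is an added example, not code from this pull request, Opencast or https-proxy-agent; the `auth` field, the function names, the length limit and the sample options are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names): validate an option before it becomes a Buffer.
const MAX_AUTH_LENGTH = 1024; // assumed upper bound for a "user:password" string

// The legacy Buffer(arg) constructor dispatches on the argument type: a string
// is copied, but a number is read as a size to allocate. In older Node.js
// releases that allocation was not zero-filled. An option parsed from JSON can
// therefore turn a credential field into an allocation request.
function encodeProxyAuth(auth) {
  if (typeof auth !== 'string') {
    throw new TypeError('proxy auth must be a string, got ' + typeof auth);
  }
  if (auth.length === 0 || auth.length > MAX_AUTH_LENGTH) {
    throw new RangeError('proxy auth length out of bounds');
  }
  // Buffer.from(string) copies the string's bytes and never treats the
  // argument as a length.
  return Buffer.from(auth, 'utf8').toString('base64');
}

// Build request headers from an options object, encoding auth only if present.
function buildProxyHeaders(options) {
  const headers = { 'Proxy-Connection': 'close' };
  if (options.auth !== undefined) {
    headers['Proxy-Authorization'] = 'Basic ' + encodeProxyAuth(options.auth);
  }
  return headers;
}

// Constructed sample options, as they might arrive from a config file or request.
const samples = [
  '{"host":"proxy.example","auth":"user:secret"}',
  '{"host":"proxy.example","auth":1000000000}',
  '{"host":"proxy.example","auth":["a","b"]}',
];

// Returns the header value for accepted input, or the error name when rejected.
function checkSamples() {
  return samples.map((json) => {
    try {
      return buildProxyHeaders(JSON.parse(json))['Proxy-Authorization'];
    } catch (err) {
      return err.name;
    }
  });
}

console.log(checkSamples());
```

Only the first sample produces a header; the numeric and array values are rejected before any buffer is allocated.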

MH-13069, Update problematic admin interface libraries
A few admin interface libraries have known security vulnerabilities.
Luckily, these are only used while building/testing Opencast making them
more or less uncritical.

- https-proxy-agent (CVE-2018-3736):
  https-proxy-agent passes unsanitized options to Buffer(arg) resulting
  in DoS and uninitialized memory leak.

- url-parse (CVE-2018-3774):
  Incorrect parsing in url-parse <1.4.3 returns wrong hostname which
  leads to multiple vulnerabilities such as SSRF, Op...

@staubesv staubesv self-requested a review Sep 2, 2018

@staubesv staubesv self-assigned this Sep 2, 2018

lkiesow added a commit to lkiesow/opencast that referenced this pull request Sep 2, 2018

Merge t/mh-13069-update-problematic-js-libs
This is a merge of pull request opencast#406

@staubesv staubesv merged commit 3dcb4a2 into opencast:r/5.x Sep 6, 2018

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed