v6: CVE-2021-23386: update dns-packet #75

Closed
apepper opened this issue May 26, 2021 · 10 comments

@apepper

apepper commented May 26, 2021

Thank you for bumping dns-packet in #74 for version 7.

Could you also release a security bump for version 6? This currently affects webpack-dev-server via a different (no longer maintained) library that still makes use of multicast-dns version 6:

https://github.com/watson/bonjour/blob/bdc467a4f3c7b9fe8bc54468b6fc4d80b8f1c098/package.json#L11

More details can be found at webpack/webpack-dev-server#3340.

@mafintosh
Owner

It's already fixed for v6 if you reinstall deps, I backported it on dns-packet to the version multicast-dns 6 is tracking :)

@bobvandevijver

@mafintosh If you could make that known to the advisory, it might work. See https://www.npmjs.com/advisories/1745/versions

@mafintosh
Owner

I already did

@apepper
Author

apepper commented May 26, 2021

> It's already fixed for v6 if you reinstall deps, I backported it on dns-packet to the version multicast-dns 6 is tracking :)

Sounds great! Is this already available on npm? At least for me, `npm show multicast-dns@6 version` does not list 6.2.4 or newer. The last version 6 release that I can see on npm is three years old: https://www.npmjs.com/package/multicast-dns/v/6.2.3

@mafintosh
Owner

dns-packet is where the update is. multicast-dns v6 tracks v1 which is where i backported the fix. do you know if i need to backport a version bump to multicast-dns as well for this security silliness to stop?

@mafintosh
Owner

fyi this is the dns-packet backport https://github.com/mafintosh/dns-packet/tree/v1

@apepper
Author

apepper commented May 26, 2021

> dns-packet is where the update is.

Ah, awesome. Thank you for fixing it at the very source!

@apepper closed this as completed May 26, 2021

@mafintosh
Owner

I sent SNYK an email bump now also to get them to update the advisory

@jaredbeck

> fyi this is the dns-packet backport https://github.com/mafintosh/dns-packet/tree/v1

> I sent SNYK an email bump now also to get them to update the advisory

Can you please confirm that

  1. dns-packet 1.3.4 fixes the vulnerability (specifically mafintosh/dns-packet@ac57872), and
  2. the advisory has not yet been updated accordingly

Thanks.

@mafintosh
Owner

advisory is updated, just checked
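
As an added example (not part of the thread and not code from multicast-dns or dns-packet): since the fix ships in dns-packet while multicast-dns stays at 6.2.3, an existing `package-lock.json` can keep pinning an older dns-packet until dependencies are reinstalled. The sketch below scans a parsed lockfile for such pins; the function names, the sample lockfile and the use of 1.3.4 (the version asked about above) as the threshold are assumptions.

```javascript
// Assumption: 1.3.4 is the dns-packet v1 release named in this thread.
const FIXED_V1 = "1.3.4";

// Compare two plain x.y.z versions; returns <0, 0 or >0.
function cmp(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Collect every installed copy of `name` from a parsed package-lock.json.
// Handles the flat "packages" map (lockfile v2/v3) and nested "dependencies" (v1).
function findInstalled(lock, name) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Report dns-packet 1.x copies the lockfile still pins below the fixed release.
function stalePins(lock) {
  return findInstalled(lock, "dns-packet")
    .filter((h) => h.version.split(".")[0] === "1" && cmp(h.version, FIXED_V1) < 0);
}

// Constructed sample lockfile (v2 layout); not taken from any real project.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "node_modules/multicast-dns": { version: "6.2.3" },
    "node_modules/multicast-dns/node_modules/dns-packet": { version: "1.3.1" },
    "node_modules/dns-packet": { version: "5.2.4" },
  },
};
console.log(stalePins(sampleLock));
```

Only the 1.x line is checked because that is the line the thread says multicast-dns v6 tracks; other major versions are left unreported.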
