update lodash@^4.17.21:, dns-packet@^1.34: through dependencies resol… #4783

Merged

Conversation

Ibrahimmaga
Contributor

Pull Request

📖 Description

CVE-2021-23386
high severity
Vulnerable versions: < 5.2.2
Patched version: 5.2.2
This affects the package dns-packet before 5.2.2. It creates buffers with allocUnsafe and does not always fill them before forming network packets. This can expose internal application memory over an unencrypted network when querying crafted invalid domain names.

CVE-2021-23337
high severity
Vulnerable versions: < 4.17.21
Patched version: 4.17.21
lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

🎫 Issues

👩‍💻 Reviewer Notes

📑 Test Plan

✅ Checklist

General

  • I have included a change request file using $ yarn change
  • I have added tests for my changes.
  • I have tested my changes.
  • I have updated the project documentation to reflect my changes.
  • I have read the CONTRIBUTING documentation and followed the standards for this project.

Component-specific

⏭ Next Steps
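The dns-packet advisory quoted in the description above names the bug class without showing it. The following is an added example, not code from dns-packet or from this repository: two hypothetical, simplified DNS name encoders (encodeNameUnsafe and encodeNameSafe, constructed for this illustration) that show how a buffer from Buffer.allocUnsafe() returned after a partial write carries stale memory onto the wire, and how validating first and using a zero-filled buffer removes the exposure.

```javascript
// Added example, not code from dns-packet or from the FAST repository.
// It models the bug class in the advisory: a wire buffer obtained from
// Buffer.allocUnsafe() that is only partially written before it is sent.
// encodeNameUnsafe / encodeNameSafe are hypothetical simplified DNS name
// encoders written for this illustration (labels are length-prefixed, the
// name ends with a zero byte), not the library's real encoder.

const MAX_LABEL = 63; // RFC 1035 label limit

// "Before": size is computed up front, the buffer is not zero-filled, and an
// invalid label stops the loop but the buffer is still returned whole. Every
// byte past `written` is whatever the allocation pool held before, which is
// exactly what would end up on the wire.
function encodeNameUnsafe(name) {
  const labels = name.split('.');
  const buf = Buffer.allocUnsafe(Buffer.byteLength(name) + 2);
  let offset = 0;
  for (const label of labels) {
    if (label.length > MAX_LABEL) break;   // bails out, leaving the tail unwritten
    buf[offset++] = label.length;
    offset += buf.write(label, offset);
  }
  buf[offset++] = 0;                        // root label
  return { buf, written: offset };
}

// "After": reject invalid input before allocating, use a zero-filled buffer,
// and refuse to hand back a buffer that was not completely written.
function encodeNameSafe(name) {
  const labels = name.split('.');
  for (const label of labels) {
    if (label.length === 0 || label.length > MAX_LABEL) {
      throw new RangeError(`invalid DNS label: "${label}"`);
    }
  }
  const buf = Buffer.alloc(Buffer.byteLength(name) + 2); // zero-filled
  let offset = 0;
  for (const label of labels) {
    buf[offset++] = label.length;
    offset += buf.write(label, offset);
  }
  buf[offset++] = 0;
  if (offset !== buf.length) {
    throw new Error('internal error: buffer not fully written');
  }
  return buf;
}

// Number of bytes in the returned buffer that the encoder never wrote.
function unwrittenBytes({ buf, written }) {
  return buf.length - written;
}

// Constructed inputs: a valid name and one whose first label is 64 characters.
const VALID_NAME = 'example.com';
const INVALID_NAME = 'x'.repeat(64) + '.example.com';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unwritten (valid):  ', unwrittenBytes(encodeNameUnsafe(VALID_NAME)));
  console.log('unwritten (invalid):', unwrittenBytes(encodeNameUnsafe(INVALID_NAME)));
  console.log('safe encoding:', encodeNameSafe(VALID_NAME).toString('hex'));
}
```

The tail of the unsafe encoder's buffer holds whatever Node's allocation pool contained before, so its contents vary from run to run; that is why the check counts unwritten bytes instead of looking for a particular value.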

@Ibrahimmaga Ibrahimmaga self-assigned this May 26, 2021
@Ibrahimmaga Ibrahimmaga added the area:dev-ops Pertains to build, CI, and other dev-ops work label May 26, 2021
@EisenbergEffect EisenbergEffect requested a review from radium-v May 26, 2021 18:08
@EisenbergEffect
Contributor

Added @radium-v as a reviewer. I defer my "required" review to him.

@awentzel
Collaborator

@Ibrahimmaga what is your testing process and how did you go about testing?

@Ibrahimmaga
Contributor Author

Ibrahimmaga commented May 26, 2021

The testing is done locally by running yarn after the update. The dependencies are also validated when running the pipeline on clean servers. An update through resolution means we will have both old versions and the new version in yarn.lock, so things don't break because of the new update.
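The resolutions-based update described in the comment above leaves open the question the reviewers go on to raise: does the regenerated yarn.lock actually stop resolving the vulnerable versions? The script below is an added example and not part of this PR or the project. It parses yarn classic's lockfile v1 format and reports every resolved version that sits below the first fixed release of its major line. The lockfile sample, the package.json resolutions fragment in the comment, and the patched-version table (5.2.2 from the advisory quoted in the description, 1.3.4 from the reviewer comment about dns-packet's 1.x line) are assumptions constructed for the example.

```javascript
// Added example, not part of this PR or the FAST repository: a check that a
// yarn.lock (yarn classic, "lockfile v1") no longer resolves a package below
// its patched version. Assumptions: the sample lockfile, the package.json
// fragment in the comment below, and the patched-version table are
// constructed here; real integrity hashes are omitted.

// Forcing the patched lines in package.json (yarn classic syntax):
//   "resolutions": { "dns-packet": "^1.3.4", "lodash": "^4.17.21" }
// then `yarn install` rewrites yarn.lock; this script checks the result.

// Parse yarn.lock v1: an unindented header `name@range, "name@range2":`
// followed by indented fields. Returns Map<name, Set<resolvedVersion>>.
function parseYarnLock(text) {
  const resolved = new Map();
  let names = null;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (!line.trim() || line.startsWith('#')) continue;
    if (!/^\s/.test(line)) {
      const keys = line.replace(/:\s*$/, '').split(', ')
        .map(k => k.replace(/^"|"$/g, ''));
      // the name is everything before the last '@' (scoped names start with '@')
      names = keys.map(k => k.slice(0, k.lastIndexOf('@')));
      continue;
    }
    const m = /^\s+version "([^"]+)"/.exec(line);
    if (m && names) {
      for (const name of names) {
        if (!resolved.has(name)) resolved.set(name, new Set());
        resolved.get(name).add(m[1]);
      }
    }
  }
  return resolved;
}

// Numeric compare of the major.minor.patch core; pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// patched: { pkg: { major: firstFixedVersion } }. A resolved version below the
// fixed release of its major line, or in a major line with no fix, is reported.
function findVulnerable(lockText, patched) {
  const resolved = parseYarnLock(lockText);
  const findings = [];
  for (const [name, lines] of Object.entries(patched)) {
    for (const version of resolved.get(name) || []) {
      const fixed = lines[version.split('.')[0]];
      if (fixed === undefined) findings.push({ name, version, fixed: null });
      else if (compareVersions(version, fixed) < 0) findings.push({ name, version, fixed });
    }
  }
  return findings;
}

// First fixed release per major line, taken from this PR thread (assumed):
// 5.2.2 from the quoted advisory, 1.3.4 from the reviewer's dns-packet comment.
const PATCHED = {
  lodash: { 4: '4.17.21' },
  'dns-packet': { 1: '1.3.4', 5: '5.2.2' },
};

// Constructed lockfile: an old and a new lodash entry coexist, which is the
// situation the comment above describes after a resolution-only update.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


dns-packet@^1.3.1:
  version "1.3.1"
  resolved "https://registry.yarnpkg.com/dns-packet/-/dns-packet-1.3.1.tgz"
  integrity sha512-omitted
  dependencies:
    ip "^1.1.0"
    safe-buffer "^5.0.1"

lodash@^4.17.15:
  version "4.17.15"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.15.tgz"
  integrity sha512-omitted

"lodash@^4.17.21", lodash@^4.17.4:
  version "4.17.21"
  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.21.tgz"
  integrity sha512-omitted
`;

if (typeof require !== 'undefined' && require.main === module) {
  const lock = process.argv[2]
    ? require('fs').readFileSync(process.argv[2], 'utf8')
    : SAMPLE_LOCK;
  for (const f of findVulnerable(lock, PATCHED)) {
    console.log(`${f.name}@${f.version} still resolved (fixed in ${f.fixed ?? 'no release in this major line'})`);
  }
}
```

Run it with the path to a real yarn.lock as the first argument, or with no argument to run it over the embedded sample, which models the case the comment describes: a stale lodash@^4.17.15 entry still pinned at 4.17.15 next to the 4.17.21 entry the resolution introduced. The version comparison ignores pre-release tags, so a pre-release of a fixed version is treated as fixed.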

Review comment on package.json (outdated):
this can also do the trick.

Co-authored-by: John Kreitlow <[email protected]>
@awentzel
Collaborator

> The testing is done locally by running yarn after the update. The dependencies are also validated when running the pipeline on clean servers. An update through resolution means we will have both old versions and the new version on yarn.lock so things don't break because of the new update.

I would also get in the habit of running each script in the package.json file that's being updated to ensure there are no unforeseen breakages.

@radium-v
Collaborator

radium-v commented Jun 2, 2021

@Ibrahimmaga can you regenerate the lockfile and update the PR title now that dns-packet is resolving to ^1.3.4?

@Ibrahimmaga Ibrahimmaga changed the title update lodash@^4.17.21:, dns-packet@^5.2.2: through dependencies resol… update lodash@^4.17.21:, dns-packet@^1.34: through dependencies resol… Jun 2, 2021
@Ibrahimmaga Ibrahimmaga merged commit 525294d into master Jun 2, 2021
@Ibrahimmaga Ibrahimmaga deleted the users/v-imaga/update-security-with-high-severity branch June 2, 2021 22:46
@Ibrahimmaga Ibrahimmaga restored the users/v-imaga/update-security-with-high-severity branch June 3, 2021 00:37