diff options
| author | Sheogorath | 2019-08-07 09:38:12 +0200 |
|---|---|---|
| committer | Sheogorath | 2019-08-15 23:14:48 +0200 |
| commit | c4053ea7ce359ec03773763fbf3fcb2be192778b (patch) | |
| tree | ba00b95a3985df85a4c30357b40c9212d9c46905 | |
| parent | 57cfbcbd470c794d667dc7bdb91f9bb27245db94 (diff) | |
Update meta-marked to latest version
Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.
For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515
What is a ReDOS?
A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked`-team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
| -rw-r--r-- | package.json | 4 | ||||
| -rw-r--r-- | yarn.lock | 16 |
2 files changed, 10 insertions, 10 deletions
diff --git a/package.json b/package.json index b495ed94..2649d5af 100644 --- a/package.json +++ b/package.json @@ -82,7 +82,7 @@ "mathjax": "~2.7.0", "mattermost": "^3.4.0", "mermaid": "~8.2.3", - "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.2", + "meta-marked": "git+https://github.com/codimd/meta-marked#semver:^0.4.5", "method-override": "^2.3.7", "minimist": "^1.2.0", "minio": "^6.0.0", @@ -193,8 +193,8 @@ "mocha": "^5.2.0", "mock-require": "^3.0.3", "optimize-css-assets-webpack-plugin": "^5.0.0", - "sequelize-cli": "^5.4.0", "script-loader": "^0.7.2", + "sequelize-cli": "^5.4.0", "string-loader": "^0.0.1", "style-loader": "^0.21.0", "uglifyjs-webpack-plugin": "^1.2.7", @@ -7590,10 +7590,10 @@ markdown-table@^1.1.0: resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.3.tgz#9fcb69bcfdb8717bfd0398c6ec2d93036ef8de60" integrity sha512-1RUZVgQlpJSPWYbFSpmudq5nHY1doEIv89gBtF0s4gW1GF2XorxcA/70M5vq7rLv0a6mhOUccRsqkwhwLCIQ2Q== -marked@~0.6.2: - version "0.6.2" - resolved "https://registry.yarnpkg.com/marked/-/marked-0.6.2.tgz#c574be8b545a8b48641456ca1dbe0e37b6dccc1a" - integrity sha512-LqxwVH3P/rqKX4EKGz7+c2G9r98WeM/SW34ybhgNGhUQNKtf1GmmSkJ6cDGJ/t6tiyae49qRkpyTw2B9HOrgUA== +marked@~0.7.0: + version "0.7.0" + resolved "https://registry.yarnpkg.com/marked/-/marked-0.7.0.tgz#b64201f051d271b1edc10a04d1ae9b74bb8e5c0e" + integrity sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg== math-interval-parser@^1.1.0: version "1.1.0" @@ -7769,12 +7769,12 @@ messageformat@^0.3.1: nopt "~3.0.6" watchr "~2.4.13" -"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.2": - version "0.4.4" - resolved "git+https://github.com/codimd/meta-marked#04fd9775b38566e41b71e3e63bd78717d3eb4445" +"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.5": + version "0.4.5" + resolved "git+https://github.com/codimd/meta-marked#30852d0efa633418865df179f5956cd3df0fd0b3" dependencies: js-yaml "~3.13.1" - marked "~0.6.2" + marked "~0.7.0" method-override@^2.3.7: version "2.3.10" |