diff options
| author | Sheogorath | 2019-08-07 09:38:12 +0200 |
|---|---|---|
| committer | Sheogorath | 2019-08-15 23:14:48 +0200 |
| commit | c4053ea7ce359ec03773763fbf3fcb2be192778b (patch) | |
| tree | ba00b95a3985df85a4c30357b40c9212d9c46905 /lib/web/middleware/tooBusy.js | |
| parent | 57cfbcbd470c794d667dc7bdb91f9bb27245db94 (diff) | |
Update meta-marked to latest version
Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.
For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515
What is a ReDOS?
A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked`-team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions