diff options
| author | Sheogorath | 2019-08-07 09:38:12 +0200 |
|---|---|---|
| committer | Sheogorath | 2019-08-15 23:14:48 +0200 |
| commit | c4053ea7ce359ec03773763fbf3fcb2be192778b (patch) | |
| tree | ba00b95a3985df85a4c30357b40c9212d9c46905 /yarn.lock | |
| parent | 57cfbcbd470c794d667dc7bdb91f9bb27245db94 (diff) | |
Update meta-marked to latest version
Meta-marked 0.4.4 which we used from our git repository contains a
RegexDOS attack in the marked dependency. The dependency was already
updated in our meta-marked repository, but not updated in yarn.
This made us still vulnerable to this ReDOS which was able to cause a
DOS attack on the server when updating a note.
For Details:
https://github.com/markedjs/marked/releases/tag/v0.7.0
https://github.com/markedjs/marked/pull/1515
What is a ReDOS?
A ReDOS attack is a DOS attack where an attacker targets a
not-well-written Regular Expression. Regular expressions try to build a
tree of all possibilities it can match in order to figure out if the
given statement is valid or not. A ReDOS attack abuses this concept by
providing a statement that doesn't match but causes extremly huge trees
that simply lead to exhausting CPU usage.
For more details see: https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS
Credit:
Huge thanks to @bitinerant for finding this and handling it with a
responsible disclosure.
Also thanks to the `marked`-team for fixing things already.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to 'yarn.lock')
| -rw-r--r-- | yarn.lock | 16 |
1 files changed, 8 insertions, 8 deletions
@@ -7590,10 +7590,10 @@ markdown-table@^1.1.0: resolved "https://registry.yarnpkg.com/markdown-table/-/markdown-table-1.1.3.tgz#9fcb69bcfdb8717bfd0398c6ec2d93036ef8de60" integrity sha512-1RUZVgQlpJSPWYbFSpmudq5nHY1doEIv89gBtF0s4gW1GF2XorxcA/70M5vq7rLv0a6mhOUccRsqkwhwLCIQ2Q== -marked@~0.6.2: - version "0.6.2" - resolved "https://registry.yarnpkg.com/marked/-/marked-0.6.2.tgz#c574be8b545a8b48641456ca1dbe0e37b6dccc1a" - integrity sha512-LqxwVH3P/rqKX4EKGz7+c2G9r98WeM/SW34ybhgNGhUQNKtf1GmmSkJ6cDGJ/t6tiyae49qRkpyTw2B9HOrgUA== +marked@~0.7.0: + version "0.7.0" + resolved "https://registry.yarnpkg.com/marked/-/marked-0.7.0.tgz#b64201f051d271b1edc10a04d1ae9b74bb8e5c0e" + integrity sha512-c+yYdCZJQrsRjTPhUx7VKkApw9bwDkNbHUKo1ovgcfDjb2kc8rLuRbIFyXL5WOEUwzSSKo3IXpph2K6DqB/KZg== math-interval-parser@^1.1.0: version "1.1.0" @@ -7769,12 +7769,12 @@ messageformat@^0.3.1: nopt "~3.0.6" watchr "~2.4.13" -"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.2": - version "0.4.4" - resolved "git+https://github.com/codimd/meta-marked#04fd9775b38566e41b71e3e63bd78717d3eb4445" +"meta-marked@git+https://github.com/codimd/meta-marked#semver:^0.4.5": + version "0.4.5" + resolved "git+https://github.com/codimd/meta-marked#30852d0efa633418865df179f5956cd3df0fd0b3" dependencies: js-yaml "~3.13.1" - marked "~0.6.2" + marked "~0.7.0" method-override@^2.3.7: version "2.3.10" |