dancefinder/dancefinder-app
5
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Activity

Build(deps): [security] bump moment-timezone from 0.5.34 to 0.5.37 #577

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-moment-timezone-0.5.37 into master 2022-08-31 10:45:19 +00:00
Conversation 3 Commits 1 Files Changed 1
+3 -3
argoyle commented 2022-08-31 04:43:25 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

Bumps moment-timezone from 0.5.34 to 0.5.37. This update includes security fixes.

Vulnerabilities fixed

Command Injection in moment-timezone

Impact

All versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.

  • if Alice uses tzdata pipeline to package moment-timezone on her own (for example via grunt data:2014d, where 2014d stands for the version of the tzdata to be used from IANA's website),
  • and Alice let's Mallory select the version (2014d in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task

Am I affected?

Do you build custom versions of moment-timezone with grunt?

If no, you're not affected.

Do you allow a third party to specify which particular version you want build?

If yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.

Description

Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint

... (truncated)

Patched versions: 0.5.35 Affected versions: >= 0.1.0, < 0.5.35

Cleartext Transmission of Sensitive Information in moment-timezone

Impact

  • if Alice uses grunt data (or grunt release) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website
  • and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)

Patches

Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.

Workarounds

Specify the exact version of tzdata (like 2014d, full command being grunt data:2014d, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.

Patched versions: 0.5.35 Affected versions: >= 0.1.0, < 0.5.35

Changelog

Sourced from moment-timezone's changelog.

0.5.37 2022.08-25

0.5.36 2022.08-25

  • IANA TZDB 2022c
  • improvements/fixes to data pipeline

0.5.35 2022-08-23

Thanks to the OpenSSF Alpha-Omega project for reporting these!

Commits
  • ffe6f34 Add changelog for 0.5.37
  • 450ca63 Bump version to 0.5.37
  • 95f1a9b Build moment-timezone 0.5.36
  • abba28c Add changelog for 0.5.36
  • ac6de03 Bump version to 0.5.36
  • 7a5cadf tests: Fix country tests for 2022c
  • 6754c75 data: generate 2022c data+tests
  • f74a364 bugfix: Wipe tests/zones before generation
  • e850f9f grunt: do not bundle zone and contry tests
  • f13e22b data: automatically create data/*/VERSION.json for latest
  • Additional commits viewable in compare view

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
Bumps [moment-timezone](https://github.com/moment/moment-timezone) from 0.5.34 to 0.5.37. **This update includes security fixes.** <details> <summary>Vulnerabilities fixed</summary> <blockquote> <p><strong>Command Injection in moment-timezone</strong></p> <h3>Impact</h3> <p>All versions of moment-timezone from 0.1.0 contain build tasks vulnerable to command injection.</p> <ul> <li>if Alice uses tzdata pipeline to package moment-timezone on her own (for example via <code>grunt data:2014d</code>, where <code>2014d</code> stands for the version of the tzdata to be used from IANA's website),</li> <li>and Alice let's Mallory select the version (<code>2014d</code> in our example), then Mallory can execute arbitrary commands on the machine running the grunt task, with the same privilege as the grunt task</li> </ul> <h4>Am I affected?</h4> <h5>Do you build custom versions of moment-timezone with grunt?</h5> <p>If no, you're not affected.</p> <h5>Do you allow a third party to specify which particular version you want build?</h5> <p>If yes, you're vulnerable to command injection -- third party may execute arbitrary commands on the system running grunt task with the same privileges as grunt task.</p> <h3>Description</h3> <h4>Command Injection via grunt-zdownload.js and MITM on iana's ftp endpoint</h4> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> <blockquote> <p>Patched versions: 0.5.35 Affected versions: &gt;= 0.1.0, &lt; 0.5.35</p> </blockquote> <blockquote> <p><strong>Cleartext Transmission of Sensitive Information in moment-timezone</strong></p> <h3>Impact</h3> <ul> <li>if Alice uses <code>grunt data</code> (or <code>grunt release</code>) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website</li> <li>and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)</li> </ul> <h3>Patches</h3> <p>Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.</p> <h3>Workarounds</h3> <p>Specify the exact version of tzdata (like <code>2014d</code>, full command being <code>grunt data:2014d</code>, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.</p> <p>Patched versions: 0.5.35 Affected versions: &gt;= 0.1.0, &lt; 0.5.35</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/moment/moment-timezone/blob/develop/changelog.md">moment-timezone's changelog</a>.</em></p> <blockquote> <h3><code>0.5.37</code> <em>2022.08-25</em></h3> <ul> <li>Re-publish npm package, because of extra folder present in 0.5.36, check <a href="https://github.com/moment/moment-timezone/issues/999">moment/moment-timezone#999</a></li> </ul> <h3><code>0.5.36</code> <em>2022.08-25</em></h3> <ul> <li>IANA TZDB 2022c</li> <li>improvements/fixes to data pipeline</li> </ul> <h3><code>0.5.35</code> <em>2022-08-23</em></h3> <ul> <li>Fix command injection in data pipeline <a href="https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9">https://github.com/moment/moment-timezone/security/advisories/GHSA-56x4-j7p9-fcf9</a></li> <li>Fix cleartext transmission of sensitive information <a href="https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c">https://github.com/moment/moment-timezone/security/advisories/GHSA-v78c-4p63-2j6c</a></li> </ul> <p>Thanks to the OpenSSF Alpha-Omega project for reporting these!</p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/moment/moment-timezone/commit/ffe6f340a6bdae6be1cbc1cbef4a4f2b87e2c63c"><code>ffe6f34</code></a> Add changelog for 0.5.37</li> <li><a href="https://github.com/moment/moment-timezone/commit/450ca6304ba62baf27817ed7840828eee4e3b0c5"><code>450ca63</code></a> Bump version to 0.5.37</li> <li><a href="https://github.com/moment/moment-timezone/commit/95f1a9b5cd3a15b8c75bd36029152ff1b43a5136"><code>95f1a9b</code></a> Build moment-timezone 0.5.36</li> <li><a href="https://github.com/moment/moment-timezone/commit/abba28c7b0e1faf7df8592806007fcb2753b3078"><code>abba28c</code></a> Add changelog for 0.5.36</li> <li><a href="https://github.com/moment/moment-timezone/commit/ac6de03cf34610068185961613d719bc050c7d2b"><code>ac6de03</code></a> Bump version to 0.5.36</li> <li><a href="https://github.com/moment/moment-timezone/commit/7a5cadf9cbece0a9c7b9da0ee244c21375eb33a6"><code>7a5cadf</code></a> tests: Fix country tests for 2022c</li> <li><a href="https://github.com/moment/moment-timezone/commit/6754c75f5be4fbb16e90e336c9decbad6b506388"><code>6754c75</code></a> data: generate 2022c data+tests</li> <li><a href="https://github.com/moment/moment-timezone/commit/f74a364b1aac2c96cedd0a8cf5c7188268b9bcde"><code>f74a364</code></a> bugfix: Wipe tests/zones before generation</li> <li><a href="https://github.com/moment/moment-timezone/commit/e850f9fa6d3b440c51ae0cda7d9d573627839167"><code>e850f9f</code></a> grunt: do not bundle zone and contry tests</li> <li><a href="https://github.com/moment/moment-timezone/commit/f13e22b069f9115eddad5294a4c0f5335c61590a"><code>f13e22b</code></a> data: automatically create data/*/VERSION.json for latest</li> <li>Additional commits viewable in <a href="https://github.com/moment/moment-timezone/compare/0.5.34...0.5.37">compare view</a></li> </ul> </details> <br /> --- <details> <summary>Dependabot commands</summary> <br /> You can trigger Dependabot actions by commenting on this MR - `$dependabot rebase` will rebase this MR - `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts </details>
argoyle commented 2022-08-31 09:27:38 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

added 2 commits

  • b3feae02 - 1 commit from branch master
  • a9ced654 - Build(deps): [security] bump moment-timezone from 0.5.34 to 0.5.37

Compare with previous version

added 2 commits <ul><li>b3feae02 - 1 commit from branch <code>master</code></li><li>a9ced654 - Build(deps): [security] bump moment-timezone from 0.5.34 to 0.5.37</li></ul> [Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/528/diffs?diff_id=473570604&start_sha=78346363b18bb32ed7ea225b78efead813ad81ca)
argoyle commented 2022-08-31 09:40:33 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

added 2 commits

  • 48a718e4 - 1 commit from branch master
  • d959242c - Build(deps): [security] bump moment-timezone from 0.5.34 to 0.5.37

Compare with previous version

added 2 commits <ul><li>48a718e4 - 1 commit from branch <code>master</code></li><li>d959242c - Build(deps): [security] bump moment-timezone from 0.5.34 to 0.5.37</li></ul> [Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/528/diffs?diff_id=473585347&start_sha=a9ced654019293ae533b6d46942aefe1d35f2f45)
argoyle commented 2022-08-31 09:55:32 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

added 2 commits

  • f4bc110d - 1 commit from branch master
  • 7cc84ef3 - Build(deps): [security] bump moment-timezone from 0.5.34 to 0.5.37

Compare with previous version

added 2 commits <ul><li>f4bc110d - 1 commit from branch <code>master</code></li><li>7cc84ef3 - Build(deps): [security] bump moment-timezone from 0.5.34 to 0.5.37</li></ul> [Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/528/diffs?diff_id=473601870&start_sha=d959242c04db8e785182183eeaa44ffc3975f2e9)
argoyle (Migrated from gitlab.com) merged commit into master 2022-08-31 10:45:20 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
dependencies
Pull requests that update a dependency file
 docker
javascript
security
Pull requests that address a security vulnerability
 severity:critical
severity:high
severity:low
severity:moderate
No Label dependencies javascript security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#577
Delete Branch "dependabot-npm_and_yarn-moment-timezone-0.5.37"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?