Build(deps): [security] bump ua-parser-js from 0.7.32 to 0.7.33 #892

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-ua-parser-js-0.7.33 into master 2023-01-25 08:40:33 +00:00
argoyle commented 2023-01-25 04:46:47 +00:00 (Migrated from gitlab.com)

Bumps ua-parser-js (https://github.com/faisalman/ua-parser-js) from 0.7.32 to 0.7.33. This update includes a security fix.

Vulnerabilities fixed

ReDoS Vulnerability in ua-parser-js version

Description:

A regular expression denial of service (ReDoS) vulnerability has been discovered in ua-parser-js.

Impact:

This vulnerability bypasses the library's MAX_LENGTH input limit prevention. By crafting a very long user-agent string with a specific pattern, an attacker can turn the script to get stuck processing for a very long time, which results in a denial of service (DoS) condition.

Affected Versions:

All versions of the library prior to version 0.7.33 / 1.0.33.

Patches:

A patch has been released to remove the vulnerable regular expression; update to version 0.7.33 / 1.0.33 or later.

References:

Regular expression Denial of Service - ReDoS (https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS)

Credits:

Thanks to @Snyk who first reported the issue.

Patched versions: 0.7.33. Affected versions: < 0.7.33.

Changelog

Sourced from ua-parser-js's changelog (https://github.com/faisalman/ua-parser-js/blob/master/changelog.md).

Version 0.7.32 / 1.0.32

  • Add new browser : DuckDuckGo, Huawei Browser, LinkedIn
  • Add new OS : HarmonyOS
  • Add some Huawei models
  • Add Sharp Aquos TV
  • Improve detection Xiaomi Mi CC9
  • Fix Sony Xperia 1 III misidentified as Acer tablet
  • Fix Detect Sony BRAVIA as SmartTV
  • Fix Detect Xiaomi Mi TV as SmartTV
  • Fix Detect Galaxy Tab S8 as tablet
  • Fix WeGame mistakenly identified as WeChat
  • Fix included commas in Safari / Mobile Safari version
  • Increase UA_MAX_LENGTH to 350

Version 0.7.33 / 1.0.33

  • Add new browser : Cobalt
  • Identify Macintosh as an Apple device
  • Fix ReDoS vulnerability

Version 0.8

Version 0.8 was created by accident. This version is now deprecated and no longer maintained, please update to version 0.7 / 1.0.

Commits

  • f2d0db0 Bump version 0.7.33
  • a6140a1 Remove unsafe regex in trim() function
  • a886604 Fix #605 - Identify Macintosh as Apple device
  • b814bcd Merge pull request #606 from rileyjshaw/patch-1
  • 7f71024 Fix documentation
  • c239ac5 Merge pull request #604 from obecerra3/master
  • 8d3c2d3 Add new browser: Cobalt
  • See full diff in compare view (https://github.com/faisalman/ua-parser-js/compare/0.7.32...0.7.33)

Dependabot commands

You can trigger Dependabot actions by commenting on this MR
  • `$dependabot rebase` will rebase this MR
  • `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts
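The advisory above describes the two halves of the fix: the input-length limit (UA_MAX_LENGTH, raised to 350 in 0.7.32) and the removal of an unsafe regex from trim(). The following is an added example, not code from ua-parser-js or from this merge request, showing why the order of those two steps matters. It assumes an application that receives the raw User-Agent header and wants to bound the work any regex-based processing can do on it; the exact expression removed in 0.7.33 is not shown on this page, so regexTrim() is a stand-in of the common `/^\s+|\s+$/g` shape, and isSpace(), linearTrim(), boundInput() and prepareUserAgent() are names chosen for this example.

```javascript
// Added example, not ua-parser-js's own code. Assumptions: the host
// application holds the raw User-Agent header; UA_MAX_LENGTH = 350 is the
// value named in the 0.7.32 changelog; regexTrim() is a stand-in, since the
// regex removed in 0.7.33 is not shown on the page.
const UA_MAX_LENGTH = 350;

// Regex trim of the form often found in older libraries. On input such as
// "x" + " ".repeat(n) + "y", "^\s+" fails at once, and "\s+$" is retried
// from each of the n spaces: it matches greedily up to "y", "$" fails, and
// the engine backtracks one space at a time, so the total cost is O(n^2).
function regexTrim(s) {
  return s.replace(/^\s+|\s+$/g, '');
}

// ASCII whitespace only. JavaScript's \s also matches Unicode spaces, so the
// two trims are guaranteed to agree only on ASCII input (assumption).
function isSpace(code) {
  return code === 0x20 || (code >= 0x09 && code <= 0x0d);
}

// Linear-time trim: two index scans, no regex, so no backtracking is possible.
function linearTrim(s) {
  let start = 0;
  let end = s.length;
  while (start < end && isSpace(s.charCodeAt(start))) start++;
  while (end > start && isSpace(s.charCodeAt(end - 1))) end--;
  return s.slice(start, end);
}

// Enforce the length limit BEFORE any regex touches the string. Trimming
// first and checking the length afterwards leaves the trim itself exposed to
// an over-long input, which is the limit bypass the advisory describes.
function boundInput(ua) {
  if (typeof ua !== 'string') return '';
  return ua.length > UA_MAX_LENGTH ? ua.slice(0, UA_MAX_LENGTH) : ua;
}

// Pre-processing a caller can apply before handing the header to a parser.
function prepareUserAgent(ua) {
  return linearTrim(boundInput(ua));
}

// Wall-clock cost of fn(input) in milliseconds, for the demo below.
function measureMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed input: one non-space, a long run of spaces, one non-space.
  const longInput = 'x' + ' '.repeat(10000) + 'y';
  console.log('regexTrim, unbounded input:  ', measureMs(regexTrim, longInput).toFixed(1), 'ms');
  console.log('linearTrim, unbounded input: ', measureMs(linearTrim, longInput).toFixed(1), 'ms');
  console.log('prepareUserAgent, bounded:   ', measureMs(prepareUserAgent, longInput).toFixed(1), 'ms');
  console.log(JSON.stringify(prepareUserAgent('  Mozilla/5.0 (X11; Linux x86_64)  ')));
}
```

Run with `node` to see the quadratic trim's cost grow with the run of spaces while the linear trim and the bounded path stay flat. The design point is the ordering in prepareUserAgent(): the cap is applied to the raw string, so nothing downstream, regex or not, ever sees more than UA_MAX_LENGTH characters.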
argoyle commented 2023-01-25 08:40:23 +00:00 (Migrated from gitlab.com)

added 4 commits

  • 355203d5...55bcd5d2 - 3 commits from branch master
  • 9d932b2f - Build(deps): [security] bump ua-parser-js from 0.7.32 to 0.7.33

[Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/843/diffs?diff_id=585987087&start_sha=355203d5d8c0f25dae8ce9fe016772c6275e14d7)
argoyle (Migrated from gitlab.com) merged commit into master 2023-01-25 08:40:34 +00:00