dancefinder/dancefinder-app
5
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Activity

Build(deps): [security] bump undici from 5.12.0 to 5.19.1 #955

Merged
argoyle merged 1 commits from dependabot-npm_and_yarn-undici-5.19.1 into master 2023-02-17 08:53:26 +00:00
Conversation 1 Commits 1 Files Changed 1
+3 -3
argoyle commented 2023-02-17 04:45:35 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

Bumps undici from 5.12.0 to 5.19.1. This update includes security fixes.

Vulnerabilities fixed

Regular Expression Denial of Service in Headers

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

Credits

Carter Snook reported this vulnerability.

Patched versions: 5.19.1 Affected versions: < 5.19.1

CRLF Injection in Nodejs ‘undici’ via host

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

Patched versions: 5.19.1 Affected versions: >= 2.0.0, < 5.19.1

Release notes

Sourced from undici's releases.

v5.19.1

⚠️ Security Release ⚠️

This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

v5.19.0

What's Changed

New Contributors

Full Changelog: https://github.com/nodejs/undici/compare/v5.18.0...v5.19.0

v5.18.0

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v5.17.1...v5.18.0

v5.17.1

What's Changed

Full Changelog: https://github.com/nodejs/undici/compare/v5.17.0...v5.17.1

v5.17.0

What's Changed

... (truncated)

Commits
  • 984d53b Bumped v5.19.1
  • 6c32c0f lint fixes
  • f2324e5 Merge pull request from GHSA-r6ch-mqf9-qc9w
  • a2eff05 Merge pull request from GHSA-5r9g-qh6m-jxff
  • f5c89e5 Bumped v5.19.0
  • f7c6c6a Make the fetch() abort test pass locally, on Linux and Mac, Node 18 and 19 (#...
  • aebb232 fix(types): add missing keepAlive params (#1918)
  • e155c6d doc(mock): update out-of-date reply documentation (#1913)
  • 87fa734 fix(headers): clone getSetCookie list & add getSetCookie type (#1917)
  • ba5ef44 feat: add Headers.prototype.getSetCookie (#1915)
  • Additional commits viewable in compare view

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
Bumps [undici](https://github.com/nodejs/undici) from 5.12.0 to 5.19.1. **This update includes security fixes.** <details> <summary>Vulnerabilities fixed</summary> <blockquote> <p><strong>Regular Expression Denial of Service in Headers</strong></p> <h3>Impact</h3> <p>The <code>Headers.set()</code> and <code>Headers.append()</code> methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the <code>headerValueNormalize()</code> utility function.</p> <h3>Patches</h3> <p>This vulnerability was patched in v5.19.1.</p> <h3>Workarounds</h3> <p>There is no workaround. Please update to an unaffected version.</p> <h3>References</h3> <ul> <li><a href="https://hackerone.com/bugs?report_id=1784449">https://hackerone.com/bugs?report_id=1784449</a></li> </ul> <h3>Credits</h3> <p>Carter Snook reported this vulnerability.</p> <p>Patched versions: 5.19.1 Affected versions: &lt; 5.19.1</p> </blockquote> <blockquote> <p><strong>CRLF Injection in Nodejs ‘undici’ via host</strong></p> <h3>Impact</h3> <p>undici library does not protect <code>host</code> HTTP header from CRLF injection vulnerabilities.</p> <h3>Patches</h3> <p>This issue was patched in Undici v5.19.1.</p> <h3>Workarounds</h3> <p>Sanitize the <code>headers.host</code> string before passing to undici.</p> <h3>References</h3> <p>Reported at <a href="https://hackerone.com/reports/1820955">https://hackerone.com/reports/1820955</a>.</p> <h3>Credits</h3> <p>Thank you to Zhipeng Zhang (<a href="https://hackerone.com/timon8"><code>@​timon8</code></a>) for reporting this vulnerability.</p> <p>Patched versions: 5.19.1 Affected versions: &gt;= 2.0.0, &lt; 5.19.1</p> </blockquote> </details> <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/nodejs/undici/releases">undici's releases</a>.</em></p> <blockquote> <h2>v5.19.1</h2> <h2>⚠️ Security Release ⚠️</h2> <ul> <li><a href="https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w">Regular Expression Denial of Service in Headers</a> with CVE-2023-24807</li> <li><a href="https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff">CRLF Injection in Nodejs ‘undici’ via host</a> with CVE-2023-23936</li> </ul> <p>This release is part of the Node.js security release train: <a href="https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/">https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/</a></p> <h2>v5.19.0</h2> <h2>What's Changed</h2> <ul> <li>fix(fetch): raise AbortSignal max event listeners by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1910">nodejs/undici#1910</a></li> <li>fix: content-disposition header parsing by <a href="https://github.com/climba03003"><code>@​climba03003</code></a> in <a href="https://github.com/nodejs/undici/pull/1911">nodejs/undici#1911</a></li> <li>fix: remove test by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1916">nodejs/undici#1916</a></li> <li>feat: add Headers.prototype.getSetCookie by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1915">nodejs/undici#1915</a></li> <li>fix(headers): clone getSetCookie list &amp; add getSetCookie type by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1917">nodejs/undici#1917</a></li> <li>doc(mock): update out-of-date reply documentation by <a href="https://github.com/p9f"><code>@​p9f</code></a> in <a href="https://github.com/nodejs/undici/pull/1913">nodejs/undici#1913</a></li> <li>fix(types): add missing keepAlive params by <a href="https://github.com/SkeLLLa"><code>@​SkeLLLa</code></a> in <a href="https://github.com/nodejs/undici/pull/1918">nodejs/undici#1918</a></li> <li>Make the fetch() abort test pass locally, on Linux and Mac, Node 18/19. by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://github.com/nodejs/undici/pull/1927">nodejs/undici#1927</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/climba03003"><code>@​climba03003</code></a> made their first contribution in <a href="https://github.com/nodejs/undici/pull/1911">nodejs/undici#1911</a></li> <li><a href="https://github.com/p9f"><code>@​p9f</code></a> made their first contribution in <a href="https://github.com/nodejs/undici/pull/1913">nodejs/undici#1913</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v5.18.0...v5.19.0">https://github.com/nodejs/undici/compare/v5.18.0...v5.19.0</a></p> <h2>v5.18.0</h2> <h2>What's Changed</h2> <ul> <li>Add ability to set TCP keepalive by <a href="https://github.com/xconverge"><code>@​xconverge</code></a> in <a href="https://github.com/nodejs/undici/pull/1904">nodejs/undici#1904</a></li> <li>use faster timers by <a href="https://github.com/ronag"><code>@​ronag</code></a> in <a href="https://github.com/nodejs/undici/pull/1908">nodejs/undici#1908</a></li> <li>fix: ensure header value is a string by <a href="https://github.com/ronag"><code>@​ronag</code></a> in <a href="https://github.com/nodejs/undici/pull/1899">nodejs/undici#1899</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v5.17.1...v5.18.0">https://github.com/nodejs/undici/compare/v5.17.1...v5.18.0</a></p> <h2>v5.17.1</h2> <h2>What's Changed</h2> <ul> <li>fix: bad buffer slice (<a href="https://github.com/nodejs/undici/commit/d2be675575512794dcd41b9683b209fc15368154">https://github.com/nodejs/undici/commit/d2be675575512794dcd41b9683b209fc15368154</a>)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/nodejs/undici/compare/v5.17.0...v5.17.1">https://github.com/nodejs/undici/compare/v5.17.0...v5.17.1</a></p> <h2>v5.17.0</h2> <h2>What's Changed</h2> <ul> <li>fix(wpts): Blob is a global getter in &gt;=v19.x.x by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1880">nodejs/undici#1880</a></li> <li>doc: fix anchor links dispatcher.stream by <a href="https://github.com/RafaelGSS"><code>@​RafaelGSS</code></a> in <a href="https://github.com/nodejs/undici/pull/1881">nodejs/undici#1881</a></li> <li>wpt: make runner more resilient by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1884">nodejs/undici#1884</a></li> <li>Make test pass in v19.x by <a href="https://github.com/mcollina"><code>@​mcollina</code></a> in <a href="https://github.com/nodejs/undici/pull/1879">nodejs/undici#1879</a></li> <li>Correct the type of DispatchOptions[&quot;headers&quot;] by <a href="https://github.com/pan93412"><code>@​pan93412</code></a> in <a href="https://github.com/nodejs/undici/pull/1896">nodejs/undici#1896</a></li> <li>perf(content-type parser): faster string collector by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1894">nodejs/undici#1894</a></li> <li>feat: expose content-type parser by <a href="https://github.com/KhafraDev"><code>@​KhafraDev</code></a> in <a href="https://github.com/nodejs/undici/pull/1895">nodejs/undici#1895</a></li> <li>fix(types): Update DispatchOptions type for missing &quot;blocking&quot; by <a href="https://github.com/xconverge"><code>@​xconverge</code></a> in <a href="https://github.com/nodejs/undici/pull/1889">nodejs/undici#1889</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/nodejs/undici/commit/984d53bad97c98529424a7f3bef6be1d0e76d039"><code>984d53b</code></a> Bumped v5.19.1</li> <li><a href="https://github.com/nodejs/undici/commit/6c32c0fd5b874328e5e1f635e2cc431aa21cddab"><code>6c32c0f</code></a> lint fixes</li> <li><a href="https://github.com/nodejs/undici/commit/f2324e549943f0b0937b09fb1c0c16cc7c93abdf"><code>f2324e5</code></a> Merge pull request from GHSA-r6ch-mqf9-qc9w</li> <li><a href="https://github.com/nodejs/undici/commit/a2eff05401358f6595138df963837c24348f2034"><code>a2eff05</code></a> Merge pull request from GHSA-5r9g-qh6m-jxff</li> <li><a href="https://github.com/nodejs/undici/commit/f5c89e5c87c7d702996b152c4ad86302b60c4181"><code>f5c89e5</code></a> Bumped v5.19.0</li> <li><a href="https://github.com/nodejs/undici/commit/f7c6c6a4a2aef7ee3b8207c4eeab700cb0cfc7dc"><code>f7c6c6a</code></a> Make the fetch() abort test pass locally, on Linux and Mac, Node 18 and 19 (#...</li> <li><a href="https://github.com/nodejs/undici/commit/aebb232d22e9adafce015b985093114a95b560f0"><code>aebb232</code></a> fix(types): add missing keepAlive params (<a href="https://github.com/nodejs/undici/issues/1918">#1918</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/e155c6db5cec9bc577d548fa7c7378013631c79c"><code>e155c6d</code></a> doc(mock): update out-of-date reply documentation (<a href="https://github.com/nodejs/undici/issues/1913">#1913</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/87fa73498d6014a33989179cfaa4347dcb29600f"><code>87fa734</code></a> fix(headers): clone getSetCookie list &amp; add getSetCookie type (<a href="https://github.com/nodejs/undici/issues/1917">#1917</a>)</li> <li><a href="https://github.com/nodejs/undici/commit/ba5ef44b71eff5a86a8473850a326ff7392664d3"><code>ba5ef44</code></a> feat: add Headers.prototype.getSetCookie (<a href="https://github.com/nodejs/undici/issues/1915">#1915</a>)</li> <li>Additional commits viewable in <a href="https://github.com/nodejs/undici/compare/v5.12.0...v5.19.1">compare view</a></li> </ul> </details> <br /> --- <details> <summary>Dependabot commands</summary> <br /> You can trigger Dependabot actions by commenting on this MR - `$dependabot rebase` will rebase this MR - `$dependabot recreate` will recreate this MR rewriting all the manual changes and resolving conflicts </details>
argoyle commented 2023-02-17 08:53:14 +00:00 (Migrated from gitlab.com)
Copy Link
Copy Source

added 2 commits

  • ad7fe1b6 - 1 commit from branch master
  • a029da8b - Build(deps): [security] bump undici from 5.12.0 to 5.19.1

Compare with previous version

added 2 commits <ul><li>ad7fe1b6 - 1 commit from branch <code>master</code></li><li>a029da8b - Build(deps): [security] bump undici from 5.12.0 to 5.19.1</li></ul> [Compare with previous version](/unboundsoftware/dancefinder/dancefinder-app/-/merge_requests/906/diffs?diff_id=606624720&start_sha=8c33000b64861ef937d2e62266d56bb2fc577356)
argoyle (Migrated from gitlab.com) merged commit into master 2023-02-17 08:53:26 +00:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
dependencies
Pull requests that update a dependency file
 docker
javascript
security
Pull requests that address a security vulnerability
 severity:critical
severity:high
severity:low
severity:moderate
No Label dependencies javascript security
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
argoyle (Joakim Olsson) buildtools (Buildtools) kubernetes (Kubernetes) releaser (Unbound Releaser) renovate (Renovate Bot)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dancefinder/dancefinder-app#955
Delete Branch "dependabot-npm_and_yarn-undici-5.19.1"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?