Public bug reported: glob-parent before 5.1.2 vulnerable to Regular Expression Denial of Service in enclosure regex
- https://github.com/advisories/GHSA-ww39-953v-wcq6
- https://nvd.nist.gov/vuln/detail/CVE-2020-28469
- https://cwe.mitre.org/data/definitions/400.html

In our third-party libraries, we are waiting for gulp to update their dependencies. However, it's been 3 years since their last update. Unsure if they will.

Yet to be fixed: gulp - but not hopeful currently
https://twitter.com/gulpjs/status/1564430489473077248?cxt=HHwWgMCqjbrP_LUrAAAA

However, our CSS gets compiled from hardcoded sass files before webpages get loaded.

mahara-themes@1.0.2 /.../.../code/mahara
├─┬ gulp@4.0.2 🚨
│ ├─┬ glob-watcher@5.0.5
│ │ └─┬ chokidar@2.1.8
│ │   └── glob-parent@3.1.0 🚨
│ └─┬ vinyl-fs@3.0.3
│   └─┬ glob-stream@6.1.0
│     └── glob-parent@3.1.0 deduped 🚨
└─┬ sass@1.57.1
  └─┬ chokidar@3.5.3
    └── glob-parent@5.1.2 ✅

** Affects: mahara
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/2003988

Title:
  glob-parent vulnerability

Status in Mahara:
  New
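Two checks a maintainer could run on this finding, added here as an example (this is not code from Mahara, gulp or glob-parent): the "enclosure" regex as shipped in glob-parent 5.1.1 beside the 5.1.2 fix, timed on a crafted input to show the backtracking the advisory describes, and a walk of `npm ls --json` output that reports every path still resolving glob-parent below 5.1.2. The two regex literals are transcribed from the upstream fix; the sample tree is constructed to mirror the one in the report, and `compareVersions` is a simplified stand-in for a real semver comparison. Run it with `node`.

```javascript
'use strict';

// Added example; not Mahara's or glob-parent's code. Part 1 contrasts the
// "enclosure" regex from glob-parent 5.1.1 (vulnerable) with the one from
// 5.1.2 (fixed); part 2 walks `npm ls --json` output for glob-parent < 5.1.2.

// Transcribed from glob-parent 5.1.1 (vulnerable) and 5.1.2 (fixed). Both
// accept the same strings: `[\/]*` is optional, so `.*[\/]*.*` matches exactly
// what `.*` does. The redundant quantifiers only give the engine more ways to
// split the input before the final `[\}\]]$` fails, and retrying all of those
// splits is the polynomial backtracking behind CVE-2020-28469.
const enclosureVulnerable = /[\{\[].*[\/]*.*[\}\]]$/;
const enclosureFixed = /[\{\[].*[\}\]]$/;

// Worst-case input: an opening brace, n slashes and no closing brace, so every
// split of the slashes between the three quantifiers is tried and fails.
function redosInput(n) {
  return '{' + '/'.repeat(n);
}

// Run one regex once; report whether it matched and how long it took.
function timeTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, elapsedMs };
}

// The fix must not change results: both regexes agree on every input.
function regexesAgree(inputs) {
  return inputs.every((s) => enclosureVulnerable.test(s) === enclosureFixed.test(s));
}

// Compare dotted numeric versions (3.1.0 < 5.1.2 < 5.1.10); returns -1/0/1.
// Prerelease tags are ignored, which is enough for the versions in this tree.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Recurse through the nested `dependencies` objects of `npm ls --json` and
// return every path that ends in `pkg` at a version below `fixedVersion`.
// Every occurrence of `pkg` in the input is reported, deduped or not.
function findVulnerablePaths(tree, pkg, fixedVersion, path = [], out = []) {
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${name}@${node.version}`];
    if (name === pkg && compareVersions(node.version, fixedVersion) < 0) {
      out.push(here.join(' > '));
    }
    findVulnerablePaths(node, pkg, fixedVersion, here, out);
  }
  return out;
}

// Constructed `npm ls --json` excerpt mirroring the tree in the bug report.
const sampleTree = {
  name: 'mahara-themes', version: '1.0.2',
  dependencies: {
    gulp: { version: '4.0.2', dependencies: {
      'glob-watcher': { version: '5.0.5', dependencies: {
        chokidar: { version: '2.1.8', dependencies: {
          'glob-parent': { version: '3.1.0' } } } } },
      'vinyl-fs': { version: '3.0.3', dependencies: {
        'glob-stream': { version: '6.1.0', dependencies: {
          'glob-parent': { version: '3.1.0' } } } } } } },
    sass: { version: '1.57.1', dependencies: {
      chokidar: { version: '3.5.3', dependencies: {
        'glob-parent': { version: '5.1.2' } } } } },
  },
};

// Doubling n multiplies the vulnerable regex's time by roughly eight (the
// work grows as the cube of n); the fixed regex stays linear. n is kept
// small so this finishes in well under a second.
for (const n of [100, 200, 400]) {
  const v = timeTest(enclosureVulnerable, redosInput(n));
  const f = timeTest(enclosureFixed, redosInput(n));
  console.log(`n=${n}: vulnerable ${v.elapsedMs.toFixed(2)} ms, fixed ${f.elapsedMs.toFixed(3)} ms`);
}
console.log(findVulnerablePaths(sampleTree, 'glob-parent', '5.1.2'));
```

On the sample tree the walk reports both gulp paths (glob-watcher → chokidar 2 and vinyl-fs → glob-stream) and nothing under sass, matching the markers in the report; re-running it against real `npm ls --json` output after a dependency bump tells you whether the vulnerable resolution is actually gone. Whether the finding is reachable is a separate question: the regex only runs on glob patterns handed to glob-parent, which in a build-time Sass compile over hardcoded files are not attacker-controlled.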