[jira] [Commented] (NETBEANS-4280) cleanup potential security breaches

2020-04-30 Thread Brad Walker (Jira)


[ https://issues.apache.org/jira/browse/NETBEANS-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17096771#comment-17096771 ]

Brad Walker commented on NETBEANS-4280:
---

Hey @ebarboni, I don't have a reviewer in mind.

This is only a version bump for the libraries. In addition, it's only for 
sample code. So the fix is low on the risk scale.

> cleanup potential security breaches
> ---
>
> Key: NETBEANS-4280
> URL: https://issues.apache.org/jira/browse/NETBEANS-4280
> Project: NetBeans
>  Issue Type: Bug
>Reporter: Brad Walker
>Assignee: Brad Walker
>Priority: Major
> Fix For: Next
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> There are a few known security breaches in the sample source.
> Specifically the following alerts: 
> CVE-2019-5484
> Bower before 1.8.8 has a path traversal vulnerability permitting file write 
> in arbitrary locations via install command, which allows attackers to write 
> arbitrary files when a malicious package is extracted.
> CVE-2019-5413
> An attacker can use the format parameter to inject arbitrary commands in the 
> npm package morgan < 1.9.1.
> CVE-2017-16137
> The debug module is vulnerable to regular expression denial of service when 
> untrusted user input is passed into the o formatter. It takes around 50k 
> characters to block for 2 seconds, making this a low severity issue.
> I'm not saying these are critical. But it's better we fix them to prevent 
> any possibility of using NetBeans IDE to allow someone to exploit this, as 
> well as set the proper example.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: commits-unsubscr...@netbeans.apache.org
For additional commands, e-mail: commits-h...@netbeans.apache.org

For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists
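As an added illustration of the kind of check that sits behind a dependency version bump like the one discussed in this issue (example code written for this page, not part of the Jira thread or the NetBeans project): the script below reads a package.json-style manifest and flags any dependency whose range can still resolve to a release below the fixed version named in the issue text. The minimum patched versions for bower (1.8.8) and morgan (1.9.1) come from the issue; the issue names no fixed release for debug, so that entry is flagged for manual review rather than given a version. The manifests, the `ADVISORIES` table and the function names are constructed for the example.

```javascript
// Added example (not from the Jira thread or the NetBeans project): audit a
// package.json-style manifest against the minimum patched versions named in
// NETBEANS-4280. Everything below runs offline on constructed input.

// Minimum patched versions taken from the issue text. `fixed: null` means the
// issue names no fixed release, so any use of that package is flagged for
// manual review against an advisory source instead of being version-compared.
const ADVISORIES = {
  bower:  { cve: 'CVE-2019-5484',  fixed: '1.8.8' },
  morgan: { cve: 'CVE-2019-5413',  fixed: '1.9.1' },
  debug:  { cve: 'CVE-2017-16137', fixed: null },
};

// Parse "1.8.7" into [1, 8, 7]. Anything after the third numeric component
// (prerelease or build tags) is ignored for this comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Component-wise compare of two parsed versions: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// The lowest version an npm range can resolve to. Caret (^), tilde (~),
// ">=" and bare versions all have the literal version as their floor.
// Any other shape (wildcards, "||", "<", tags, git URLs) is treated as
// having no lower bound and returns null so the caller flags it.
function rangeFloor(range) {
  const m = /^\s*(?:\^|~|>=)?\s*(\d+\.\d+\.\d+)\s*$/.exec(range);
  return m ? parseVersion(m[1]) : null;
}

// Returns one finding per dependency (regular or dev) that may still
// resolve to a vulnerable release. `manifest` is a parsed package.json.
function auditManifest(manifest) {
  const findings = [];
  const deps = {
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {}),
  };
  for (const [name, range] of Object.entries(deps)) {
    const adv = ADVISORIES[name];
    if (!adv) continue;
    if (adv.fixed === null) {
      findings.push({ name, range, cve: adv.cve,
        reason: 'no fixed version on record; review manually' });
      continue;
    }
    const floor = rangeFloor(range);
    if (floor === null) {
      findings.push({ name, range, cve: adv.cve,
        reason: 'range has no lower bound' });
    } else if (compareVersions(floor, parseVersion(adv.fixed)) < 0) {
      findings.push({ name, range, cve: adv.cve,
        reason: `range floor is below fixed version ${adv.fixed}` });
    }
  }
  return findings;
}

// Constructed sample manifests: the state before the bump and after it.
const BEFORE = { dependencies: {
  bower: '^1.8.0', morgan: '~1.9.0', debug: '^2.6.0', express: '^4.16.0',
} };
const AFTER = { dependencies: {
  bower: '^1.8.8', morgan: '^1.9.1', express: '^4.16.0',
} };

console.log('before bump:', JSON.stringify(auditManifest(BEFORE), null, 2));
console.log('after bump:', JSON.stringify(auditManifest(AFTER)));
```

The floor-of-range approach is deliberately conservative: a caret range such as `^1.8.0` may well resolve to 1.8.8 or later on a fresh install, but it also permits 1.8.0 when a lock file pins it, so the check reports the range rather than whatever happens to be installed. Treating an unrecognised range as unbounded means exotic specifiers surface for review rather than silently passing.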



[jira] [Commented] (NETBEANS-4280) cleanup potential security breaches

2020-04-30 Thread Brad Walker (Jira)


[ https://issues.apache.org/jira/browse/NETBEANS-4280?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17096767#comment-17096767 ]

Brad Walker commented on NETBEANS-4280:
---

Hey @ebarboni, I really don't as this should be a pretty simple fix.

This is only a version bump and that's it. In addition, this is part of sample 
code. So the risk is pretty minimal.



