This is an automated email from the ASF dual-hosted git repository.

skygo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/netbeans.git


The following commit(s) were added to refs/heads/master by this push:
     new b2c3f01  [NETBEANS-4280] - cleanup potential security breaches
     new 0eff9c8  Merge pull request #2110 from BradWalker/cleanup_security_alerts
b2c3f01 is described below

commit b2c3f01001de5b648b9909b9e01245c17f92a2d7
Author: Brad Walker <bwal...@musings.com>
AuthorDate: Wed Apr 29 17:02:02 2020 -0600

    [NETBEANS-4280] - cleanup potential security breaches
    
    There are a few known security breaches in the sample source.
    
    Specifically the following alerts:
    
    CVE-2019-5484
    Bower before 1.8.8 has a path traversal vulnerability permitting file write
    in arbitrary locations via install command, which allows attackers to write
    arbitrary files when a malicious package is extracted.
    
    CVE-2019-5413
    An attacker can use the format parameter to inject arbitrary commands in
    the npm package morgan < 1.9.1.
    
    CVE-2017-16137
    The debug module is vulnerable to regular expression denial of service when
    untrusted user input is passed into the o formatter. It takes around 50k
    characters to block for 2 seconds, making this a low severity issue.
    
    I'm not saying these are critical. But it's better we fix them to prevent
    any possibility of using NetBeans IDE to allow someone to exploit this, as
    well as set the proper example.
---
 .../javascript.nodejs/samples_src/MessagesAngular/package.json      | 2 +-
 .../javascript.nodejs/samples_src/MessagesExpress/package.json      | 6 +++---
 .../javascript.nodejs/samples_src/MessagesKnockout/package.json     | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git 
a/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json 
b/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json
index ea851f1..877fc23 100644
--- a/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json
+++ b/webcommon/javascript.nodejs/samples_src/MessagesAngular/package.json
@@ -10,7 +10,7 @@
     "dependencies": {
         "express": "^4.10.1",
         "body-parser": "^1.4.3",
-        "bower": "~1.3.12"
+        "bower": "~1.8.8"
     },
     "devDependencies": {
         "gulp": "^3.8.10",
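Review bot: the new range `"bower": "~1.8.8"` only raises the floor; with the tilde, npm resolves whatever 1.8.x is published at install time, so the version a user of this sample actually gets is decided at resolution, not by this line. If the samples are meant to be reproducible, commit a package-lock.json next to package.json (or pin the exact version) so the resolved version is recorded, and rerun whatever produced the alerts in the commit message against the sample directory after the change to confirm it clears.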
diff --git 
a/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json 
b/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json
index 5664cdf..accbe7e 100644
--- a/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json
+++ b/webcommon/javascript.nodejs/samples_src/MessagesExpress/package.json
@@ -11,11 +11,11 @@
     "dependencies": {
         "body-parser": "~1.10.2",
         "cookie-parser": "~1.3.3",
-        "debug": "~2.1.1",
+        "debug": "~2.6.9",
         "express": "~4.11.1",
         "jade": "~1.9.1",
-        "morgan": "~1.5.1",
-        "bower" : "~1.3.12"
+        "morgan": "~1.9.1",
+        "bower" : "~1.8.8"
     },
     "devDependencies": {
         "grunt": "^0.4.5",
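Review bot: `"bower" : "~1.8.8"` keeps the stray space before the colon that the other keys in this block (`"debug": "~2.6.9"`, `"morgan": "~1.9.1"`) do not have; since the line is being rewritten anyway, normalize it to `"bower": "~1.8.8"`. On substance the floors match the commit message (morgan < 1.9.1 is the affected range, so `~1.9.1` excludes it), but `debug` is bumped while `express` stays at `~4.11.1` and `jade` at `~1.9.1` in the same block; the message should say whether those were checked against the same alert source and left alone deliberately.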
diff --git 
a/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json 
b/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json
index d407fb3..40bbc89 100644
--- a/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json
+++ b/webcommon/javascript.nodejs/samples_src/MessagesKnockout/package.json
@@ -6,7 +6,7 @@
     "dependencies": {
         "express": "^4.10.1",
         "body-parser": "^1.4.3",
-        "bower" : "~1.3.12"
+        "bower" : "~1.8.8"
     },
     "devDependencies": {
         "grunt": "^0.4.5",
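Review bot: this is the third copy of the same `"bower"` bump, with the same `"bower" : ` spacing inconsistency as the MessagesExpress sample; the three sample package.json files carry near-identical dependency blocks that are maintained by hand and drift independently, and all three still carried `~1.3.12` until this sweep. Worth a follow-up that runs a dependency audit over each directory under samples_src in CI, so the next advisory against a sample dependency is caught without a manual pass through every file.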

