[
https://issues.apache.org/jira/browse/YUNIKORN-3268?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Wilfred Spiegelenburg resolved YUNIKORN-3268.
---------------------------------------------
Fix Version/s: 1.9.0
Resolution: Fixed
The CVE list might have changed slightly after the removal of karma for the
tests, but all open dependabot issues have been remediated.
A clear slate, for as long as it lasts, for dependency-introduced CVEs, even in
development builds.
> WEB UI: Update dependencies for CVE fixes
> -----------------------------------------
>
> Key: YUNIKORN-3268
> URL: https://issues.apache.org/jira/browse/YUNIKORN-3268
> Project: Apache YuniKorn
> Issue Type: Improvement
> Components: security, webapp
> Reporter: Wilfred Spiegelenburg
> Assignee: Wilfred Spiegelenburg
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.9.0
>
>
> Another set of CVE upgrades that cannot be applied by dependabot:
> CVE-2026-41324: basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
> GHSA-458j-xx4x-4375: hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
> GHSA-r4q5-vmmm-2653: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
> GHSA-6v7q-wjvx-w8wg: basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
> CVE-2026-2950: lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
> CVE-2026-4800: lodash vulnerable to Code Injection via `_.template` imports key names
> CVE-2026-39983: basic-ftp has FTP Command Injection via CRLF
> CVE-2026-39410: Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
> GHSA-26pp-8wgv-hjvm: Hono missing validation of cookie name on write path in setCookie()
> CVE-2026-39409: Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
> CVE-2026-39407: Hono: Middleware bypass via repeated slashes in serveStatic
> CVE-2026-39408: Hono: Path traversal in toSSG() allows writing files outside the output directory
> CVE-2026-39406: @hono/node-server: Middleware bypass via repeated slashes in serveStatic
> CVE-2026-39365: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling
> CVE-2026-39363: Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket
> CVE-2026-39364: Vite: `server.fs.deny` bypassed with queries
> CVE-2026-4867: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
> CVE-2026-4926: path-to-regexp vulnerable to Denial of Service via sequential optional groups
> CVE-2026-4923: path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
> CVE-2026-33750: brace-expansion: Zero-step sequence causes process hang and memory exhaustion
> CVE-2026-33532: yaml is vulnerable to Stack Overflow via deeply nested YAML collections
> CVE-2026-33672: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
> CVE-2026-33671: Picomatch has a ReDoS vulnerability via extglob quantifiers
> CVE-2026-33228: Prototype Pollution via parse() in NodeJS flatted
> CVE-2026-33151: socket.io allows an unbounded number of binary attachments
> CVE-2026-32141: flatted vulnerable to unbounded recursion DoS in parse() revive phase
> CVE-2026-32635: Angular vulnerable to XSS in i18n attribute bindings
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
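The resolution above claims a "clear slate" for dependency-introduced CVEs, including in development builds. A practitioner maintaining such a web UI wants a repeatable check for that claim rather than a one-off reading of the dependabot tab. The script below is an added example and is not YuniKorn project code: it consumes the JSON that `npm audit --json` prints (auditReportVersion 2, where each package's `via` array holds either advisory objects with a GitHub advisory `url` or plain strings naming the dependency the problem is inherited from), reports every advisory that is still open, and marks the ones whose GHSA identifiers appear in this ticket. npm's report does not carry CVE numbers, so only the four GHSA entries from the ticket are matched by identifier; the CVE-numbered entries are still listed as open advisories when present, just without the ticket tag. The embedded audit report is constructed for the demonstration and is not a real audit of the YuniKorn web UI; the severity and `source` values in it are placeholders.

```javascript
'use strict';
// Added example (not YuniKorn code): check an `npm audit --json` report for
// open advisories and flag those tracked in YUNIKORN-3268.
// Demo mode runs on the constructed sample below.  For a real check:
//   npm audit --json | node check-audit.js --stdin
// Do not pass --omit=dev to npm audit: the ticket covers development builds too.

// GHSA identifiers quoted in the ticket (lowercased for comparison).
// npm links each advisory by its github.com/advisories URL, so GHSA ids are
// the only identifiers that can be matched; npm does not emit CVE numbers.
const TICKET_GHSA_IDS = new Set([
  'ghsa-458j-xx4x-4375', // hono/jsx SSR HTML injection
  'ghsa-r4q5-vmmm-2653', // follow-redirects auth header leak on redirect
  'ghsa-6v7q-wjvx-w8wg', // basic-ftp CRLF injection via credentials / MKD
  'ghsa-26pp-8wgv-hjvm', // hono setCookie() cookie name not validated
]);

// Extract the GHSA id from an advisory URL such as
// https://github.com/advisories/GHSA-r4q5-vmmm-2653; null if none.
function ghsaIdFromUrl(url) {
  const m = /GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}/i.exec(url || '');
  return m ? m[0] : null;
}

// Walk a v2 audit report.  `vulnerabilities` is keyed by package name; each
// `via` element is an advisory object, or a string when the package merely
// depends on another vulnerable package (counted once, at its source).
function summarizeAudit(report) {
  const open = [];
  for (const [pkg, entry] of Object.entries(report.vulnerabilities || {})) {
    for (const via of entry.via || []) {
      if (typeof via !== 'object' || via === null) continue; // inherited pointer
      const ghsa = ghsaIdFromUrl(via.url);
      open.push({
        package: pkg,
        ghsa,
        title: via.title || '(untitled advisory)',
        severity: via.severity || entry.severity,
        fromTicket: ghsa !== null && TICKET_GHSA_IDS.has(ghsa.toLowerCase()),
        // npm sets fixAvailable to true, false, or an object describing a
        // semver-major fix; anything but false means `npm audit fix` can act.
        fixAvailable: entry.fixAvailable !== false,
      });
    }
  }
  return { clean: open.length === 0, open };
}

function formatReport(summary) {
  if (summary.clean) return 'npm audit: no open advisories';
  return summary.open
    .map((v) => `${v.fromTicket ? '[YUNIKORN-3268]' : '[untracked]'} ` +
      `${v.package} (${v.severity}): ${v.ghsa || 'no GHSA id'} ${v.title}` +
      (v.fixAvailable ? '' : ' -- no fix available'))
    .join('\n');
}

// Constructed sample in npm's auditReportVersion 2 shape (not a real audit):
// one ticket advisory still open in a transitive dependency, inherited by a
// direct dependency whose `via` is a string and so must not be double counted.
const SAMPLE_REPORT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'follow-redirects': {
      name: 'follow-redirects', severity: 'moderate', isDirect: false,
      via: [{
        source: 0, // placeholder for npm's internal advisory id
        name: 'follow-redirects', dependency: 'follow-redirects',
        title: 'follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets',
        url: 'https://github.com/advisories/GHSA-r4q5-vmmm-2653',
        severity: 'moderate',
      }],
      effects: ['axios'], nodes: ['node_modules/follow-redirects'], fixAvailable: true,
    },
    axios: {
      name: 'axios', severity: 'moderate', isDirect: true,
      via: ['follow-redirects'], effects: [], nodes: ['node_modules/axios'], fixAvailable: true,
    },
  },
};

const useStdin = process.argv.includes('--stdin');
const summary = summarizeAudit(
  useStdin ? JSON.parse(require('fs').readFileSync(0, 'utf8')) : SAMPLE_REPORT,
);
console.log(formatReport(summary));
// Only a real report drives the exit code, so a CI step fails while any
// advisory is open; the demo run always exits 0.
if (useStdin) process.exitCode = summary.clean ? 0 : 1;
```

Because `npm audit` reports the whole dependency tree including devDependencies, running this after a dependency bump reproduces the "clear slate" check the ticket describes; a non-empty result after `npm audit fix` usually means the vulnerable package is transitive and pinned by an intermediate dependency, which is the situation the ticket notes dependabot cannot resolve on its own.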