Skip to content

Vulnerability - Upgrade bl to v2.2.1#1432

Open
sergiopereirain wants to merge 1 commit intoSOHU-Co:masterfrom
sergiopereirain:patch-2
Open

Vulnerability - Upgrade bl to v2.2.1#1432
sergiopereirain wants to merge 1 commit intoSOHU-Co:masterfrom
sergiopereirain:patch-2

Conversation

@sergiopereirain
Copy link
Copy Markdown

@sergiopereirain sergiopereirain commented Oct 15, 2020

There was a vulnerability fixed in bl@2.2.1. It was also fixed in 3.0.1 and 4.0.3 but just bumping from 2.2.0 to 2.2.1 seems less risky here.

Affected versions of this package are vulnerable to Remote Memory Exposure. If user input ends up in consume() argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.

@sergiopereirain
Update package.json
6c46a87 
There was a vulnerability fixed in `bl@2.2.1`. It was also fixed in `3.0.1` and `4.0.3` but just bumping from `2.2.0` to `2.2.1` seems less risky here.
> Affected versions of this package are vulnerable to Remote Memory Exposure. If user input ends up in consume() argument and can become negative, BufferList state can be corrupted, tricking it into exposing uninitialized memory via regular .slice() calls.
@sergiopereirain sergiopereirain changed the title Update package.json Vulnerability - Upgrade bl to v2.2.1 Oct 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@sergiopereirain