Skip to content

Release 2.0.0

Release 2.0.0 #35

GitHub Actions / node-red:3.0.2-main-linux-arm64 scan results succeeded Jan 18, 2024 in 0s

7 fail in 0s

1 files  ±0  4 suites  ±0   0s ⏱️ ±0s
7 tests ±0  0 ✅ ±0  0 💤 ±0  7 ❌ ±0 
8 runs  ±0  0 ✅ ±0  0 💤 ±0  8 ❌ ±0 

Results for commit ee51b54. ± Comparison against earlier commit defcf43.

Annotations

Check warning on line 0 in libcrypto3-3.1.4-r3

See this annotation in the file changed.

@github-actions github-actions / node-red:3.0.2-main-linux-arm64 scan results

[MEDIUM] CVE-2023-6237 (libcrypto3-3.1.4-r3) failed

trivy-junit-results.xml
Raw output
openssl: Excessive time spent checking invalid RSA public keys
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

Check warning on line 0 in libssl3-3.1.4-r3

See this annotation in the file changed.

@github-actions github-actions / node-red:3.0.2-main-linux-arm64 scan results

[MEDIUM] CVE-2023-6237 (libssl3-3.1.4-r3) failed

trivy-junit-results.xml
Raw output
openssl: Excessive time spent checking invalid RSA public keys
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

Check warning on line 0 in openssl-3.1.4-r3

See this annotation in the file changed.

@github-actions github-actions / node-red:3.0.2-main-linux-arm64 scan results

[MEDIUM] CVE-2023-6237 (openssl-3.1.4-r3) failed

trivy-junit-results.xml
Raw output
openssl: Excessive time spent checking invalid RSA public keys
A flaw was found in OpenSSL. When the EVP_PKEY_public_check() function is called in RSA public keys, a computation is done to confirm that the RSA modulus, n, is composite. For valid RSA keys, n is a product of two or more large primes and this computation completes quickly. However, if n is a large prime, this computation takes a long time. An application that calls EVP_PKEY_public_check() and supplies an RSA key obtained from an untrusted source could be vulnerable to a Denial of Service attack.

Check warning on line 0 in moment-timezone-0.5.34

See this annotation in the file changed.

@github-actions github-actions / node-red:3.0.2-main-linux-arm64 scan results

[MEDIUM] GHSA-v78c-4p63-2j6c (moment-timezone-0.5.34) failed

trivy-junit-results.xml
Raw output
Cleartext Transmission of Sensitive Information in moment-timezone
### Impact

* if Alice uses `grunt data` (or `grunt release`) to prepare a custom-build, moment-timezone with the latest tzdata from IANA's website
* and Mallory intercepts the request to IANA's unencrypted ftp server, Mallory can serve data which might exploit further stages of the moment-timezone tzdata pipeline, or potentially produce a tainted version of moment-timezone (practicality of such attacks is not proved)

### Patches
Problem has been patched in version 0.5.35, patch should be applicable with minor modifications to all affected versions. The patch includes changing the FTP endpoint with an HTTPS endpoint.

### Workarounds
Specify the exact version of tzdata (like `2014d`, full command being `grunt data:2014d`, then run the rest of the release tasks by hand), or just apply the patch before issuing the grunt command.

Check warning on line 0 in semver-7.3.7

See this annotation in the file changed.

@github-actions github-actions / node-red:3.0.2-main-linux-arm64 scan results

All 2 runs failed: [MEDIUM] CVE-2022-25883 (semver-7.3.7)

trivy-junit-results.xml
Raw output
nodejs-semver: Regular expression denial of service
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Check warning on line 0 in tough-cookie-4.0.0

See this annotation in the file changed.

@github-actions github-actions / node-red:3.0.2-main-linux-arm64 scan results

[MEDIUM] CVE-2023-26136 (tough-cookie-4.0.0) failed

trivy-junit-results.xml
Raw output
tough-cookie: prototype pollution in cookie memstore
Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Check warning on line 0 in xml2js-0.4.23

See this annotation in the file changed.

@github-actions github-actions / node-red:3.0.2-main-linux-arm64 scan results

[MEDIUM] CVE-2023-0842 (xml2js-0.4.23) failed

trivy-junit-results.xml
Raw output
node-xml2js: xml2js is vulnerable to prototype pollution
xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited.