
[CVE] Resolve jpeg-js to 0.4.4 #1753

Merged
merged 1 commit into from
Jun 16, 2022

Conversation

kavilla
Member

@kavilla kavilla commented Jun 16, 2022

Description

Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Signed-off-by: Kawika Avilla kavilla414@gmail.com

Issues Resolved

#1725

Check List

  • New functionality includes testing.
    • All tests pass
      • yarn test:jest
      • yarn test:jest_integration
      • yarn test:ftr
  • New functionality has been documented.
  • Commits are signed per the DCO using --signoff

Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
opensearch-project#1725

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
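Added example, not code from the PR or from OpenSearch Dashboards: assuming, as the title suggests, that the pin is applied through yarn's `resolutions` field, this script parses a yarn.lock (v1 format) and reports any jpeg-js entry still older than the fixed 0.4.4 release, so the pin can be verified rather than trusted. Both lockfile excerpts are constructed for illustration.

```javascript
// Added example, not code from the PR or from OpenSearch Dashboards.
// Checks that a yarn "resolutions" pin really took effect by parsing yarn.lock
// (v1 format) and flagging any jpeg-js entry still below the fixed release.
// Both lockfile excerpts below are constructed for illustration.

const BEFORE_LOCK = `
# yarn lockfile v1
jpeg-js@^0.4.0, jpeg-js@^0.4.1:
  version "0.4.3"
`;

// After "resolutions": { "jpeg-js": "0.4.4" } yarn collapses every range onto one entry.
const AFTER_LOCK = `
# yarn lockfile v1
jpeg-js@0.4.4, jpeg-js@^0.4.0, jpeg-js@^0.4.1:
  version "0.4.4"
`;

// Collect the locked version of every entry whose specifier list names `pkg`.
function lockedVersions(lockText, pkg) {
  const versions = [];
  let inEntry = false;
  for (const line of lockText.split('\n')) {
    if (/^[^\s#]/.test(line)) {
      // Entry header: comma-separated "name@range" specifiers, optionally quoted, ending in ':'
      const specs = line.replace(/:\s*$/, '').split(', ').map(s => s.replace(/^"|"$/g, ''));
      inEntry = specs.some(s => s.startsWith(pkg + '@'));
    } else if (inEntry) {
      const m = line.match(/^\s+version "([^"]+)"/);
      if (m) { versions.push(m[1]); inEntry = false; }
    }
  }
  return versions;
}

// Numeric major.minor.patch comparison; enough for release versions such as 0.4.3 vs 0.4.10.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Versions of `pkg` in the lockfile that are still older than `fixed` (empty array = pin took effect).
function vulnerableVersions(lockText, pkg, fixed) {
  return lockedVersions(lockText, pkg).filter(v => cmpVersion(v, fixed) < 0);
}
```

Run `vulnerableVersions(require('fs').readFileSync('yarn.lock', 'utf8'), 'jpeg-js', '0.4.4')` against a real lockfile; a non-empty result means a range still resolves to a vulnerable release.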
@kavilla kavilla requested a review from a team as a code owner June 16, 2022 06:41
@kavilla kavilla added high severity High severity CVE cve Security vulnerabilities detected by Dependabot or Mend backport 2.x v2.1.0 labels Jun 16, 2022
@kavilla
Member Author

kavilla commented Jun 16, 2022

This could be backported to 2.0.

@kavilla kavilla linked an issue Jun 16, 2022 that may be closed by this pull request
Member

@joshuarrrr joshuarrrr left a comment


LGTM

@tmarkley
Contributor

This could be backported to 2.0.

Yeah I'm not sure if we'll be doing another patch release to 2.0 but it wouldn't hurt to get it there.

@kavilla
Member Author

kavilla commented Jun 16, 2022

This could be backported to 2.0.

Yeah I'm not sure if we'll be doing another patch release to 2.0 but it wouldn't hurt to get it there.

Gotcha. I will add it if there is a bump in the patch version.

@kavilla kavilla merged commit 2a159e8 into opensearch-project:main Jun 16, 2022
@kavilla kavilla deleted the avillk/lock_jpeg_js branch June 16, 2022 19:37
opensearch-trigger-bot bot pushed a commit that referenced this pull request Jun 16, 2022
Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
#1725

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 2a159e8)
ananzh pushed a commit that referenced this pull request Jun 17, 2022
Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
#1725

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 2a159e8)

Co-authored-by: Kawika Avilla <kavilla414@gmail.com>
cliu123 pushed a commit to cliu123/OpenSearch-Dashboards that referenced this pull request Jun 30, 2022
…h-project#1757)

Addresses Denial of Service (DoS) issue where a particular piece of input
will cause it to enter an infinite loop and never return.

CVE: https://vuln.whitesourcesoftware.com/vulnerability/CVE-2022-25851

Issue Resolved:
opensearch-project#1725

Signed-off-by: Kawika Avilla <kavilla414@gmail.com>
(cherry picked from commit 2a159e8)

Co-authored-by: Kawika Avilla <kavilla414@gmail.com>
ananzh added a commit to ananzh/OpenSearch-Dashboards that referenced this pull request Mar 30, 2023
Issue Resolve
opensearch-project#1725

Backport PR
opensearch-project#1753

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
joshuarrrr added a commit that referenced this pull request Apr 17, 2023
Issue Resolve
#1725

Backport PR
#1753

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
opensearch-trigger-bot bot pushed a commit that referenced this pull request Apr 17, 2023
Issue Resolve
#1725

Backport PR
#1753

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 637d545)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md
abbyhu2000 pushed a commit that referenced this pull request Apr 17, 2023
Issue Resolve
#1725

Backport PR
#1753

Signed-off-by: Anan Zhuang <ananzh@amazon.com>
Co-authored-by: Josh Romero <rmerqg@amazon.com>
(cherry picked from commit 637d545)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

# Conflicts:
#	CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Labels
backport 2.x cve Security vulnerabilities detected by Dependabot or Mend high severity High severity CVE v2.1.0
Development

Successfully merging this pull request may close these issues.

CVE-2022-25851 (High) detected in jpeg-js-0.4.3.tgz
3 participants