Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request dependency <=2.68 opens to potential memory exposure vulnerability #2336

Closed
evilaliv3 opened this issue Jul 29, 2016 · 1 comment
Closed

Request dependency <=2.68 opens to potential memory exposure vulnerability #2336

evilaliv3 opened this issue Jul 29, 2016 · 1 comment

Comments

@evilaliv3
Copy link

Do you want to request a feature or report a bug?
This ticket is to report a a potential security vulnerability caused by the request dependency.

What is the current behavior?
Various of the dependencies used by bower make use of a vulnerable version of the request package (<2.68) that allow potential memory exposure.

Involved dependencies are: registry-client, request-replay

details:
evilaliv3 added a commit to evilaliv3/bower that referenced this issue Jul 29, 2016
@evilaliv3
Partially address ticket bower#2336
5a348e0 
The commit bump the direct dependency request to version 2.74.0

In order for the fix to be complete the node-request-reply will have to be
updated as well as soon that IndigoUnited/node-request-replay#7
will be merged and a new package will be released.
@evilaliv3 evilaliv3 mentioned this issue Jul 29, 2016
Closed
@evilaliv3
Copy link
Author

evilaliv3 commented Aug 6, 2016
edited

could someone review this ticket?

request-replay has been patched already.
now we miss only to fix registry-client.

sheerun added a commit that referenced this issue Mar 28, 2018
@sheerun
Update request version in bower-registry-client #2336
1e2c27f
sheerun added a commit that referenced this issue Mar 28, 2018
@sheerun
Update request version in bower-registry-client #2336
b62faa1
sheerun added a commit that referenced this issue Mar 28, 2018
@sheerun
Revert "Update request version in bower-registry-client #2336"
d6a18ae 
This reverts commit 1e2c27f.
@sheerun sheerun closed this as completed Apr 27, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@evilaliv3 @sheerun