
Update 7.2.3 to 7.4.6 #1634

Closed
wants to merge 1 commit into from

Conversation

fredriksvantes

ws 7.2.3 is vulnerable to Regular Expression Denial of Service (ReDoS). A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. The vulnerability has been fixed in ws@7.4.6 (websockets/ws@00c425e).
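A practical follow-up to a report like this is checking whether any copy of `ws` below the fixed release is still present in a project's lockfile, including copies nested under other dependencies. The script below is an added example written for this page, not code from the ethers.js repository or from the ws project. It assumes the npm `package-lock.json` layout (lockfileVersion 1 `dependencies` tree, or lockfileVersion 2/3 `packages` map keyed by install path); the sample lockfile, the `some-lib` dependency and its version numbers are constructed for illustration, and only the `7.2.3` / `7.4.6` versions come from the PR.

```javascript
// Added example (not part of the ethers.js PR): list every copy of `ws` in a
// package-lock.json whose version is below the release named as carrying the
// ReDoS fix (7.4.6). Handles both the v1 nested tree and the v2/v3 path map.

const FIXED_WS_VERSION = '7.4.6'; // version named in the PR as fixed

// Parse "MAJOR.MINOR.PATCH" into three numbers; a prerelease/build suffix is
// ignored, which is sufficient for comparing released ws versions.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison: negative if a < b, zero if equal, positive if a > b
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every `ws` entry in the lockfile as { path, version }
function collectWsEntries(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/ws" or "node_modules/x/node_modules/ws"
    for (const [path, info] of Object.entries(lock.packages)) {
      if (path === 'node_modules/ws' || path.endsWith('/node_modules/ws')) {
        found.push({ path, version: info.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: nested "dependencies" objects
    const walk = (deps, prefix) => {
      for (const [name, info] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === 'ws') found.push({ path, version: info.version });
        if (info.dependencies) walk(info.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Return only the ws copies older than the fixed version
function findVulnerableWs(lock, fixed = FIXED_WS_VERSION) {
  return collectWsEntries(lock).filter((e) => compareVersions(e.version, fixed) < 0);
}

// Constructed sample lockfile (not a real ethers.js lockfile): a patched
// top-level ws plus a vulnerable copy nested under a hypothetical dependency.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/ws': { version: '7.4.6' },
    'node_modules/some-lib': { version: '0.1.0' },
    'node_modules/some-lib/node_modules/ws': { version: '7.2.3' },
  },
};

for (const hit of findVulnerableWs(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ws ${hit.version} is below ${FIXED_WS_VERSION} (ReDoS via Sec-WebSocket-Protocol)`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Nested copies matter here: a top-level `ws` at 7.4.6 does not help if a dependency such as ethers.js pins its own older copy under its `node_modules`, which is exactly the situation this PR addresses.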
@ricmoo ricmoo added the on-deck This Enhancement or Bug is currently being worked on. label May 31, 2021
@ricmoo ricmoo added the fixed/complete This Bug is fixed or Enhancement is complete and published. label Jun 1, 2021
@ricmoo
Member

ricmoo commented Jun 1, 2021

Fixed in 5.3.0.

Thanks! :)

@ricmoo ricmoo closed this Jun 1, 2021
fredriksvantes added a commit to fredriksvantes/prysm-web-ui that referenced this pull request Jun 1, 2021
ethers.js before 5.3.0 is using ws 7.2.3. This version of ws is vulnerable to Regular Expression Denial of Service (ReDoS). A specially crafted value of the Sec-Websocket-Protocol header can be used to significantly slow down a ws server. ethers.js 5.3.0 has been updated to use a version of ws that is not vulnerable to this.

ethers-io/ethers.js#1634
websockets/ws@00c425e
pull bot pushed a commit to shapeshift/ethers.js that referenced this pull request Jun 4, 2021
@ricmoo ricmoo removed the on-deck This Enhancement or Bug is currently being worked on. label Jul 30, 2021
Labels
fixed/complete This Bug is fixed or Enhancement is complete and published.
2 participants