Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency nodemailer to v6.9.9 [security] #584

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(deps): update dependency nodemailer to v6.9.9 [security] #584

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Feb 1, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
nodemailer (source) 6.9.4 -> 6.9.9 age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-9h6g-pr28-7cqp

Summary

A ReDoS vulnerability occurs when nodemailer tries to parse img files with the parameter attachDataUrls set, causing the stuck of event loop.
Another flaw was found when nodemailer tries to parse an attachments with a embedded file, causing the stuck of event loop.

Details

Regex: /^data:((?:[^;];)(?:[^,])),(.)$/

Path: compile -> getAttachments -> _processDataUrl

Regex: /(<img\b[^>]* src\s*=[\s"']*)(data:([^;]+);[^"'>\s]+)/

Path: _convertDataImages

PoC

https://gist.github.com/francoatmega/890dd5053375333e40c6fdbcc8c58df6
https://gist.github.com/francoatmega/9aab042b0b24968d7b7039818e8b2698

Impact

ReDoS causes the event loop to stuck a specially crafted evil email can cause this problem.

Release Notes

nodemailer/nodemailer (nodemailer)

v6.9.9

Compare Source

Bug Fixes
  • security: Fix issues described in GHSA-9h6g-pr28-7cqp. Do not use eternal matching pattern if only a few occurences are expected (dd8f5e8)
  • tests: Use native node test runner, added code coverage support, removed grunt (#​1604) (be45c1b)

v6.9.8

Compare Source

Bug Fixes
  • punycode: do not use native punycode module (b4d0e0c)

v6.9.7

Compare Source

Bug Fixes
  • customAuth: Do not require user and pass to be set for custom authentication schemes (fixes #​1584) (41d482c)

v6.9.6

Compare Source

Bug Fixes
  • inline: Use 'inline' as the default Content Dispostion value for embedded images (db32c93)
  • tests: Removed Node v12 from test matrix as it is not compatible with the test framework anymore (7fe0a60)

v6.9.5

Compare Source

Bug Fixes
  • license: Updated license year (da4744e)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the 📦 package label Feb 1, 2024
@vercel Vercel
Copy link

vercel bot commented Feb 1, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
chirpy ✅ Ready (Inspect) Visit Preview 💬 Add feedback Oct 30, 2024 6:12am

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Feb 1, 2024
edited
Loading

⚠️ No Changeset found

Latest commit: abb643a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 70a4c15 to 8c27d96 Compare March 4, 2024 06:31
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 8c27d96 to 5360743 Compare October 15, 2024 12:37
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 5360743 to 0512024 Compare October 20, 2024 02:39
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from 0512024 to b398c4e Compare October 24, 2024 07:51
@renovate renovate bot force-pushed the renovate/npm-nodemailer-vulnerability branch from b398c4e to abb643a Compare October 30, 2024 06:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
📦 package
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants