RHIDP-5852 fix security issues #907
Merged: themr0c merged 3 commits into redhat-developer:release-1.4 from themr0c:RHIDP-5852-fix-security-issues-for-release-1.4 on Feb 6, 2025
6 changes: 0 additions & 6 deletions
modules/release-notes/list-fixed-security-issues-in-product-1.3.0.txt
This file was deleted.
8 changes: 8 additions & 0 deletions
modules/release-notes/list-fixed-security-issues-in-product-1.4.0.txt
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,8 @@ | ||
| CVE-2024-21536 | ||
| CVE-2024-21538 | ||
| CVE-2024-45296 | ||
| CVE-2024-45590 | ||
| CVE-2024-45815 | ||
| CVE-2024-45816 | ||
| CVE-2024-46976 | ||
| CVE-2024-47762 | ||
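Review bot: this list repeats the eight CVE IDs that the new snip-fixed-security-issues-in-product-1.4.0.adoc in this PR describes, and the two sets agree here, but nothing in the diff ties the two files together; since the 1.3.0 pair was deleted rather than edited, a sentence in the PR description (or a build-time check) on how the .txt list and the .adoc snippet are kept in step would help the next release update avoid one file being changed without the other.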
26 changes: 0 additions & 26 deletions
modules/release-notes/list-fixed-security-issues-in-rpm-1.3.0.txt
This file was deleted.
Empty file.
19 changes: 0 additions & 19 deletions
modules/release-notes/snip-fixed-security-issues-in-product-1.3.0.adoc
This file was deleted.
25 changes: 25 additions & 0 deletions
modules/release-notes/snip-fixed-security-issues-in-product-1.4.0.adoc
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| = {product} dependency updates | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-21536[CVE-2024-21536]:: | ||
| A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain paths. | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-21538[CVE-2024-21538]:: | ||
| A Regular Expression Denial of Service (ReDoS) vulnerability was found in the cross-spawn package for Node.js. Due to improper input sanitization, an attacker can increase CPU usage and crash the program with a large, specially crafted string. | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-45296[CVE-2024-45296]:: | ||
| A flaw was found in path-to-regexp package, where it turns path strings into regular expressions. In certain cases, path-to-regexp will output a regular expression that can be exploited to cause poor performance. Because JavaScript is single-threaded and regex matching runs on the main thread, poor performance will block the event loop and lead to a denial of service (DoS). | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-45590[CVE-2024-45590]:: | ||
| A flaw was found in body-parser. This vulnerability causes denial of service via a specially crafted payload when the URL encoding is enabled. | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-45815[CVE-2024-45815]:: | ||
| A flaw was found in the backstage/plugin-catalog-backend package. A malicious actor with authenticated access to a Backstage instance with the catalog backend plugin installed is able to interrupt the service using a specially crafted query to the catalog API. | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-45816[CVE-2024-45816]:: | ||
| A directory traversal vulnerability was found in the backstage/plugin-techdocs-backend package. When using the AWS S3 or GCS storage provider for TechDocs, it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks in Backstage. | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-46976[CVE-2024-46976]:: | ||
| A flaw was found in the backstage/plugin-techdocs-backend package. An attacker with control of the contents of the TechDocs storage buckets may be able to inject executable scripts in the TechDocs content that will be executed in the victim's browser when browsing documentation or navigating to an attacker provided link. | ||
|
|
||
| link:https://access.redhat.com/security/cve/CVE-2024-47762[CVE-2024-47762]:: | ||
| A flaw was found in the backstage/plugin-app-backend package. Configurations supplied through APP_CONFIG_* environment variables unexpectedly ignore the visibility defined in the configuration schema, potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. |
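Review bot: two entries are worded out of step with the rest: the CVE-2024-45296 entry says "A flaw was found in path-to-regexp package" where the neighbouring entries write "the http-proxy-middleware package" and "the cross-spawn package", so it should read "the path-to-regexp package"; and the CVE-2024-45590 entry's "when the URL encoding is enabled" reads better as "when URL encoding is enabled". Otherwise the eight entries match the IDs in list-fixed-security-issues-in-product-1.4.0.txt in the same order, and each links to its access.redhat.com CVE page.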
92 changes: 0 additions & 92 deletions
modules/release-notes/snip-fixed-security-issues-in-rpm-1.3.0.adoc
This file was deleted.
1 change: 1 addition & 0 deletions
modules/release-notes/snip-fixed-security-issues-in-rpm-1.4.0.adoc
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| = RHEL 9 platform RPM updates |
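Review bot: this snippet adds only the heading "= RHEL 9 platform RPM updates" with no entries beneath it, so the rendered release notes would show a heading with nothing under it; the 92-line 1.3.0 RPM snippet deleted in this PR shows what a populated version looks like. Either add the RPM CVE entries that apply to 1.4.0 or leave this snippet out until there are some to list.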