Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: update gjson for security problem #775

Merged
merged 1 commit into from
Mar 8, 2022

Conversation

sysulq
Copy link
Contributor

@sysulq sysulq commented Jan 29, 2022

What is the purpose of the change

Remediation
Upgrade github.com/tidwall/gjson to version 1.9.3 or later. For example:

require github.com/tidwall/gjson v1.9.3
Always verify the validity and compatibility of suggestions with your codebase.

Details
CVE-2021-42836
High severity
Vulnerable versions: < 1.9.3
Patched version: 1.9.3
GJSON before 1.9.3 allows a ReDoS (regular expression denial of service) attack.

Brief changelog

Verifying this change

Follow this checklist to help us incorporate your contribution quickly and easily. Notice, it would be helpful if you could finish the following 5 checklist(the last one is not necessary)before request the community to review your PR.

  • Make sure there is a Github issue filed for the change (usually before you start working on it). Trivial changes like typos do not require a Github issue. Your pull request should address just this issue, without pulling in other changes - one PR resolves one issue.
  • Format the pull request title like [ISSUE #123] Fix UnknownException when host config not exist. Each commit in the pull request should have a meaningful subject line and body.
  • Write a pull request description that is detailed enough to understand what the pull request does, how, and why.
  • Write necessary unit-test(over 80% coverage) to verify your logic correction, more mock a little better when a cross-module dependency exists.
  • If this contribution is large, please file an Apache Individual Contributor License Agreement.

@UnderTreeTech
Copy link
Contributor

@ShannonDing Could you merge this PR? It's just a security fix.

@duhenglucky duhenglucky merged commit bcd6e49 into apache:master Mar 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants