search

BiancoRoyal / node-red-contrib-iiot-opcua

deprecated - very new developed by PLUS for Node-RED - https://plus4nodered.com
https://www.npmjs.com/package/node-red-contrib-iiot-opcua
BSD 3-Clause "New" or "Revised" License
34 stars 8 forks source link

chore(deps): bump node-opcua from 2.64.1 to 2.74.0 #194

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 2 years ago

Bumps node-opcua from 2.64.1 to 2.74.0.

Release notes

Sourced from node-opcua's releases.

v2.74.0

This important release fixes 3 CVEs that have been recently discovered.

*We strongly encourage you to upgrade your existing node-opcua to version 2.74.0 or greater and to contact Sterfive for support.

Only Sterfive's customers or members of the NodeOPCUA Subscription Membership are entitled to receive professional advice & support. You can apply online at https://support.sterfive.com .

:bangbang: vulnerabilities fixes

CVE-2022-21208
  • The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
CVE-2022-25231
  • The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.
CVE-2022-24375
  • The package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

:bug: bug fixes:

  • [902b288aae91ef465d960039e353259a926711b1] server now returns ServiceFault response in case of error, instead of the corresponding Response of the Request command.
  • [3fd46ec156e7718a506be41f3916310b6bdd0407] server: fix Subscription.modify that may cause server to crash;

©️ copyright update

  • node-opcua@2.74.0 is now copyrighted by Sterfive SAS. [902b288aae91ef465d960039e353259a926711b1]

please make sure to comply with the MIT license and includes the attributions to Sterfive SAS for NodeOPCUA in the documentation that accompanies your application.

Copyright (c) 2022  Sterfive SAS - 833264583 RCS ORLEANS - France (https://www.sterfive.com)
Copyright (c) 2014-2022 Etienne Rossignon

👬 contributors

v2.73.0

... (truncated)

Commits


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/BiancoRoyal/node-red-contrib-iiot-opcua/network/alerts).
dependabot[bot] commented 1 year ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.