dependabot-preview[bot]
commented
5 years ago Superseded by #38.
Closed dependabot-preview[bot] closed 5 years ago
dependabot-preview[bot]
commented
5 years ago Superseded by #38.
Bumps sshpk from 1.13.1 to 1.15.2. This update includes security fixes.
Vulnerabilities fixed
*Sourced from The GitHub Security Advisory Database.* > **Moderate severity vulnerability that affects sshpk** > The sshpk NPM package is vulnerable to ReDoS when parsing crafted invalid public keys. > > Affected versions: < 1.13.2 *Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/fc393f9f-282f-4bc9-953b-d7e4b48352e9).* > **CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')** > The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended. > > Affected versions: <1.14.1 *Sourced from [The Node Security Working Group](https://github.com/nodejs/security-wg/blob/master/vuln/npm/401.json).* > **Denial of Service** > `sshpk` is vulnerable to ReDoS when parsing crafted invalid public keys > > Affected versions: <=1.13.1Release notes
*Sourced from [sshpk's releases](https://github.com/joyent/node-sshpk/releases).* > ## v1.14.1 > * Remove all remaining usage of jodid25519 (abandoned dep) > * Add support for DNSSEC key format > * Add support for Ed25519 keys in PEM format (according to draft-curdle-pkix) > * Fixes for X.509 encoding issues (asn.1 NULLs in RSA certs, cert string type mangling) > * Performance issues parsing long SSH public keysCommits
- [`c7a6c68`](https://github.com/joyent/node-sshpk/commit/c7a6c6833370f69322c47e73e9f4cfdedaf4e8f4) joyent/node-sshpk#58 des-ede3-cbc encrypted keys broken - [`2ab4f2a`](https://github.com/joyent/node-sshpk/commit/2ab4f2a018766559252f2c3426a3735f0860ac0d) joyent/node-sshpk#56 md5 fingerprints not quite right - [`026ef47`](https://github.com/joyent/node-sshpk/commit/026ef4764a55648dd15f45f7f14ff9da5d1fe2ad) joyent/node-sshpk#53 stop using optional deps to fix webpack - [`53e23fe`](https://github.com/joyent/node-sshpk/commit/53e23feff41226826b45293bc4a9fc45f2e44afe) joyent/node-sshpk#50 Support PKCS#5 AES-256-CBC encrypted private keys - [`6b68d49`](https://github.com/joyent/node-sshpk/commit/6b68d49abc7876d81cfa2f3947024f4a84c21a94) joyent/node-sshpk#54 want API for accessing x509 extensions - [`1088992`](https://github.com/joyent/node-sshpk/commit/10889924a536c3e3a839c00a31727d60f6d55756) joyent/node-sshpk#52 Buffer no longer performs length check for hex strings i... - [`6ec6f9d`](https://github.com/joyent/node-sshpk/commit/6ec6f9db719dabcfaf1771dffcaff8aa56077b88) joyent/node-sshpk#38 want support for more obscure DN OIDs - [`1cc4c99`](https://github.com/joyent/node-sshpk/commit/1cc4c99dc6ebeb4c6be46fa56e3ec70086f19c49) joyent/node-sshpk#51 package.json repository does not point to Joyent - [`175758a`](https://github.com/joyent/node-sshpk/commit/175758a9473523409339e6c519c470c808ca03de) joyent/node-sshpk#46 Use Buffer.(from|alloc) instead of deprecated Buffer API - [`6edb37c`](https://github.com/joyent/node-sshpk/commit/6edb37cb986b7ddaf0d346440d37287cc059bfee) Release 1.14.0 - Additional commits viewable in [compare view](https://github.com/joyent/node-sshpk/compare/v1.13.1...v1.15.2)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Automerge options (never/patch/minor, and dev/runtime dependencies) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) Finally, you can contact us by mentioning @dependabot.