Meteor-Community-Packages / meteor-roles

Authorization package for Meteor, compatible with built-in accounts packages
http://meteor-community-packages.github.io/meteor-roles/
MIT License

Update allow-deny@1.0.5 to 1.0.9 #252

Closed ArthurGerbelot closed 4 years ago

ArthurGerbelot commented 6 years ago

Following the Meteor Allow-Deny Vulnerability Disclosure, the dependency on allow-deny in the file roles/.versions should be updated to 1.0.9 to fix it.

topleft commented 6 years ago

+1

alanning commented 6 years ago

Merged into master. What is the effect of the roles/.versions file pointing to the pre-patch version?

topleft commented 6 years ago

A vulnerability was found in which a specially formed payload sent over a web socket could gain access to updating docs in the DB.

https://forums.meteor.com/t/meteor-allow-deny-vulnerability-disclosure/39500

topleft commented 6 years ago

@alanning Will you update the Atmosphere package to reflect what is currently on master?

alanning commented 6 years ago

I am aware of the vulnerability. The Roles package itself does not use allow/deny directly so it is not directly vulnerable to my knowledge.

I am wondering if I need to update the Atmosphere package. Not sure what effect, if any, having the older version in roles/.versions has. I would not anticipate it being a problem since people who actually use allow/deny will probably update their app to have the newest and then what's in the roles/.versions will be overwritten.

But this is all conjecture which is why I was asking to see if anyone had more concrete knowledge about this.

mitar commented 6 years ago

I am also unsure here if anything should be done. It is a patch bump. Anyone can just update it locally in their app. This package is not preventing that in any way.

mitar commented 4 years ago

I think this has been done.