hsu-aut / lion

Lightweight Industrial Ontology Support
MIT License

Bump node-opcua from 2.5.0-alpha.6 to 2.74.0 in /lion_backEnd #164

Closed dependabot[bot] closed 4 months ago

dependabot[bot] commented 2 years ago

Bumps node-opcua from 2.5.0-alpha.6 to 2.74.0.

Release notes

Sourced from node-opcua's releases.

v2.74.0

This important release fixes 3 CVEs that have been recently discovered.

We strongly encourage you to upgrade your existing node-opcua to version 2.74.0 or greater and to contact Sterfive for support.

Only Sterfive's customers or members of the NodeOPCUA Subscription Membership are entitled to receive professional advice & support. You can apply online at https://support.sterfive.com .

:bangbang: vulnerabilities fixes

CVE-2022-21208
  • Versions of the package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
CVE-2022-25231
  • Versions of the package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) by sending a specifically crafted OPC UA message with a special OPC UA NodeID, when the requested memory allocation exceeds the v8’s memory limit.
CVE-2022-24375
  • Versions of the package node-opcua before 2.74.0 are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.

:bug: bug fixes:

  • [902b288aae91ef465d960039e353259a926711b1] server now returns ServiceFault response in case of error, instead of the corresponding Response of the Request command.
  • [3fd46ec156e7718a506be41f3916310b6bdd0407] server: fix Subscription.modify that may cause server to crash;

©️ copyright update

  • node-opcua@2.74.0 is now copyrighted by Sterfive SAS. [902b288aae91ef465d960039e353259a926711b1]

Please make sure to comply with the MIT license and include the attributions to Sterfive SAS for NodeOPCUA in the documentation that accompanies your application.

Copyright (c) 2022  Sterfive SAS - 833264583 RCS ORLEANS - France (https://www.sterfive.com)
Copyright (c) 2014-2022 Etienne Rossignon

👬 contributors

v2.73.0

... (truncated)


You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
  • `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
  • `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
  • `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hsu-aut/lion/network/alerts).

Note: Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
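
CVE-2022-21208 in the release notes above comes down to a receiver that buffers message chunks with no cap on their number or size. The following is an added example, not node-opcua's code and not part of this pull request, of a reassembler that enforces such caps; the class name, the limit values and the `makeChunk` helper are assumptions, and everything after the 8-byte chunk header is treated as message body.

```javascript
// Bounded reassembly of OPC UA binary chunks (illustrative sketch).
// Chunk header: 3-byte message type, 1-byte chunk type ('C' intermediate,
// 'F' final, 'A' abort), UInt32 LE chunk size that includes the header.
const HEADER_SIZE = 8;

class BoundedChunkAssembler {
  // Limit values are assumptions chosen for this example.
  constructor({ maxChunkCount = 4, maxChunkSize = 8192, maxMessageSize = 16384 } = {}) {
    this.limits = { maxChunkCount, maxChunkSize, maxMessageSize };
    this.reset();
  }
  reset() {
    this.chunks = [];
    this.totalSize = 0;
  }
  // Returns { status: "pending" | "complete" | "aborted" | "rejected", ... }.
  push(chunk) {
    if (chunk.length < HEADER_SIZE) return this.reject("truncated header");
    const chunkType = String.fromCharCode(chunk[3]);
    const declared = chunk.readUInt32LE(4);
    // Check the declared size first, before anything is buffered.
    if (declared > this.limits.maxChunkSize) return this.reject("chunk too large");
    if (declared !== chunk.length) return this.reject("size mismatch");
    if (chunkType === "A") { this.reset(); return { status: "aborted" }; }
    if (chunkType !== "C" && chunkType !== "F") return this.reject("bad chunk type");
    if (this.chunks.length + 1 > this.limits.maxChunkCount) return this.reject("too many chunks");
    const bodySize = chunk.length - HEADER_SIZE;
    if (this.totalSize + bodySize > this.limits.maxMessageSize) return this.reject("message too large");
    this.chunks.push(chunk.subarray(HEADER_SIZE));
    this.totalSize += bodySize;
    if (chunkType === "C") return { status: "pending" }; // wait for the final chunk
    const body = Buffer.concat(this.chunks, this.totalSize);
    this.reset();
    return { status: "complete", body };
  }
  reject(reason) {
    this.reset(); // free buffered data; the caller should close the connection
    return { status: "rejected", reason };
  }
}

// Builds a constructed sample chunk (for the demonstration only).
function makeChunk(chunkType, body) {
  const header = Buffer.alloc(HEADER_SIZE);
  header.write("MSG" + chunkType, 0, "ascii");
  header.writeUInt32LE(HEADER_SIZE + body.length, 4);
  return Buffer.concat([header, body]);
}
```

A stream of intermediate chunks that never ends with a final chunk is rejected once `maxChunkCount` is reached, and the buffered data is released at that point. A per-connection cap like this does not cover the "in total for all concurrent sessions" part of the CVE text, which needs a separate server-wide budget.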

dependabot[bot] commented 1 year ago

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

dependabot[bot] commented 4 months ago

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.