Open renovate[bot] opened 2 months ago
This PR contains the following updates:

| Package | Change |
|---|---|
| [pdfjs-dist](https://togithub.com/mozilla/pdfjs-dist) | `~3.4.120` -> `~4.2.0` |

### GitHub Vulnerability Alerts

#### CVE-2024-4367

**Impact**

If pdf.js is used to load a malicious PDF, and PDF.js is configured with `isEvalSupported` set to `true` (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain.

**Patches**

The patch removes the use of `eval`: https://github.com/mozilla/pdf.js/pull/18015

**Workarounds**

Set the option `isEvalSupported` to `false`.

**References**

https://bugzilla.mozilla.org/show_bug.cgi?id=1893645
### Release Notes

#### mozilla/pdfjs-dist (pdfjs-dist)

- [`v4.2.67`](https://togithub.com/mozilla/pdfjs-dist/compare/b604f5df0f709b103d2d001b8cd232497ab35512...aabddebbdb63cd45490b855ebdc58a50187f58e5) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/b604f5df0f709b103d2d001b8cd232497ab35512...aabddebbdb63cd45490b855ebdc58a50187f58e5))
- [`v4.1.392`](https://togithub.com/mozilla/pdfjs-dist/compare/a7e55a874a767ce627400d1aee736e2955224fb4...b604f5df0f709b103d2d001b8cd232497ab35512) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/a7e55a874a767ce627400d1aee736e2955224fb4...b604f5df0f709b103d2d001b8cd232497ab35512))
- [`v4.0.379`](https://togithub.com/mozilla/pdfjs-dist/compare/8c748cb7da8880ed104456e31aabff28e3446423...a7e55a874a767ce627400d1aee736e2955224fb4) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/8c748cb7da8880ed104456e31aabff28e3446423...a7e55a874a767ce627400d1aee736e2955224fb4))
- [`v4.0.269`](https://togithub.com/mozilla/pdfjs-dist/compare/1ca25bb577a7e5ac51725fca27b227bde471f347...8c748cb7da8880ed104456e31aabff28e3446423) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/1ca25bb577a7e5ac51725fca27b227bde471f347...8c748cb7da8880ed104456e31aabff28e3446423))
- [`v4.0.189`](https://togithub.com/mozilla/pdfjs-dist/compare/f287f540ed3ed393e137c9ff7a2e98f6e73ea527...1ca25bb577a7e5ac51725fca27b227bde471f347) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/f287f540ed3ed393e137c9ff7a2e98f6e73ea527...1ca25bb577a7e5ac51725fca27b227bde471f347))
- [`v3.11.174`](https://togithub.com/mozilla/pdfjs-dist/compare/66f4a54d50db112550a5850061dea2ac854aec34...f287f540ed3ed393e137c9ff7a2e98f6e73ea527) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/66f4a54d50db112550a5850061dea2ac854aec34...f287f540ed3ed393e137c9ff7a2e98f6e73ea527))
- [`v3.10.111`](https://togithub.com/mozilla/pdfjs-dist/compare/8e42496c7ddbb9b2475840b2d202167809e0d734...66f4a54d50db112550a5850061dea2ac854aec34) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/8e42496c7ddbb9b2475840b2d202167809e0d734...66f4a54d50db112550a5850061dea2ac854aec34))
- [`v3.9.179`](https://togithub.com/mozilla/pdfjs-dist/compare/a992272b1a6955dad3f8f22ce6691b3f223b250a...8e42496c7ddbb9b2475840b2d202167809e0d734) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/a992272b1a6955dad3f8f22ce6691b3f223b250a...8e42496c7ddbb9b2475840b2d202167809e0d734))
- [`v3.8.162`](https://togithub.com/mozilla/pdfjs-dist/compare/43db84a7b499ea87096e55c363980b162cc02318...a992272b1a6955dad3f8f22ce6691b3f223b250a) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/43db84a7b499ea87096e55c363980b162cc02318...a992272b1a6955dad3f8f22ce6691b3f223b250a))
- [`v3.7.107`](https://togithub.com/mozilla/pdfjs-dist/compare/5cc200a05453966af9a57b53fdde2507cf04b178...43db84a7b499ea87096e55c363980b162cc02318) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/5cc200a05453966af9a57b53fdde2507cf04b178...43db84a7b499ea87096e55c363980b162cc02318))
- [`v3.6.172`](https://togithub.com/mozilla/pdfjs-dist/compare/d869733e8e30fb27c26585606ddea5c328ff4bd9...5cc200a05453966af9a57b53fdde2507cf04b178) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/d869733e8e30fb27c26585606ddea5c328ff4bd9...5cc200a05453966af9a57b53fdde2507cf04b178))
- [`v3.5.141`](https://togithub.com/mozilla/pdfjs-dist/compare/v3.4.120...d869733e8e30fb27c26585606ddea5c328ff4bd9) ([Compare Source](https://togithub.com/mozilla/pdfjs-dist/compare/v3.4.120...d869733e8e30fb27c26585606ddea5c328ff4bd9))

### Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
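As an added example (not part of the Renovate PR body and not pdf.js's own code), the following JavaScript applies the advisory's workaround on the caller side and gates it on the installed `pdfjs-dist` version. It assumes the fixed release is `v4.2.67`, the newest version listed in the release notes above (an assumption; confirm against the advisory's patched-version field before relying on it), and the helper names `parseVersion`, `compareVersions`, `isVulnerable`, `hardenDocumentParams` and `assertSafeConfig` are illustrative. `getDocument`, `.promise` and `version` are real `pdfjs-dist` exports and appear only in a comment so the file runs without the dependency installed.

```javascript
// Added example for CVE-2024-4367: apply the advisory's workaround
// (isEvalSupported: false) from the calling application and refuse to run a
// still-vulnerable pdfjs-dist without it. Not pdf.js or Renovate code.

// Assumption: the first fixed release is v4.2.67, the top entry in the PR's
// release notes. Adjust if your advisory source lists a different version.
const FIXED_VERSION = "4.2.67";

// Parse "MAJOR.MINOR.PATCH" into integers, tolerating a leading "v", "~" or "^"
// as found in package.json ranges and in the PR's version table.
function parseVersion(v) {
  const m = String(v).trim().replace(/^[v~^]/, "").match(/^(\d+)\.(\d+)\.(\d+)/);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the installed pdfjs-dist predates the fix and still uses eval.
function isVulnerable(installedVersion, fixedVersion = FIXED_VERSION) {
  return compareVersions(installedVersion, fixedVersion) < 0;
}

// Return a copy of the getDocument() parameters with the workaround applied.
// pdf.js defaults isEvalSupported to true, so the caller must set it
// explicitly; any other caller-supplied parameter is preserved.
function hardenDocumentParams(params = {}) {
  return { ...params, isEvalSupported: false };
}

// Guard: a vulnerable version may only be used with the workaround in place.
// Returns true when the combination is acceptable, throws otherwise.
function assertSafeConfig(installedVersion, params) {
  if (isVulnerable(installedVersion) && params.isEvalSupported !== false) {
    throw new Error(
      `pdfjs-dist ${installedVersion} is affected by CVE-2024-4367: ` +
        `set isEvalSupported: false or upgrade to >= ${FIXED_VERSION}`
    );
  }
  return true;
}

// Usage with the real library (kept as a comment so this file runs without it):
//   import * as pdfjsLib from "pdfjs-dist";
//   const params = hardenDocumentParams({ data: pdfBytes });
//   assertSafeConfig(pdfjsLib.version, params);
//   const doc = await pdfjsLib.getDocument(params).promise;
```

The option exists in the first place because a page served with a Content-Security-Policy that omits `'unsafe-eval'` cannot call `eval` or `new Function` at all, so such a CSP blocks this code path as defense in depth. Treat both the option and the CSP as mitigations only; merging the upgrade is the fix.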