mafintosh
commented
3 years ago That was the fix.
Closed hatpick closed 3 years ago
mafintosh
commented
3 years ago That was the fix.
prueker
commented
3 years ago @mafintosh Did you also inform the CVE database and github advisory that the v 1.3.4 also has the patch, so that automated toolings can detect the fix for people on v1 branch?
mafintosh
commented
3 years ago @prueker I did, they said they'd update it today (crossing my fingers, that'll happen soon)
prueker
commented
3 years ago Great, thanks.
Kartikdot
commented
3 years ago Hi! Has this issue been fixed? I am unable to use force resolutions in my repository to upgrade to 5.2.4. can i use these changes to generate patch package? index.js
Are there any other changes required?
mafintosh
commented
3 years ago Best to apply all the commits. Also only relevant if an attacker can craft your packet inputs
Kartikdot
commented
3 years ago @mafintosh Just to be clear. I am currently using v1.3.3. By 'apply all commits' do you mean change all files that have changed to between v1.3.3 to v5.2.4?
Kartikdot
commented
3 years ago Ok i read your previous comment to regarding v1.3.4. Please update here if you get confirmation on automated toolings detecting the patch in v1.3.4 Thanks a ton!
pinpointpanda
commented
3 years ago FYI - dependabot picked this fix up 4 days ago for me in 1.3.4 👍 Thanks for the quick resolve! 😄
Caused by this change: https://github.com/mafintosh/dns-packet/commit/25f15dd0fedc53688b25fd053ebbdffe3d5c1c56