smblee / parameter-store-manager

A cross platform desktop application that provides an UI to easily view and manage AWS SSM parameters.
MIT License

Update dependency electron to v7 [SECURITY] #156

Closed renovate[bot] closed 3 years ago

renovate[bot] commented 4 years ago

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| electron | devDependencies | major | ^4.1.4 -> ^7.0.0 |

GitHub Vulnerability Alerts

CVE-2020-4075

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-4076

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

Non-Impacted Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-4077

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

For more information

If you have any questions or comments about this advisory:

CVE-2020-15096

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

For more information

If you have any questions or comments about this advisory:


Release Notes

electron/electron

### [`v7.2.4`](https://togithub.com/electron/electron/releases/v7.2.4)

[Compare Source](https://togithub.com/electron/electron/compare/v7.2.3...v7.2.4)

### Release Notes for v7.2.4

#### Fixes

- Fixed Promise timeout issue when running Electron as Node. [#23324](https://togithub.com/electron/electron/issues/23324)
- Fixed a use-after-free error that could happen if a Tray was destroyed while showing a custom context menu. [#23182](https://togithub.com/electron/electron/issues/23182)
- Fixed an issue where windows without `nativeWindowOpen: true` could invoke the non-native-open path. [#23224](https://togithub.com/electron/electron/issues/23224)
- Fixed memory leak when using contextBridge with sandbox=true. [#23232](https://togithub.com/electron/electron/issues/23232)
- MacOS VoiceOver is now able to find its way back into web contents after it navigated "out" of an application. [#23174](https://togithub.com/electron/electron/issues/23174)

### [`v7.2.3`](https://togithub.com/electron/electron/releases/v7.2.3)

[Compare Source](https://togithub.com/electron/electron/compare/v7.2.2...v7.2.3)

### Release Notes for v7.2.3

#### Fixes

- Security: Ensure proxy object is created in the correct context. [`a9bead2`](https://togithub.com/electron/electron/commit/a9bead22)

### [`v7.2.2`](https://togithub.com/electron/electron/releases/v7.2.2)

[Compare Source](https://togithub.com/electron/electron/compare/v7.2.1...v7.2.2)

### Release Notes for v7.2.2

#### Fixes

- Fixed a potential crash on invalid `zoomFactor` values when setting the zoom factor of a webpage. [#22710](https://togithub.com/electron/electron/issues/22710)
- Fixed an issue with `maximizable` state persistence of BrowserWindows on macOS. [#23019](https://togithub.com/electron/electron/issues/23019)
- Fixed an issue with possible creation of a messageBox which cannot be dismissed on macOS. [#23089](https://togithub.com/electron/electron/issues/23089)
- Fixed an occasional crash when closing all BrowserWindows. [#23024](https://togithub.com/electron/electron/issues/23024)
- Security: Backported fix for CVE-2020-6426: inappropriate implementation in V8. [#23043](https://togithub.com/electron/electron/issues/23043)
- Security: backported a fix for crbug.com/[`1065094`](https://togithub.com/electron/electron/commit/1065094). [#23059](https://togithub.com/electron/electron/issues/23059)
- Security: backported fix for a potential buffer overrun in WebRTC audio encoding. [#23037](https://togithub.com/electron/electron/issues/23037)
- Security: backported fix for site isolation bypass in dedicated workers. [#23040](https://togithub.com/electron/electron/issues/23040)
- Security: backported the fix to CVE-2020-6452: potential container-overflow in MediaStream mojo. [#23044](https://togithub.com/electron/electron/issues/23044)

#### Other Changes

- Security: Backport fix for buffer underflow in DWrite. [#22979](https://togithub.com/electron/electron/issues/22979)
- Security: Backported fix for use after free in file chooser. [#22981](https://togithub.com/electron/electron/issues/22981)
- Security: backport fix for CVE-2020-6451: Use after free in WebAudio. [#22945](https://togithub.com/electron/electron/issues/22945)
- Security: backport fix for use after free in VideoEncodeAccelerator. [#22983](https://togithub.com/electron/electron/issues/22983)
- Security: backported fix for CVE-2019-20503: Out of bounds read in usersctplib. [#22986](https://togithub.com/electron/electron/issues/22986)
- Security: backported fix for CVE-2020-6422: Use after free in WebGL. [#23017](https://togithub.com/electron/electron/issues/23017)
- Security: backported fix for CVE-2020-6423: Use after free in audio. [#23048](https://togithub.com/electron/electron/issues/23048)
- Security: backported fix for CVE-2020-6427: Use after free in audio. [#23015](https://togithub.com/electron/electron/issues/23015)
- Security: backported fix for CVE-2020-6428: Use after free in audio. [#23013](https://togithub.com/electron/electron/issues/23013)
- Security: backported fix for CVE-2020-6429: Use after free in audio. [#23011](https://togithub.com/electron/electron/issues/23011)
- Security: backported fix for CVE-2020-6449: Use after free in audio. [#23009](https://togithub.com/electron/electron/issues/23009)
- Security: backported fix for use-after-poison in WebAudio (crbug.com/[`1023810`](https://togithub.com/electron/electron/commit/1023810)). [#22869](https://togithub.com/electron/electron/issues/22869)
- Security: backported fix for use-after-poison in WebAudio. [#22943](https://togithub.com/electron/electron/issues/22943)

### [`v7.2.1`](https://togithub.com/electron/electron/releases/v7.2.1)

[Compare Source](https://togithub.com/electron/electron/compare/v7.2.0...v7.2.1)

### Release Notes for v7.2.1

#### Fixes

- Reverted "fix: better window hierarchy checks". [`cac3884`](https://togithub.com/electron/electron/commit/cac3884d)

### [`v7.2.0`](https://togithub.com/electron/electron/releases/v7.2.0)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.14...v7.2.0)

### Release Notes for v7.2.0

#### Features

- Added new `useSessionCookies` flag to `net` requests to allow them to use the session cookie store.
  - Fixed issue where `SameSite` cookies would not be attached to outgoing requests from the `net` module. [#22808](https://togithub.com/electron/electron/issues/22808)
- Exposing methods required by capturing a hidden webContents. [#21894](https://togithub.com/electron/electron/issues/21894)

#### Fixes

- Better window hierarchy checks. [`c16c4c2`](https://togithub.com/electron/electron/commit/c16c4c25)
- Fixed ARIA role="tree" for macOS VoiceOver. [#22424](https://togithub.com/electron/electron/issues/22424)
- Fixed a crash that could occur when sending arrays over IPC. [#22757](https://togithub.com/electron/electron/issues/22757)
- Fixed a potential crash on devices which had not connected any printers to their network. [#22517](https://togithub.com/electron/electron/issues/22517)
- Fixed an occasional segfault with modal windows being closed or destroyed. [#22540](https://togithub.com/electron/electron/issues/22540)
- Fixed issue where mutating the global `Object` prototype could cause internal Electron logic to throw errors. [#22729](https://togithub.com/electron/electron/issues/22729)
- Fixed some properties not working in webview tags. [#22512](https://togithub.com/electron/electron/issues/22512)

#### Unknown

- Reset version for 7.2.0. [`ace3216`](https://togithub.com/electron/electron/commit/ace32163)

### [`v7.1.14`](https://togithub.com/electron/electron/releases/v7.1.14)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.13...v7.1.14)

### Release Notes for v7.1.14

#### Fixes

- Backported V8 patch to fix bug in type inference. [#22428](https://togithub.com/electron/electron/issues/22428)
- Fixed "will-navigate" event not being emitted for sandboxed contents. [#22329](https://togithub.com/electron/electron/issues/22329)
- Fixed Electron apps getting rejected to Mac App Store. [#22299](https://togithub.com/electron/electron/issues/22299)
- Fixed an OOB access in ReadableStream::Close (). [#22435](https://togithub.com/electron/electron/issues/22435)
- Fixed an integer overflow crash in ICU (). [#22420](https://togithub.com/electron/electron/issues/22420)
- Fixed an issue with `safeDialog` preferences not being passed properly. [#22376](https://togithub.com/electron/electron/issues/22376)
- Fixed crash with seccomp-bpf sandbox on linux and glibc 2.31. [#22338](https://togithub.com/electron/electron/issues/22338)

### [`v7.1.13`](https://togithub.com/electron/electron/releases/v7.1.13)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.12...v7.1.13)

### Release Notes for v7.1.13

#### Fixes

- Fixed `webRequest` API not working with WebSockets. [#22141](https://togithub.com/electron/electron/issues/22141)
- Fixed a crash in `webContents.print()` with custom print margins. [#22187](https://togithub.com/electron/electron/issues/22187)
- Fixed a potential issue with active Menu garbage collection. [#22151](https://togithub.com/electron/electron/issues/22151)
- Fixed an issue where `undefined` was printed from `console.log` on Window when no arguments were passed. [#22173](https://togithub.com/electron/electron/issues/22173)
- Removed unnecessary breakpad_symbols directory from the dsym zip file. [#22220](https://togithub.com/electron/electron/issues/22220)

#### Other Changes

- Fixed a potential crash on faulty `deviceName`s in `webContents.print()`. [#22012](https://togithub.com/electron/electron/issues/22012)

#### Documentation

- Documentation changes: [#22266](https://togithub.com/electron/electron/issues/22266)

### [`v7.1.12`](https://togithub.com/electron/electron/releases/v7.1.12)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.11...v7.1.12)

### Release Notes for v7.1.12

#### Fixes

- Fixed an issue where sending complex objects over IPC could in some cases cause the renderer process to be terminated. [#21922](https://togithub.com/electron/electron/issues/21922)
- Fixed crash with Date.toLocaleString for invalid locale and locale of the format aa@BB. [#21969](https://togithub.com/electron/electron/issues/21969)
- Fixed flash plugin not working. [#22109](https://togithub.com/electron/electron/issues/22109)
- Fixed issue where renderers could crash during GC when using the `contextBridge` module. [#22112](https://togithub.com/electron/electron/issues/22112)
- Fixed netLog.stopLogging returning undefined instead of the path to the log. [#21988](https://togithub.com/electron/electron/issues/21988)

### [`v7.1.11`](https://togithub.com/electron/electron/releases/v7.1.11)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.10...v7.1.11)

### Release Notes for v7.1.11

#### Fixes

- Fixed an edge case in checkbox logic on Windows. [#21860](https://togithub.com/electron/electron/issues/21860)
- Fixed an issue where `window.print()` only worked once on a single `BrowserWindow`. [#21911](https://togithub.com/electron/electron/issues/21911)
- Fixed an issue where the credits set in About Panel credits were not dark mode aware on macOS. [#21924](https://togithub.com/electron/electron/issues/21924)
- Fixed error thrown when importing powerMonitor on Linux before app's 'ready' event. [#21941](https://togithub.com/electron/electron/issues/21941)
- Fixed fuzzy font rendering when hot-plugging displays on macOS Catalina. [#21872](https://togithub.com/electron/electron/issues/21872)

#### Documentation

- Documentation changes: [#21873](https://togithub.com/electron/electron/issues/21873)

### [`v7.1.10`](https://togithub.com/electron/electron/releases/v7.1.10)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.9...v7.1.10)

### Release Notes for v7.1.10

#### Fixes

- Fixed `BrowserWindow.setFocusable(true)` not working on Windows. [#21855](https://togithub.com/electron/electron/issues/21855)
- Fixed `set-cookie` header not passed in net module. [#21770](https://togithub.com/electron/electron/issues/21770)
- Fixed an issue where custom stream protocols would sometimes not complete responses when the data stream ended. [#21758](https://togithub.com/electron/electron/issues/21758)
- Fixed crash when restoring minimized hidden window on Windows. [#21820](https://togithub.com/electron/electron/issues/21820)
- Fixed issue where non-zero size pixels in CSS styles could be rounded down to zero size pixels. [#21857](https://togithub.com/electron/electron/issues/21857)
- Fixed memory leak when using javascript generator functions. [#21773](https://togithub.com/electron/electron/issues/21773)

#### Other Changes

- Fixed potential hang when sending synchronous IPC messages on process shutdown. [#21776](https://togithub.com/electron/electron/issues/21776)

### [`v7.1.9`](https://togithub.com/electron/electron/releases/v7.1.9)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.8...v7.1.9)

### Release Notes for v7.1.9

#### Fixes

- Fixed a crash in contextBridge that happens on garbage collection. [#21736](https://togithub.com/electron/electron/issues/21736)
- Fixed a crash that would occur when Notifications were closed in concert with app termination. [#21719](https://togithub.com/electron/electron/issues/21719)
- Fixed an issue that could cause frameless windows to become undraggable in some circumstances. [#21723](https://togithub.com/electron/electron/issues/21723)
- Fixed an issue that could prevent communication between a sandboxed child window opened with `nativeWindowOpen: false` and an unsandboxed parent window. Also fixed `document.visibilityState` not working in sandboxed ``. [#21696](https://togithub.com/electron/electron/issues/21696)
- Fixed an issue with potential duplicate error popups when calling `shell.showItemInFolder` on Windows. [#21749](https://togithub.com/electron/electron/issues/21749)
- Fixed white flash when foregrounding an occluded window. [#21750](https://togithub.com/electron/electron/issues/21750)

#### Documentation

- Documentation changes: [#21742](https://togithub.com/electron/electron/issues/21742)

### [`v7.1.8`](https://togithub.com/electron/electron/releases/v7.1.8)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.7...v7.1.8)

### Release Notes for v7.1.8

#### Fixes

- Fixed an issue in the `net` module where aborting a request during a redirect could cause an error to be thrown. [#21645](https://togithub.com/electron/electron/issues/21645)
- Fixed incorrect button highlighting when `defaultId` is passed for dialog message boxes. [#21652](https://togithub.com/electron/electron/issues/21652)

#### Other Changes

- Updated `crashReporter` to throw an error for `getLastCrashReport` if `crashReporter` not started. [#21683](https://togithub.com/electron/electron/issues/21683)

### [`v7.1.7`](https://togithub.com/electron/electron/releases/v7.1.7)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.6...v7.1.7)

### Release Notes for v7.1.7

#### Fixes

- Fixed an issue where calling allowNTLMCredentialsForDomains() could cause a change in Kerberos SPN generation behavior. [#21572](https://togithub.com/electron/electron/issues/21572)

### [`v7.1.6`](https://togithub.com/electron/electron/releases/v7.1.6)

[Compare Source](https://togithub.com/electron/electron/compare/v7.1.5...v7.1.6)

### Release Notes for v7.1.6

#### Fixes

- Fixed black boxes with `
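The CVE-2020-4075 workaround quoted above (cancel `new-window` events whose url or options are not what the app expects) written out as a main-process guard; this is an added example, not code from this PR or from parameter-store-manager. It assumes Electron 7's `new-window` event arguments, treats node integration or disabled web security in a child window as unexpected (the app's own windows are assumed to run without them), and uses a constructed allow-list `ALLOWED_ORIGINS` plus a stand-in `webContents` in `simulate()` so it runs without Electron.

```javascript
// Added example, not code from the PR or from parameter-store-manager: a
// main-process guard implementing the CVE-2020-4075 workaround (preventDefault
// on unexpected new-window events). Assumes Electron 7's event arguments
// (event, url, frameName, disposition, options). Allow-list is constructed.
const ALLOWED_ORIGINS = new Set(['https://console.aws.amazon.com']);

// Returns true only for a child window the app actually expects: an https URL on
// an allowed origin, and no window option that would widen the child's
// privileges. Feature strings given to window.open (e.g. "nodeIntegration=yes")
// are parsed by Electron into options.webPreferences, so they are covered too.
function isExpectedNewWindow(url, options, allowedOrigins) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; } // unparseable: never open
  if (parsed.protocol !== 'https:' || !allowedOrigins.has(parsed.origin)) {
    return false; // file:, javascript:, about: and unknown hosts are rejected
  }
  const prefs = (options && options.webPreferences) || {};
  if (prefs.nodeIntegration || prefs.nodeIntegrationInWorker || prefs.nodeIntegrationInSubFrames) {
    return false; // a child window must never get Node access
  }
  if (prefs.webSecurity === false || prefs.allowRunningInsecureContent) {
    return false; // nor weakened web security
  }
  return true;
}

// Attaches the workaround to a webContents: every unexpected new-window request
// is cancelled with event.preventDefault() and reported through `log`.
function installNewWindowGuard(webContents, allowedOrigins, log = console.warn) {
  webContents.on('new-window', (event, url, frameName, disposition, options) => {
    if (!isExpectedNewWindow(url, options, allowedOrigins)) {
      event.preventDefault();
      log(`blocked new-window to ${url} (${disposition}) with ${JSON.stringify(options)}`);
    }
  });
}

// Drives the guard through a minimal stand-in for webContents (constructed for
// this example, no Electron needed) and reports whether the event was cancelled.
function simulate(url, options, allowedOrigins = ALLOWED_ORIGINS) {
  let listener = null;
  const fakeContents = { on: (name, fn) => { if (name === 'new-window') listener = fn; } };
  installNewWindowGuard(fakeContents, allowedOrigins, () => {});
  let prevented = false;
  listener({ preventDefault: () => { prevented = true; } }, url, '', 'new-window', options);
  return prevented;
}
```

In a real app the same `installNewWindowGuard(win.webContents, ALLOWED_ORIGINS)` call goes next to where each `BrowserWindow` is created; the blocked-event log line is what to alert on, since a legitimate build should never produce it.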