watson / bonjour

A Bonjour/Zeroconf protocol implementation in JavaScript
MIT License

CVE-2021-23386: out-dated dns-packet dependency --> update multicast-dns #63

Closed arderyp closed 3 years ago

arderyp commented 3 years ago

CVE-2021-23386

the current multicast-dns dependency version relies on an ancient version of dns-packet that is vulnerable to CVE-2021-23386

https://github.com/watson/bonjour/blob/master/package.json#L11

RELATED:

arderyp commented 3 years ago

multicast-dns patched their dns-packet dependency. Updating to "multicast-dns": "^7.2.3" should do the trick.

croraf commented 3 years ago

This is a potentially breaking change, though, as the current version is: "multicast-dns": "^6.0.1"

arderyp commented 3 years ago

@croraf, yes, that's correct. I also notice this project hasn't been touched in 5 years. Hopefully it's still being actively monitored and maintained. Paging @watson

mallardduck commented 3 years ago

Yep, it seems @croraf was correct, but the breaking changes were trivial to fix. Ready to go: https://github.com/watson/bonjour/pull/64

mafintosh commented 3 years ago

This is fixed in dns-packet v1 which this is tracking, trying to get them to update the advisory to create less noise.

arderyp commented 3 years ago

@mafintosh, are you saying the latest version of this package (and thus dns-packet@1.3.1) is not actually vulnerable to the aforementioned CVE? If so, that'll be the second inaccurate CVE vulnerability warning from GitHub that I've seen in the past week.

mafintosh commented 3 years ago

@arderyp no, I backported the fix to v1 to make it easy for people to get the fix without changing their semvers

ghost commented 3 years ago

Here is the issue stating it's fixed: mafintosh/multicast-dns/issues/75. I think dns-packet 1.3.4 has the fix

arderyp commented 3 years ago

thanks @mafintosh. I was able to pull 1.3.4 successfully. GH still shows that as a vulnerable version, but I suppose that's what you were referencing when you said you were trying to get GH to update the advisory (to include 1.3.4 as non-vulnerable). Thanks again.

mafintosh commented 3 years ago

@arderyp yeah, I contacted SNYK today to get them to update their db and they promised to do that today (crossing my fingers that'll happen soon)

arderyp commented 3 years ago

looks like they've done it. No more warning over here :)

arderyp commented 3 years ago

Back-ported dns-packet@1.3.4 provides the fix and does not require downstream versioning. A simple yarn upgrade should resolve the vulnerability now.

croraf commented 3 years ago

Wait, why is this closed? Version 3.5 (latest) still has the issue...

arderyp commented 3 years ago

Run yarn upgrade. You should notice your dns-packet jump to version 1.3.4. Thanks to @mafintosh, that fixes the CVE vulnerability exposure to multicast-dns, and thus to the latest version here. Push that to GH and you'll see the vulnerability warning disappear.
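Because the fix was backported rather than shipped as a new major, the only reliable check is what the lockfile actually resolved. The following is an added example, not code from the bonjour project or from anyone in this thread: it reads yarn.lock (v1 format) text, collects every resolved dns-packet version, and flags 1.x resolutions below 1.3.4. The cut-off 1.3.4 is the one named in this thread; for other major lines the script reports 'unknown' rather than assuming a fixed version, and the lockfile excerpt is constructed.

```javascript
// Added example (not the bonjour project's code): audit yarn.lock v1 text for resolved
// dns-packet versions. Only the 1.x cut-off (1.3.4, the backport named in this thread) is
// known here; other major lines are reported as 'unknown' rather than guessed.
const PATCHED_1X = [1, 3, 4];

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns 'patched', 'vulnerable' or 'unknown' for one dns-packet version string.
function dnsPacketStatus(version) {
  const v = parseVersion(version);
  if (v[0] !== 1) return 'unknown';
  for (let i = 0; i < 3; i++) {
    if (v[i] !== PATCHED_1X[i]) return v[i] > PATCHED_1X[i] ? 'patched' : 'vulnerable';
  }
  return 'patched'; // exactly 1.3.4
}

// Collect every resolved version of `pkg`. yarn.lock v1 entry headers sit at column 0 and
// end with ':' (e.g. `dns-packet@^1.3.1:` or `"a@^1", a@~1:`); the indented `version "x"`
// line beneath the header is the version actually installed.
function resolvedVersions(lockText, pkg) {
  const found = new Set();
  let inTarget = false;
  for (const line of lockText.split('\n')) {
    if (line && !/^\s/.test(line) && line.endsWith(':')) {
      const names = line.slice(0, -1).split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''))
        .map(spec => spec.slice(0, spec.lastIndexOf('@'))); // handles @scope/name too
      inTarget = names.includes(pkg);
    } else if (inTarget) {
      const m = /^\s+version "([^"]+)"/.exec(line);
      if (m) found.add(m[1]);
    }
  }
  return [...found];
}

const auditDnsPacket = lockText => resolvedVersions(lockText, 'dns-packet')
  .map(version => ({ version, status: dnsPacketStatus(version) }));

// Constructed lockfile excerpt: one stale resolution and one patched one.
const SAMPLE_LOCK = `dns-packet@^1.3.1:
  version "1.3.1"

"dns-packet@^1.3.4", dns-packet@~1.3.4:
  version "1.3.4"
`;
```

A lockfile can legitimately resolve the same package more than once, which is why the audit reports every resolved version rather than the first one it finds.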

arderyp commented 3 years ago

If the maintainers or others want to create a new issue for upgrading from multicast-dns 6.x to 7.x, you should open a separate issue for that specific task. This issue is simply about resolving the CVE exposure, which is now done.