mahara-contributors team mailing list archive
Message #68294
[Bug 2003988] [NEW] glob-parent vulnerability
Public bug reported:
glob-parent before 5.1.2 vulnerable to Regular Expression Denial of
Service in enclosure regex
- https://github.com/advisories/GHSA-ww39-953v-wcq6
- https://nvd.nist.gov/vuln/detail/CVE-2020-28469
- https://cwe.mitre.org/data/definitions/400.html
In our third-party libraries, we are waiting for gulp to update their
dependencies. However, it's been 3 years since their last update.
Unsure if they will.
Yet to be fixed: gulp - but not hopeful currently
https://twitter.com/gulpjs/status/1564430489473077248?cxt=HHwWgMCqjbrP_LUrAAAA
However, our CSS gets compiled from hardcoded sass files before webpages
get loaded.
mahara-themes@1.0.2 /.../.../code/mahara
├─┬ gulp@4.0.2 🚨
│ ├─┬ glob-watcher@5.0.5
│ │ └─┬ chokidar@2.1.8
│ │   └── glob-parent@3.1.0 🚨
│ └─┬ vinyl-fs@3.0.3
│   └─┬ glob-stream@6.1.0
│     └── glob-parent@3.1.0 deduped 🚨
└─┬ sass@1.57.1
  └─┬ chokidar@3.5.3
    └── glob-parent@5.1.2 ✅
** Affects: mahara
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: mahara-contributors
https://bugs.launchpad.net/bugs/2003988
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/2003988/+subscriptions
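The tree in the report shows two paths (both under gulp) that still resolve glob-parent@3.1.0 while sass already pulls the patched 5.1.2. The following is an added example, not code from Mahara or from the bug reporter: it walks a dependency tree shaped like the JSON that `npm ls --json` emits (nested `{ name, version, dependencies: { <name>: { version, dependencies } } }` objects, which is an assumption about the shape you feed it), lists every path that reaches glob-parent below 5.1.2, and builds the package.json `overrides` stanza that npm 8.3 and later honour to pin the patched version when the upstream fix never lands. The sample tree is constructed inline to mirror the one quoted above.

```javascript
'use strict';

// Added example, not Mahara's code: audit an `npm ls --json`-shaped tree for a
// vulnerable transitive dependency and derive an npm `overrides` pin for it.

const VULN_PKG = 'glob-parent';
const FIXED_VERSION = '5.1.2'; // first release without the enclosure-regex ReDoS (GHSA-ww39-953v-wcq6)

// Compare two dotted versions numerically. A pre-release suffix ("-beta.1") is
// dropped: `npm ls` reports resolved, installed versions, which is all we need here.
function compareVersions(a, b) {
  const pa = String(a).split('-')[0].split('.').map(Number);
  const pb = String(b).split('-')[0].split('.').map(Number);
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Depth-first walk over the tree. Deduped (hoisted) entries still carry a
// version in the JSON, so every path that reaches the vulnerable version is
// reported, not just the first one npm happened to print in full.
function findVulnerable(tree, pkg = VULN_PKG, fixed = FIXED_VERSION) {
  const hits = [];
  const walk = (node, path) => {
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      const here = [...path, `${name}@${child.version}`];
      if (name === pkg && compareVersions(child.version, fixed) < 0) {
        hits.push({ name, version: child.version, path: here.join(' > ') });
      }
      walk(child, here);
    }
  };
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// package.json "overrides" stanza (npm >= 8.3) pinning each affected package to
// the patched version. Returns null when nothing in the tree is affected.
function overridesFor(hits, fixed = FIXED_VERSION) {
  if (hits.length === 0) return null;
  const overrides = {};
  for (const hit of hits) overrides[hit.name] = fixed;
  return { overrides };
}

// Human-readable report lines for one tree.
function report(tree) {
  const hits = findVulnerable(tree);
  const lines = hits.map((h) => `vulnerable ${h.name}@${h.version} via ${h.path}`);
  if (hits.length === 0) lines.push(`no ${VULN_PKG} below ${FIXED_VERSION} found`);
  return lines;
}

// Constructed input mirroring the `npm ls` tree quoted in the bug report.
const SAMPLE_TREE = {
  name: 'mahara-themes',
  version: '1.0.2',
  dependencies: {
    gulp: { version: '4.0.2', dependencies: {
      'glob-watcher': { version: '5.0.5', dependencies: {
        chokidar: { version: '2.1.8', dependencies: {
          'glob-parent': { version: '3.1.0' } } } } },
      'vinyl-fs': { version: '3.0.3', dependencies: {
        'glob-stream': { version: '6.1.0', dependencies: {
          'glob-parent': { version: '3.1.0' } } } } } } },
    sass: { version: '1.57.1', dependencies: {
      chokidar: { version: '3.5.3', dependencies: {
        'glob-parent': { version: '5.1.2' } } } } },
  },
};

console.log(report(SAMPLE_TREE).join('\n'));
console.log(JSON.stringify(overridesFor(findVulnerable(SAMPLE_TREE)), null, 2));
```

Run it against real output with `npm ls --all --json > tree.json` and pass the parsed file to `findVulnerable`. Two caveats apply to the override route: pinning 3.1.0 up to 5.1.2 crosses two major versions of glob-parent, so the gulp build has to be re-run after adding the stanza to confirm it still compiles the themes; and, as the report notes, the regex here only ever sees the hardcoded sass paths at build time, so the override removes the finding from scanners rather than closing an attacker-reachable path.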