      request #9913 Potential regular expression denial of service through Tuleap Realtime dependencies
    Infos
    #9913
    Thomas Gerbet (tgerbet)
    2017-01-30 13:20
    2017-01-30 09:15
    10203
    Details
    Potential regular expression denial of service through Tuleap Realtime dependencies
    Tuleap Realtime has a dependency on convict < 2, which itself depends on a vulnerable version of moment [1].

    In our context it is not really exploitable, but potentially vulnerable dependencies should be updated.


    [1] https://github.com/moment/moment/commit/663f33e333212b3800b63592cd8e237ac8fabdb9
    Other
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Empty
    Under implementation
    Empty
    References
    Referenced by request #9913

    Follow-ups

    Thomas Gerbet (tgerbet) 2017-01-30 13:20
    We cannot update to moment 2 until we have NodeJS >= 4, which is not the case on CentOS 6 with the EPEL repo.