-
Notifications
You must be signed in to change notification settings - Fork 373
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Assigned RUSTSEC-2024-0403 to js-sandbox, RUSTSEC-2024-0404 to anstre…
…am, RUSTSEC-2024-0405 to rustyscript (#2154) Co-authored-by: Shnatsel <[email protected]>
- Loading branch information
1 parent
f458c7c
commit 34a9f08
Showing
4 changed files
with
47 additions
and
47 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| This file causes merge conflicts if two ID assignment jobs run concurrently. | ||
| This prevents duplicate ID assignment due to a race between those jobs. | ||
| 54e570a3af4cf3373d3167584f6ba074f9a490041e0ceebf7eeeeda71c7eba9f - | ||
| fc3307516f0bba62f1990827568056f2ca57badabb319fa9a8b952b1e9ecda48 - |
2 changes: 1 addition & 1 deletion
2
crates/anstream/RUSTSEC-0000-0000.md → crates/anstream/RUSTSEC-2024-0404.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
44 changes: 22 additions & 22 deletions
44
crates/js-sandbox/RUSTSEC-0000-0000.md → crates/js-sandbox/RUSTSEC-2024-0403.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,22 +1,22 @@ | ||
| ```toml | ||
| [advisory] | ||
| id = "RUSTSEC-0000-0000" | ||
| package = "js-sandbox" | ||
| date = "2024-07-18" | ||
| url = "https://github.com/Bromeon/js-sandbox/issues/31" | ||
| categories = ["denial-of-service"] | ||
|
|
||
| [versions] | ||
| patched = [] | ||
| ``` | ||
|
|
||
| # op_panic in the base runtime can force a panic in the runtime's containing thread | ||
|
|
||
| Affected versions use deno_core releases that expose `Deno.core.ops.op_panic` to the JS runtime in the base core | ||
|
|
||
| This function when called triggers a manual panic in the thread containing the runtime, breaking sandboxing | ||
|
|
||
| It can be fixed by stubbing out the exposed op: | ||
| ```javascript | ||
| Deno.core.ops.op_panic = (msg) => { throw new Error(msg) }; | ||
| ``` | ||
| ```toml | ||
| [advisory] | ||
| id = "RUSTSEC-2024-0403" | ||
| package = "js-sandbox" | ||
| date = "2024-07-18" | ||
| url = "https://github.com/Bromeon/js-sandbox/issues/31" | ||
| categories = ["denial-of-service"] | ||
|
|
||
| [versions] | ||
| patched = [] | ||
| ``` | ||
|
|
||
| # op_panic in the base runtime can force a panic in the runtime's containing thread | ||
|
|
||
| Affected versions use deno_core releases that expose `Deno.core.ops.op_panic` to the JS runtime in the base core | ||
|
|
||
| This function when called triggers a manual panic in the thread containing the runtime, breaking sandboxing | ||
|
|
||
| It can be fixed by stubbing out the exposed op: | ||
| ```javascript | ||
| Deno.core.ops.op_panic = (msg) => { throw new Error(msg) }; | ||
| ``` |
46 changes: 23 additions & 23 deletions
46
crates/rustyscript/RUSTSEC-0000-0000.md → crates/rustyscript/RUSTSEC-2024-0405.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,23 +1,23 @@ | ||
| ```toml | ||
| [advisory] | ||
| id = "RUSTSEC-0000-0000" | ||
| package = "rustyscript" | ||
| date = "2024-07-18" | ||
| url = "https://github.com/rscarson/rustyscript/issues/174" | ||
| categories = ["denial-of-service"] | ||
|
|
||
| [versions] | ||
| patched = [">= 0.6.1"] | ||
| unaffected = ["<= 0.3.0"] | ||
| ``` | ||
|
|
||
| # op_panic in the base runtime can force a panic in the runtime's containing thread | ||
|
|
||
| Affected versions use deno_core releases that expose `Deno.core.ops.op_panic` to the JS runtime in the base core | ||
|
|
||
| This function when called triggers a manual panic in the thread containing the runtime. | ||
|
|
||
| It can be fixed by stubbing out the exposed op: | ||
| ```javascript | ||
| Deno.core.ops.op_panic = (msg) => { throw new Error(msg) }; | ||
| ``` | ||
| ```toml | ||
| [advisory] | ||
| id = "RUSTSEC-2024-0405" | ||
| package = "rustyscript" | ||
| date = "2024-07-18" | ||
| url = "https://github.com/rscarson/rustyscript/issues/174" | ||
| categories = ["denial-of-service"] | ||
|
|
||
| [versions] | ||
| patched = [">= 0.6.1"] | ||
| unaffected = ["<= 0.3.0"] | ||
| ``` | ||
|
|
||
| # op_panic in the base runtime can force a panic in the runtime's containing thread | ||
|
|
||
| Affected versions use deno_core releases that expose `Deno.core.ops.op_panic` to the JS runtime in the base core | ||
|
|
||
| This function when called triggers a manual panic in the thread containing the runtime. | ||
|
|
||
| It can be fixed by stubbing out the exposed op: | ||
| ```javascript | ||
| Deno.core.ops.op_panic = (msg) => { throw new Error(msg) }; | ||
| ``` |