ZeroNet icon indicating copy to clipboard operation
ZeroNet copied to clipboard
verified publisher icon HelloZeroNet

fix(sec): upgrade msgpack to 0.6.0

Open chncaption opened this issue 3 years ago • 4 comments

What happened?

There are 1 security vulnerabilities found in msgpack 0.4.4

What did I do?

Upgrade msgpack from 0.4.4 to 0.6.0 for vulnerability fix

What did you expect to happen?

Ideally, no insecure libs should be used.

The specification of the pull request

PR Specification from OSCS

chncaption avatar Dec 04 '22 08:12 chncaption

hello and thanks for the PR . this project is dead (as @shortcutme haven't been around for a long while) and development now happens in forks . as a maintainer of one of those , i'm gonna merge this change soon (waiting for any potential feedback first~~)

caryoscelus avatar Dec 04 '22 15:12 caryoscelus

The fix seems to set a limit on the message size, so you better check that ZeroNet does not send messages larger than that limit (or increase the limit if necessary)

purplesyringa avatar Dec 04 '22 16:12 purplesyringa

@imachug the version wasn't pinned so most users have already upgraded to the latest . if it causes any problems , it already does

Requirement already satisfied: msgpack>=0.6.0 in ./venv/lib/python3.9/site-packages (from -r requirements.txt (line 3)) (1.0.4)

caryoscelus avatar Dec 05 '22 09:12 caryoscelus

@caryoscelus I'm going to report you to GitHub if you keep spamming this repository with your crappy fork.

ghost avatar Dec 27 '22 11:12 ghost