etherpad-lite

Please update socket.io

Open laserrapt0r opened this issue 2 years ago • 1 comment

Please email [email protected] with details of the security issue prior to posting here. There is a security issue with socket.io 2.4.1 that allows denial-of-service attacks. The issue is fixed in version 2.5, so please update to this version.

https://github.com/socketio/socket.io/releases/tag/2.5.0
https://github.com/advisories/GHSA-j4f2-536g-r55m

laserrapt0r, Aug 12 '22 10:08

Thanks for sharing this with us. FTR: as far as I understand, we already have the workaround in place (low max HTTP buffer size value). Not sure if this is still true, but in the past we couldn't easily split messages, so e.g. if the instance supports images, this value needs to be increased again. The workaround in socket.io was not really a fix of the underlying problem, but is more like a workaround.

However, as this is an update in the 2.x branch, we can bump the version.

webzwo0i, Aug 12 '22 17:08
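The two things an operator reading this thread would want to check are whether their own lockfile still pins a socket.io release older than the 2.5.0 named above, and what the interim mitigation from the reply looks like in a server configuration. The following Node script is an added example, not code from etherpad-lite or socket.io: the `package-lock.json` fragment is constructed for the example, the `< 2.5.0` boundary is taken from the issue text, and the `maxHttpBufferSize` values are illustrative assumptions (the option name is the socket.io server option I take the reply's "max http buffer size" to mean).

```javascript
// Added example (not etherpad-lite or socket.io code).
// 1. Find the socket.io version pinned in a package-lock.json and compare it
//    against the 2.5.0 release the issue says contains the fix.
// 2. Show the interim mitigation from the reply: a low maxHttpBufferSize.

// Compare two dotted numeric versions, e.g. "2.4.1" vs "2.5.0" -> -1.
// A pre-release suffix ("2.5.0-rc1") is ignored, which is adequate for the
// release versions this check is concerned with.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Boundary from the issue text: "The issue is fixed in version 2.5".
const FIXED_VERSION = '2.5.0';

function needsUpdate(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Locate socket.io's pinned version in a parsed package-lock.json.
// lockfileVersion 1 records it under "dependencies", 2 and 3 under "packages".
function lockedSocketIoVersion(lock) {
  const v1 = lock.dependencies && lock.dependencies['socket.io'];
  if (v1 && v1.version) return v1.version;
  const v2 = lock.packages && lock.packages['node_modules/socket.io'];
  if (v2 && v2.version) return v2.version;
  return null;
}

function auditLock(lock) {
  const version = lockedSocketIoVersion(lock);
  if (version === null) return { version: null, needsUpdate: false };
  return { version, needsUpdate: needsUpdate(version) };
}

// Constructed lockfile fragment for this example; not etherpad-lite's lockfile.
const SAMPLE_LOCK = JSON.parse(`{
  "name": "example-app",
  "lockfileVersion": 2,
  "packages": {
    "node_modules/socket.io": { "version": "2.4.1" }
  }
}`);

// Interim mitigation described in the reply: keep maxHttpBufferSize low and
// raise it only as far as the largest message the instance must accept
// (e.g. images). Both sizes are assumptions chosen for illustration.
function serverOptions({ acceptsImages }) {
  return {
    maxHttpBufferSize: acceptsImages ? 5 * 1024 * 1024 : 256 * 1024,
  };
}

const result = auditLock(SAMPLE_LOCK);
console.log(
  `socket.io ${result.version}: ` +
    (result.needsUpdate ? `update to ${FIXED_VERSION}` : 'at or above fixed version')
);
console.log('interim server options:', serverOptions({ acceptsImages: false }));
```

Run it with `node` against your own lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))`. The version check is the durable fix; the buffer-size option only bounds how much a single client can make the server buffer and, as the reply notes, has to grow with the largest legitimate message.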

Duplicate, so closing.

JohnMcLear, Jun 21 '23 10:06