
Backport CVE-2024-43368 to trix v1 and update advisory #1184

Open
tagliala opened this issue Sep 4, 2024 · 2 comments

Comments


tagliala commented Sep 4, 2024

Hello,

Is there by any chance the possibility to backport the fix for CVE-2024-43368 to v1 and release a new version?

Follow up:


ha4gu commented Dec 10, 2024

trix 1.3.3 and 1.3.4 have been released, and 1.3.3 seems to have backported the fix for CVE-2024-43368.
Thanks for the update.

@tagliala tagliala reopened this Dec 10, 2024

tagliala commented Dec 10, 2024

Thanks for the heads-up.

It appears that GHSA-qm2q-9f3q-2vcv needs an update to consider trix >= 1.3.3 safe, just like what happened with the previous CVE reported:

$ yarn list --pattern trix
yarn list v1.22.22
└─ trix@1.3.4

$ yarn audit
yarn audit v1.22.22
┌───────────────┬──────────────────────────────────────────────────────────────┐
│ moderate      │ Trix has a cross-site Scripting vulnerability on copy &      │
│               │ paste                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ trix                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=2.1.4                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ trix                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ trix                                                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://www.npmjs.com/advisories/1098590                     │
└───────────────┴──────────────────────────────────────────────────────────────┘

@tagliala tagliala changed the title Backport CVE-2024-43368 to trix v1 Backport CVE-2024-43368 to trix v1 and update advisory Dec 10, 2024