Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency electron to v20.0.1 [security] #44

Merged
merged 1 commit into from
Apr 7, 2023
Merged

chore(deps): update dependency electron to v20.0.1 [security] #44

merged 1 commit into from
Apr 7, 2023

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 10, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
electron 20.0.0 -> 20.0.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-36077

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file is not available to the renderer following the redirect, but if the redirect target is a SMB URL such as file://some.website.com/, then in some cases, Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})

For more information

If you have any questions or comments about this advisory, email us at [email protected].

Credit

Thanks to user @​coolcoolnoworries for reporting this issue.

Release Notes

electron/electron

v20.0.1: electron v20.0.1

Compare Source

Release Notes for v20.0.1

Fixes

  • Do not exit when logging initialization fails. #​35190
  • Fixed WCO not responding to touch events on windows. #​35174 (Also in 18, 19)

Other Changes

  • Updated Chromium to 104.0.5112.81. #​35181

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot changed the title chore(deps): update dependency electron to v20.0.1 [security] Update dependency electron to v20.0.1 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency electron to v20.0.1 [SECURITY] chore(deps): update dependency electron to v20.0.1 [security] Dec 17, 2022
@jaywcjlove jaywcjlove merged commit c90cdb0 into main Apr 7, 2023
@jaywcjlove jaywcjlove deleted the renovate/npm-electron-vulnerability branch April 7, 2023 05:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@jaywcjlove