
NodeBB - Vulnerability

NodeBB
  • When updating NodeBB, you quite often stumble over lines like these.

    found 7 vulnerabilities (2 moderate, 5 high) in 3687 scanned packages
      run `npm audit fix` to fix 6 of them.
      1 vulnerability requires manual review. See the full report for details.
    

    An npm audit then spits out something like this, for example.

    ~/nodebb$ npm audit
                                                                                    
                           === npm audit security report ===                        
                                                                                    
    # Run  npm install helmet@3.21.2  to resolve 1 vulnerability
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │ Configuration Override                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ helmet-csp                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ helmet                                                       │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ helmet > helmet-csp                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1176                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    # Run  npm update handlebars --depth 3  to resolve 5 vulnerabilities
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ handlebars                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ nyc [dev]                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ nyc > istanbul-reports > handlebars                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1164                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ Moderate      │ Denial of Service                                            │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ handlebars                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ nyc [dev]                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ nyc > istanbul-reports > handlebars                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1300                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Arbitrary Code Execution                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ handlebars                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ nyc [dev]                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ nyc > istanbul-reports > handlebars                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1316                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Arbitrary Code Execution                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ handlebars                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ nyc [dev]                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ nyc > istanbul-reports > handlebars                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1324                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Prototype Pollution                                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ handlebars                                                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ nyc [dev]                                                    │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ nyc > istanbul-reports > handlebars                          │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1325                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    
    
    ┌──────────────────────────────────────────────────────────────────────────────┐
    │                                Manual Review                                 │
    │            Some vulnerabilities require your attention to resolve            │
    │                                                                              │
    │         Visit https://go.npm.me/audit-guide for additional guidance          │
    └──────────────────────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Denial of Service                                            │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ mongodb                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=3.1.13                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ socket.io-adapter-mongo                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ socket.io-adapter-mongo > mubsub > mongodb                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1203                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    found 7 vulnerabilities (2 moderate, 5 high) in 3687 scanned packages
      run `npm audit fix` to fix 6 of them.
      1 vulnerability requires manual review. See the full report for details.
    

    OK, there are a few packages that have a security problem. That can be solved with npm audit fix. Or so I thought!?!?

    ~/nodebb$ npm audit fix
    
    > husky@3.0.9 preuninstall /home/user_nodebb/nodebb/node_modules/husky
    > node husky uninstall
    
    husky > Uninstalling git hooks
    husky > Done
    npm WARN nodebb-plugin-emoji-android@2.0.0 requires a peer of nodebb-plugin-emoji@^2.0.0 but none is installed. You must install peer dependencies yourself.
    npm WARN textcomplete.contenteditable@0.1.1 requires a peer of textcomplete@^0.14.2 but none is installed. You must install peer dependencies yourself.
    
    npm ERR! code EEXIST
    npm ERR! path /home/user_nodebb/nodebb/node_modules/.bin/handlebars
    npm ERR! Refusing to delete /home/user_nodebb/nodebb/node_modules/.bin/handlebars: is outside /home/user_nodebb/nodebb/node_modules/handlebars and not a link
    npm ERR! File exists: /home/user_nodebb/nodebb/node_modules/.bin/handlebars
    npm ERR! Remove the existing file and try again, or run npm
    npm ERR! with --force to overwrite files recklessly.
    
    npm ERR! A complete log of this run can be found in:
    npm ERR!     /home/user_nodebb/.npm/_logs/2019-12-22T08_15_40_111Z-debug.log
    

    The logs almost always tell you what to do, though 🙂

     npm ERR! Remove the existing file and try again, or run npm
    

    OK, we can handle that

    mv /home/user/nodebb/node_modules/.bin/handlebars /home/user
    

    Stashed it somewhere else just to be safe 😉 And fix again.

    ~/nodebb$ npm audit fix
    
    > husky@3.0.9 preuninstall /home/user_nodebb/nodebb/node_modules/husky
    > node husky uninstall
    
    husky > Uninstalling git hooks
    husky > Done
    
    > husky@3.1.0 install /home/user_nodebb/nodebb/node_modules/husky
    > node husky install
    
    husky > Setting up git hooks
    husky > Done
    
    > husky@3.1.0 postinstall /home/user_nodebb/nodebb/node_modules/husky
    > opencollective-postinstall || exit 0
    
    Thank you for using husky!
    If you rely on this package, please consider supporting our open collective:
    > https://opencollective.com/husky/donate
    
    npm WARN nodebb-plugin-emoji-android@2.0.0 requires a peer of nodebb-plugin-emoji@^2.0.0 but none is installed. You must install peer dependencies yourself.
    npm WARN textcomplete.contenteditable@0.1.1 requires a peer of textcomplete@^0.14.2 but none is installed. You must install peer dependencies yourself.
    
    + helmet@3.21.2
    added 4 packages from 3 contributors, removed 1 package, updated 10 packages and moved 1 package in 8.094s
    
    6 packages are looking for funding
      run `npm fund` for details
    
    fixed 6 of 7 vulnerabilities in 3687 scanned packages
      1 vulnerability required manual review and could not be updated
    

    OK, one is left over.

    ~/nodebb$ npm audit
                                                                                    
                           === npm audit security report ===                        
                                                                                    
    ┌──────────────────────────────────────────────────────────────────────────────┐
    │                                Manual Review                                 │
    │            Some vulnerabilities require your attention to resolve            │
    │                                                                              │
    │         Visit https://go.npm.me/audit-guide for additional guidance          │
    └──────────────────────────────────────────────────────────────────────────────┘
    ┌───────────────┬──────────────────────────────────────────────────────────────┐
    │ High          │ Denial of Service                                            │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Package       │ mongodb                                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Patched in    │ >=3.1.13                                                     │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Dependency of │ socket.io-adapter-mongo                                      │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ Path          │ socket.io-adapter-mongo > mubsub > mongodb                   │
    ├───────────────┼──────────────────────────────────────────────────────────────┤
    │ More info     │ https://npmjs.com/advisories/1203                            │
    └───────────────┴──────────────────────────────────────────────────────────────┘
    found 1 high severity vulnerability in 3687 scanned packages
      1 vulnerability requires manual review. See the full report for details.
    

    Since I don't use this database, I'll leave that one as it is.
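    The post above ends with six advisories auto-fixed and one left for manual review, and the only way to tell which of the seven actually matters is to read the "Dependency of" and "[dev]" markers in the table by hand. The script below is an added example (not code from the post, from NodeBB or from npm) that does that triage on the machine-readable `npm audit --json` report: it ranks advisories so that ones reachable from a production dependency that `npm audit fix` cannot resolve come out on top, and it separates dev-only findings (handlebars under nyc) from production ones (mongodb under socket.io-adapter-mongo). The field names follow the npm 6 report schema as I know it (npm 7+ changed it), and the embedded report is constructed from the entries in the post with placeholder version strings, so treat both as assumptions.

```javascript
'use strict';
// Added example, not NodeBB or npm code: triage an `npm audit --json` report so that
// advisories reachable from production dependencies that `npm audit fix` cannot resolve
// come out on top. Field names (advisories[id].findings[].paths/dev, actions[].action,
// actions[].resolves, target, depth) follow the npm 6 report schema as I know it; npm 7+
// changed the schema, so treat the field names as an assumption to check against your npm.

const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report (trimmed) mirroring the entries in the post above. Version
// strings are placeholders, except helmet@3.21.2 which npm printed in the post.
const SAMPLE_REPORT = {
  actions: [
    { action: 'install', module: 'helmet', target: '3.21.2',
      resolves: [{ id: 1176, path: 'helmet>helmet-csp', dev: false }] },
    { action: 'update', module: 'handlebars', target: '4.5.3', depth: 3,
      resolves: [{ id: 1164, path: 'nyc>istanbul-reports>handlebars', dev: true },
                 { id: 1316, path: 'nyc>istanbul-reports>handlebars', dev: true }] },
    { action: 'review', module: 'mongodb',
      resolves: [{ id: 1203, path: 'socket.io-adapter-mongo>mubsub>mongodb', dev: false }] },
  ],
  advisories: {
    1176: { id: 1176, module_name: 'helmet-csp', severity: 'moderate', title: 'Configuration Override',
      url: 'https://npmjs.com/advisories/1176',
      findings: [{ version: '2.9.0', paths: ['helmet>helmet-csp'], dev: false }] },
    1164: { id: 1164, module_name: 'handlebars', severity: 'high', title: 'Prototype Pollution',
      url: 'https://npmjs.com/advisories/1164',
      findings: [{ version: '4.1.2', paths: ['nyc>istanbul-reports>handlebars'], dev: true }] },
    1316: { id: 1316, module_name: 'handlebars', severity: 'high', title: 'Arbitrary Code Execution',
      url: 'https://npmjs.com/advisories/1316',
      findings: [{ version: '4.1.2', paths: ['nyc>istanbul-reports>handlebars'], dev: true }] },
    1203: { id: 1203, module_name: 'mongodb', severity: 'high', title: 'Denial of Service',
      patched_versions: '>=3.1.13', url: 'https://npmjs.com/advisories/1203',
      findings: [{ version: '3.1.0', paths: ['socket.io-adapter-mongo>mubsub>mongodb'], dev: false }] },
  },
};

// Map advisory id -> the npm action that resolves it. `install`/`update` are what
// `npm audit fix` applies on its own; `review` is the manual case.
function actionsByAdvisory(report) {
  const byId = new Map();
  for (const act of report.actions || []) {
    for (const r of act.resolves || []) {
      const prev = byId.get(r.id);
      // If an advisory shows up under both an automatic action and `review`, keep the automatic one.
      if (!prev || (prev.action === 'review' && act.action !== 'review')) {
        byId.set(r.id, { action: act.action, mod: act.module, target: act.target, depth: act.depth });
      }
    }
  }
  return byId;
}

// One row per advisory, sorted: production-reachable first, then not auto-fixable,
// then by severity, then by id for a stable order.
function triage(report) {
  const fixes = actionsByAdvisory(report);
  const rows = Object.values(report.advisories || {}).map((adv) => {
    const findings = adv.findings || [];
    const fix = fixes.get(adv.id) || { action: 'review', mod: adv.module_name };
    const rank = SEVERITY_RANK[adv.severity];
    return {
      id: adv.id, module: adv.module_name, severity: adv.severity, title: adv.title, url: adv.url,
      rank: rank === undefined ? -1 : rank,
      // Reachable from a production dependency if any finding is not dev-only.
      productionReachable: findings.some((f) => f.dev === false),
      autoFixable: fix.action === 'install' || fix.action === 'update',
      fix,
      paths: findings.flatMap((f) => f.paths || []),
    };
  });
  rows.sort((a, b) =>
    Number(b.productionReachable) - Number(a.productionReachable) ||
    Number(a.autoFixable) - Number(b.autoFixable) ||
    b.rank - a.rank ||
    a.id - b.id);
  return rows;
}

// Render the command npm proposes (as in the "# Run ..." lines of the report), or flag manual work.
function fixCommand(row) {
  const { action, mod, target, depth } = row.fix;
  if (action === 'install') return `npm install ${mod}@${target}`;
  if (action === 'update') return `npm update ${mod}${depth ? ` --depth ${depth}` : ''}`;
  return 'manual review';
}

function formatRow(row) {
  const scope = row.productionReachable ? 'PROD' : 'dev ';
  return `[${scope}] ${row.severity.padEnd(8)} #${row.id} ${row.module}: ${row.title}` +
    ` -> ${fixCommand(row)} (${row.paths.join(', ')})`;
}

// Advisories that should block a deploy: at or above `minSeverity` AND reachable from a
// production dependency. Dev-only findings are listed but never block.
function blockingAdvisories(rows, minSeverity = 'high') {
  const min = SEVERITY_RANK[minSeverity];
  return rows.filter((r) => r.productionReachable && r.rank >= min);
}

const rows = triage(SAMPLE_REPORT);
for (const r of rows) console.log(formatRow(r));
const blocking = blockingAdvisories(rows, 'high');
console.log(blocking.length
  ? `BLOCK: ${blocking.length} production-reachable advisory(ies) at high or above`
  : 'OK: nothing at high or above is reachable from production dependencies');
```

    On the sample report the first line printed is the mongodb advisory (production path, manual review), then helmet-csp (production path, but `npm install helmet@3.21.2` fixes it), and only then the two handlebars entries under nyc. To run it against a real forum, replace `SAMPLE_REPORT` with the parsed output of `npm audit --json` (for example `JSON.parse(fs.readFileSync(0, 'utf8'))` with the report piped on stdin) and check the schema against your npm version first. Whether a "[dev]" finding is really harmless depends on whether that dev tooling ever runs on a box that matters, which the report cannot tell you.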

  • NodeBB - v3.7.0

    NodeBB
    0 votes, 1 post, 47 views, nobody has replied
  • NodeBB - 2.8.13 & 3.1.3 Security Release

    NodeBB
    0 votes, 1 post, 46 views, nobody has replied
  • NodeBB - v3.0.0-rc.2

    NodeBB
    0 votes, 1 post, 42 views, nobody has replied
  • NodeBB - v2.6.1 Security Update

    NodeBB
    0 votes, 1 post, 53 views, nobody has replied
  • NodeBB - Update to v1.18.4

    NodeBB
    0 votes, 1 post, 162 views, nobody has replied
  • NodeBB - v1.17.0

    NodeBB
    0 votes, 1 post, 151 views, nobody has replied
  • NodeBB - Update to 1.13.1

    NodeBB
    0 votes, 2 posts, 238 views
    FrankMF

    Short addendum: I updated this forum here this morning. As expected, it now just goes through. Except for one plugin that is not compatible with version 1.13.x, but that is a different matter. For interested readers, I'm attaching the log.

    ~/nodebb$ ./nodebb upgrade
    Updating NodeBB...
    1. Updating package.json file with defaults...  OK
    2. Bringing base dependencies up to date...  started
    
    > sharp@0.23.4 install /home/user_nodebb/nodebb/node_modules/sharp
    > (node install/libvips && node install/dll-copy && prebuild-install) || (node-gyp rebuild && node install/dll-copy)
    
    info sharp Downloading https://github.com/lovell/sharp-libvips/releases/download/v8.8.1/libvips-8.8.1-linux-x64.tar.gz
    internal/modules/cjs/loader.js:638
        throw err;
        ^
    
    Error: Cannot find module './index'
        at Function.Module._resolveFilename (internal/modules/cjs/loader.js:636:15)
        at Function.Module._load (internal/modules/cjs/loader.js:562:25)
        at Module.require (internal/modules/cjs/loader.js:692:17)
        at require (internal/modules/cjs/helpers.js:25:18)
        at Object.<anonymous> (/home/user_nodebb/nodebb/node_modules/.bin/rc:2:10)
        at Module._compile (internal/modules/cjs/loader.js:778:30)
        at Object.Module._extensions..js (internal/modules/cjs/loader.js:789:10)
        at Module.load (internal/modules/cjs/loader.js:653:32)
        at tryModuleLoad (internal/modules/cjs/loader.js:593:12)
        at Function.Module._load (internal/modules/cjs/loader.js:585:3)
    make: Entering directory '/home/user_nodebb/nodebb/node_modules/sharp/build'
      TOUCH Release/obj.target/libvips-cpp.stamp
      CXX(target) Release/obj.target/sharp/src/common.o
      CXX(target) Release/obj.target/sharp/src/metadata.o
      CXX(target) Release/obj.target/sharp/src/stats.o
      CXX(target) Release/obj.target/sharp/src/operations.o
      CXX(target) Release/obj.target/sharp/src/pipeline.o
      CXX(target) Release/obj.target/sharp/src/sharp.o
      CXX(target) Release/obj.target/sharp/src/utilities.o
      SOLINK_MODULE(target) Release/obj.target/sharp.node
      COPY Release/sharp.node
    make: Leaving directory '/home/user_nodebb/nodebb/node_modules/sharp/build'
    npm WARN nodebb-plugin-emoji-android@2.0.0 requires a peer of nodebb-plugin-emoji@^2.0.0 but none is installed. You must install peer dependencies yourself.
    npm WARN textcomplete.contenteditable@0.1.1 requires a peer of textcomplete@^0.14.2 but none is installed. You must install peer dependencies yourself.
    
    added 2 packages from 1 contributor, updated 13 packages and audited 3687 packages in 35.671s
    
    4 packages are looking for funding
      run `npm fund` for details
    
    3. Checking installed plugins for updates...  OK
    
    A total of 1 package(s) can be upgraded:
      * nodebb-plugin-2factor (2.6.4 -> 2.6.5)
    
    Proceed with upgrade (y|n)? n
    
    Package upgrades skipped. Check for upgrades at any time by running "./nodebb upgrade -p".
    
    4. Updating NodeBB data store schema...
    Parsing upgrade scripts...
    2019-12-22T07:52:31.428Z [4567/11002] - warn: [upgrade/appendPluginScripts] Unable to read plugin.json for plugin `nodebb-plugin-align-center`. Skipping.
    2019-12-22T07:52:31.429Z [4567/11002] - warn: [upgrade/appendPluginScripts] Unable to read plugin.json for plugin `nodebb-plugin-blog-comments`. Skipping.
    2019-12-22T07:52:31.429Z [4567/11002] - warn: [upgrade/appendPluginScripts] Unable to read plugin.json for plugin `nodebb-plugin-blog-comments2`. Skipping.
    2019-12-22T07:52:31.430Z [4567/11002] - warn: [upgrade/appendPluginScripts] Unable to read plugin.json for plugin `nodebb-plugin-contact-page`. Skipping.
    2019-12-22T07:52:31.430Z [4567/11002] - warn: [upgrade/appendPluginScripts] Unable to read plugin.json for plugin `nodebb-plugin-emoji-fontawesome`. Skipping.
    OK | 0 script(s) found, 84 skipped
    Schema update complete!
    
    5. Rebuilding assets...  started
    2019-12-22T07:52:31.489Z [4567/11002] - info: [build] Building in parallel mode
    2019-12-22T07:52:31.491Z [4567/11002] - info: [build] plugin static dirs build started
    2019-12-22T07:52:31.500Z [4567/11002] - info: [build] requirejs modules build started
    2019-12-22T07:52:31.501Z [4567/11002] - info: [build] client js bundle build started
    2019-12-22T07:52:31.503Z [4567/11002] - info: [build] admin js bundle build started
    2019-12-22T07:52:31.503Z [4567/11002] - info: [build] client side styles build started
    2019-12-22T07:52:31.504Z [4567/11002] - info: [build] admin control panel styles build started
    2019-12-22T07:52:31.504Z [4567/11002] - info: [build] templates build started
    2019-12-22T07:52:31.505Z [4567/11002] - info: [build] languages build started
    2019-12-22T07:52:31.505Z [4567/11002] - info: [build] sounds build started
    2019-12-22T07:52:32.493Z [4567/11002] - info: [build] sounds build completed in 0.988sec
    2019-12-22T07:52:41.512Z [4567/11002] - info: [build] client side styles build completed in 10.009sec
    2019-12-22T07:52:41.939Z [4567/11002] - info: [build] admin control panel styles build completed in 10.435sec
    2019-12-22T07:52:51.628Z [4567/11002] - info: [build] plugin static dirs build completed in 20.136sec
    2019-12-22T07:52:52.192Z [4567/11002] - info: [build] client js bundle build completed in 20.691sec
    2019-12-22T07:52:52.192Z [4567/11002] - info: [build] admin js bundle build completed in 20.689sec
    2019-12-22T07:52:58.054Z [4567/11002] - info: [build] languages build completed in 26.549sec
    2019-12-22T07:53:01.537Z [4567/11002] - info: [build] templates build completed in 30.033sec
    2019-12-22T07:53:02.409Z [4567/11002] - info: [build] requirejs modules build completed in 30.909sec
    2019-12-22T07:53:02.412Z [4567/11002] - info: [build] Asset compilation successful. Completed in 30.921sec.
    
    NodeBB Upgrade Complete!

    Here too you can see nicely how the package mentioned above gets downloaded and built!

  • NodeBB - Upgrade to v1.9.0

    NodeBB
    0 votes, 2 posts, 794 views
    FrankMF

    A step is missing up there.

    cd nodebb (or path to where nodebb is installed)
    ./nodebb stop
    git fetch
    git checkout v1.12.x
    git merge origin/v1.12.x
    ./nodebb upgrade

    To be tested at the next upgrade.