Accepting request 1177399 from home:ateixeira:branches:security:sensor

- Patches changes:
  * Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
    to update the follow-redirects package instead of patching directly.
  * Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572)
- Add a package-lock.json to the package

OBS-URL: https://build.opensuse.org/request/show/1177399
OBS-URL: https://build.opensuse.org/package/show/security:sensor/velociraptor?expand=0&rev=76
This commit is contained in:
Antonio Teixeira 2024-05-29 18:06:32 +00:00 committed by Git OBS Bridge
parent f4ebb447db
commit 61b53625a0
7 changed files with 20313 additions and 827 deletions

View File

@ -0,0 +1,24 @@
From 76e999d0976ad6559574c92b79fe7432596d2d6c Mon Sep 17 00:00:00 2001
From: snyk-bot <snyk-bot@snyk.io>
Date: Sat, 27 Apr 2024 00:20:54 +0000
Subject: [PATCH] fix: gui/velociraptor/package.json to reduce vulnerabilities
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-SEMVER-3247795
---
gui/velociraptor/package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Index: b/gui/velociraptor/package.json
===================================================================
--- a/gui/velociraptor/package.json
+++ b/gui/velociraptor/package.json
@@ -31,7 +31,7 @@
"lodash": "^4.17.21",
"moment": "^2.29.4",
"moment-timezone": "0.5.43",
- "npm-watch": "^0.11.0",
+ "npm-watch": "^0.12.0",
"prop-types": "^15.8.1",
"qs": "^6.11.2",
"query-string": "^6.14.1",

View File

@ -1,23 +1,30 @@
From c4f847f85176991f95ab9c88af63b1294de8649b Mon Sep 17 00:00:00 2001
From: Ruben Verborgh <ruben@verborgh.org>
Date: Thu, 14 Mar 2024 17:36:10 +0100
Subject: [PATCH] Drop Proxy-Authorization across hosts.
---
index.js | 2 +-
1 files changed, 1 insertions(+), 1 deletion(-)
diff --git a/gui/velociraptor/node_modules/follow-redirects/index.js b/gui/velociraptor/node_modules/follow-redirects/index.js
index f58b933..c649cab 100644
--- a/gui/velociraptor/node_modules/follow-redirects/index.js
+++ b/gui/velociraptor/node_modules/follow-redirects/index.js
@@ -430,7 +430,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
redirectUrlParts.protocol !== "https:" ||
redirectUrlParts.host !== currentHost &&
!isSubdomain(redirectUrlParts.host, currentHost)) {
- removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
diff --git a/gui/velociraptor/package-lock.json b/gui/velociraptor/package-lock.json
index e6c46c00..2a6c8114 100644
--- a/gui/velociraptor/package-lock.json
+++ b/gui/velociraptor/package-lock.json
@@ -4750,9 +4750,9 @@
}
// Evaluate the beforeRedirect callback
},
"node_modules/follow-redirects": {
- "version": "1.15.2",
- "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz",
- "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==",
+ "version": "1.15.6",
+ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
+ "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA==",
"funding": [
{
"type": "individual",
@@ -14720,9 +14720,9 @@
}
},
"follow-redirects": {
- "version": "1.15.2",
- "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.2.tgz",
- "integrity": "sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA=="
+ "version": "1.15.6",
+ "resolved": "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.6.tgz",
+ "integrity": "sha512-wWN62YITEaOpSK584EZXJafH1AGpO8RVgElfkuXbTOrPX4fIfOyEpW/CsiNd8JdYrAoOvafRTOEnvsO++qCqFA=="
},
"for-each": {
"version": "0.3.3",

19449
package-lock.json generated Normal file

File diff suppressed because it is too large Load Diff

BIN
velociraptor-node_modules.obscpio (Stored with Git LFS)

Binary file not shown.

File diff suppressed because it is too large Load Diff

View File

@ -1,3 +1,12 @@
-------------------------------------------------------------------
Tue May 28 16:45:51 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>
- Patches changes:
* Change CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
to update the follow-redirects package instead of patching directly.
* Added CVE-2022-25883-npm-watch-semver-deps.patch (bsc#1212572)
- Add a package-lock.json to the package
-------------------------------------------------------------------
Sat Apr 27 16:11:14 UTC 2024 - Antonio Teixeira <antonio.teixeira@suse.com>

View File

@ -93,14 +93,17 @@ Source8: sysconfig.velociraptor-client
Source9: %{projname}.obsinfo
Source10: system-user-velociraptor.sysusers
Source11: velociraptor-nodejs.spec.inc
Source12: package-lock.json
%include %{_sourcedir}/velociraptor-nodejs.spec.inc
Patch1: vendor-build-fixes-for-SLE12.patch
Patch2: sdjournal-build-fix-for-SLE12.patch
Patch3: velociraptor-reproducible-timestamp.diff
# CVE-2024-28849 - bsc#1221456 - follow-redirects: Drop Proxy-Athorization across hosts
# PATCH-FIX-UPSTREAM CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch bsc#1221456 -- follow-redirects: Drop Proxy-Athorization across hosts
Patch4: CVE-2024-28849-follow-redirects-drop-proxy-authorization.patch
# PATCH-FIX-UPSTREAM CVE-2022-25883-npm-watch-semver-deps.patch bsc#1212572 -- upgrade npm-watch
Patch5: CVE-2022-25883-npm-watch-semver-deps.patch
BuildRequires: fileb0x
%if 0%{?suse_version}
BuildRequires: systemd-rpm-macros
@ -243,6 +246,8 @@ console, please install the 'velociraptor' package.
%patch -P 1 -p1
%patch -P 2 -p1
%patch -P 3 -p1
%patch -P 4 -p1
%patch -P 5 -p1
# Set the version to something more specific than <next-tag>-dev
sed -ie "s/\([[:space:]]VERSION *= \).*/\1 \"%{VERSION}\"/" constants/constants.go
@ -263,13 +268,11 @@ cp vmlinux.h-%{vmlinux_h_version}/vmlinux-${arch}.h \
# Note: There are dependencies on these that need to be resolved before
# removing them outright.
# rm -rf artifacts/definitions/Windows
%if %{build_server}
pushd gui/velociraptor
rm -f package-lock.json
local-npm-registry %{_sourcedir} install
local-npm-registry %{_sourcedir} install --include=dev --legacy-peer-deps
popd
%patch -P 4 -p1
%endif
%build