
Conversation

fuziontech
Member

@fuziontech fuziontech commented Apr 26, 2023

Problem

CVE affecting the VM2 version we are using
https://nvd.nist.gov/vuln/detail/CVE-2023-29017

Changes

Bump to version 3.9.17, which has mitigated the CVE.
This vulnerability was patched in the release of version 3.9.15 of vm2. There are no known workarounds.


How did you test this code?
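A check a reviewer of a bump like this would want is confirmation that no stale copy of vm2 survives in the lockfile (npm can keep an older nested copy under a plugin even after the top-level dependency is bumped). The script below is an added example, not PostHog's code or part of this pull request: it walks an npm `package-lock.json` object (v2/v3 `packages` map or v1 `dependencies` tree, both assumed from the npm lockfile format, not from this page), collects every resolved vm2 entry, and flags any whose version is below 3.9.15, the first release the description names as containing the fix. The sample lockfile embedded at the bottom is constructed for the demonstration.

```javascript
// Added example (not PostHog's code): list every copy of vm2 in an npm lockfile
// that is older than the release that fixed CVE-2023-29017.
// Assumption: lockfile is package-lock.json v2/v3 ("packages" map) or v1
// ("dependencies" tree); vm2 versions are plain x.y.z strings.

const FIXED_VM2_VERSION = "3.9.15"; // first vm2 release with the fix, per the PR description

// Parse "x.y.z" (optional leading "v") into numeric parts; any prerelease suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, zero if equal, positive if a > b (numeric, so 3.9.9 < 3.9.15).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Collect every vm2 entry as { path, version } from either lockfile layout.
function collectVm2(lock) {
  const found = [];
  if (lock.packages) {
    // v2/v3: keys are install paths such as "node_modules/foo/node_modules/vm2".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "" || !entry) continue; // "" is the root project itself
      const name = path.split("node_modules/").pop();
      if (name === "vm2" && entry.version) found.push({ path, version: entry.version });
    }
  }
  if (lock.dependencies) {
    // v1: nested "dependencies" objects mirror the node_modules tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "vm2" && entry.version) found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// The actual check: vm2 copies below the fixed version. An empty array means clean.
function findVulnerableVm2(lock, fixed = FIXED_VM2_VERSION) {
  return collectVm2(lock).filter((e) => compareVersions(e.version, fixed) < 0);
}

// Constructed sample: the hoisted vm2 is already bumped, but a plugin still
// pins an older nested copy that a top-level bump alone would not touch.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/vm2": { version: "3.9.17" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/vm2": { version: "3.9.14" },
  },
};

// Stand-alone run over the constructed sample; pass a parsed real lockfile instead
// (e.g. JSON.parse(fs.readFileSync("package-lock.json", "utf8"))) to check a project.
const stale = findVulnerableVm2(SAMPLE_LOCK);
for (const e of stale) {
  console.log(`vulnerable: ${e.path} has vm2@${e.version} (< ${FIXED_VM2_VERSION})`);
}
```

Running it against the sample reports the nested `some-plugin/node_modules/vm2@3.9.14` copy while accepting the hoisted 3.9.17; on a real checkout, a non-empty result means the bump needs a dedupe or an override before the CVE is actually gone from the dependency tree.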

@posthog-bot
Contributor

Hey @fuziontech! 👋
This pull request seems to contain no description. Please add useful context, rationale, and/or any other information that will help make sense of this change now and in the distant Mars-based future.

@fuziontech fuziontech merged commit e0711e2 into master Apr 26, 2023
@fuziontech fuziontech deleted the bump_vm2_version_3.9.17 branch April 26, 2023 21:30
fuziontech added a commit that referenced this pull request Apr 26, 2023
* master:
  fix: fix sprint planning issue template (#15271)
  fix: player skip buttons only ever showed right (#15269)
  chore: bump vm2 due to CVE (#15268)
fuziontech added a commit that referenced this pull request Apr 27, 2023
* master: (37 commits)
  fix: fix sprint planning issue template (#15271)
  fix: player skip buttons only ever showed right (#15269)
  chore: bump vm2 due to CVE (#15268)
  fix(person-query): don't query persons twice if we don't need to (#15265)
  fix(ch): stop running delete jobs while clickhouse is on an older version (#15239)
  chore(recordings): use cooperative-sticky rebalance strategy (#15260)
  fix: SESSION_RECORDING_BLOB_PROCESSING_TEAMS config handling (#15247)
  fix(flags): Some UX inconsistencies (#15255)
  fix: Recording share button (#15256)
  chore(deps): Update posthog-js to 1.54.0 (#15257)
  style(3000): Support keyboard navigation in sidebar (#15237)
  feat: Add support for opening bug report via URL (#15251)
  feat: Hedgebar (#14934)
  Fixed undefined default for window select (#15249)
  fix(data-exploration): prevent leave confirmation safeguard (#15250)
  chore: remove readonly setting defaults for hogql (#15246)
  feat(hogql): refactor macros and asterisks into "resolver" (#15175)
  feat(hogql): swap out toDateTime function (#15226)
  fix(insight-timeout-state): centralize query ID (#15240)
  Fix/forgot ingestion fixes (#15238)
  ...