11 Commits

Author SHA1 Message Date
Maximilian Bosch
aa4c5bb7cf hedgedoc: fix build by re-running yarn2nix
Failing Hydra build: https://hydra.nixos.org/build/154209534
2021-09-26 21:05:28 +02:00
Maximilian Bosch
e187f77ceb
hedgedoc: fix eval with allowAliases = false
2021-09-19 00:23:28 +02:00
Maximilian Bosch
0a10c17c8d
hedgedoc: 1.8.2 -> 1.9.0, fixes CVE-2021-39175
ChangeLog: https://github.com/hedgedoc/hedgedoc/releases/tag/1.9.0

As documented in the Nix expression, I unfortunately had to patch
`yarn.lock` manually (the `yarn.nix` result isn't affected by this). By
adding a `git+https`-prefix to
`midi "https://github.com/paulrosen/MIDI.js.git#abcjs"` in the lock-file
I ensured that `yarn` actually uses the `MIDI.js` from the offline-cache
from `yarn2nix` rather than trying to download a tarball from GitHub.

Also, this release contains a fix for CVE-2021-39175 which doesn't seem
to be backported to 1.8. To quote NVD[1]:

> In versions prior to 1.9.0, an unauthenticated attacker can inject
> arbitrary JavaScript into the speaker-notes of the slide-mode feature
> by embedding an iframe hosting the malicious code into the slides or by
> embedding the HedgeDoc instance into another page.

Even though it "only" has a medium rating by NVD (6.1), this seems
rather problematic to me (also, GitHub rates this as "High"), so it's
actually a candidate for a backport.

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-39175
2021-09-19 00:18:18 +02:00
Robert Hensing
a201246bac treewide: runCommandNoCC -> runCommand in generated code
This has been synonymous for ~5y.

Note that many of these runCommand bindings are unused, but that's
ok for generated code.
2021-08-15 17:36:41 +02:00
Felix Buehler
a56d117bdb servers: replace name with pname&version
2021-07-26 20:15:46 +02:00
WilliButz
0432a81670
hedgedoc: 1.8.0 -> 1.8.2
includes fixes for:
* CVE-2021-29503: Improper Neutralization of Script-Related HTML Tags in Notes
* a potential XSS-vector in the handling of usernames and profile pictures

https://github.com/hedgedoc/hedgedoc/releases/tag/1.8.2
2021-05-11 23:59:13 +02:00
WilliButz
0a27a76b27
hedgedoc: 1.7.2 -> 1.8.0
https://github.com/hedgedoc/hedgedoc/releases/tag/1.8.0

includes fixes for CVE-2021-21306 and CVE-2021-29474
2021-05-04 09:58:17 +02:00
WilliButz
a646165d0c
hedgedoc: 1.7.1 -> 1.7.2, fixes CVE-2021-21259
https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.2

CVE-2021-21259:
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-44w9-vm8p-3cxw
2021-01-16 00:44:29 +01:00
Profpatsch
4a7f99d55d treewide: with stdenv.lib; in meta -> with lib;
Part of: https://github.com/NixOS/nixpkgs/issues/108938

meta = with stdenv.lib;

is a widely used pattern. We want to slowly remove
the `stdenv.lib` indirection and encourage people
to use `lib` directly. Thus let’s start with the meta
field.

This used a rewriting script to mostly automatically
replace all occurrences of this pattern, and add the
`lib` argument to the package header if it doesn’t
exist yet.

The script in its current form is available at
https://cs.tvl.fyi/depot@2f807d7f141068d2d60676a89213eaa5353ca6e0/-/blob/users/Profpatsch/nixpkgs-rewriter/default.nix
2021-01-11 10:38:22 +01:00
WilliButz
484d851cb9
hedgedoc: 1.7.0 -> 1.7.1 (fixes CVE-2020-26286 and CVE-2020-26287)
https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.1
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-wcr3-xhv7-8gxc
https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-g6w6-7xf9-m95p
2020-12-27 23:06:21 +01:00
WilliButz
e19995e43b
codimd: 1.6.0 -> 1.7.0, rename to hedgedoc
CodiMD was renamed to HedgeDoc and is now built with nodejs-14_x.

https://github.com/hedgedoc/hedgedoc/releases/tag/1.7.0
2020-12-22 01:39:02 +01:00