#git

### Impact A major blind SSRF has been found in `remark-images-download`, which allowed for requests to be made to neighboring servers on local IP ranges. The issue came from a loose filtering of URLs inside the module. Imagine a server running on a private network `192.168.1.0/24`. A private service serving images is running on `192.168.1.2`, and is not expected to be accessed by users. A machine is running `remark-images-download` on the neighboring `192.168.1.3` host. An user enters the following Markdown: ```markdown  ``` The image is downloaded by the server and included inside the resulting document. Hence, the user has access to the private image. It has been corrected by preventing images downloads from local IP ranges, both in IPv4 and IPv6. To avoid malicious domain names, resolved local IPs from are also forbidden inside the module. This vulnerability impact is moderate, as it is can allow access to unexposed documents on the local...

### Impact A minor Local File Inclusion vulnerability has been found in `zmarkdown`, which allowed for images with a known path on the host machine to be included inside a LaTeX document. To prevent it, a new option has been created that allow to replace invalid paths with a default image instead of linking the image on the host directly. `zmarkdown` has been updated to make this setting the default. Every user of `zmarkdown` is likely impacted, except if disabling LaTeX generation or images download. Here is an example of including an image from an invalid path: ```markdown  ``` Will effectively redownload and include the image found at `/tmp/img.png`. ### Patches The vulnerability has been patched in version 10.1.3. If impacted, you should update to this version as soon as possible. ### Workarounds Disable images downloading, or sanitize paths. ### For more information If you have any questions or comments about this advisory, open an issue in [ZMarkdown](...

### Impact The faulty nodes will reject transactions which calls `load_cell_data` syscall but the input cell is still in the mempool. They also ban other nodes and cause the network separation. ### Patches 0.35.2, 0.36.1, 0.37.1, 0.38.2

### Impact There's a bug in the pool statistics that when conflicting transactions are removed from the pool, they are not subtracted from the statics. Finally, the transaction pool keeps full and reject all transactions. ### Patches 0.39.2 ### Workarounds Restart the CKB node.

### Impact This GitHub Action use `set-env` runner commands which are processed via stdout related to GHSA-mfwh-5m23-j46w ### Patches The following versions use the recommended [Environment File Syntax](https://github.com/actions/toolkit/blob/main/docs/commands.md#environment-files). - 2.1.1 - 1.1.1 ### Workarounds None, it is strongly suggested that you upgrade as soon as possible. ### For more information If you have any questions or comments about this advisory: * Open an issue in [rlespinasse/github-slug-action](https://github.com/rlespinasse/github-slug-action)

### Impact Tx-pool verify transaction which inputs' script contains `load_cell_data_hash` is nondeterministic ### Workarounds Enforce tx-pool ResolvedTrascation inputs' load data is none.

### Impact Adversary can create message which compressed size is less than the package limit but the decompressed length is very large such as 1G. It will cost the node many memories to process the network messages, and on the system with less than 1G memory, the process is killed directly because of out of memory error. ### Patches The node must check the decompress length before allocating the memory for the message. ### References * https://github.com/nervosnetwork/ckb/blob/687d797f1888dd05d1f38ce6d1bef3e5b9b6e38b/network/src/compress.rs#L68 * https://github.com/BurntSushi/rust-snappy/blob/master/src/decompress.rs#L106 * https://github.com/BurntSushi/rust-snappy/blob/6cfb836463b9b3ac48ca7cd15d0a50d030e95769/src/decompress.rs#L30

### Impact CKB process will panic when received malformed p2p message because of snappy, which is used to compress network messages ### References https://github.com/BurntSushi/rust-snappy/issues/29

### Vulnerability type Logging ### Detail etcd users who have no password can authenticate only through a client certificate. When such users try to authenticate into etcd using the Authenticate endpoint, errors are logged with insufficient information regarding why the authentication failed, and may be misleading when auditing etcd logs. ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)

### Impact Data Validation ### Detail The parseCompactionRetention function in embed/etcd.go allows the retention variable value to be negative and causes the node to execute the history compaction in a loop, taking more CPU than usual and spamming logs. ### References Find out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf) ### For more information If you have any questions or comments about this advisory: * Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)