lovell/sharp

CVE-2016-5118 - please upgrade to v0.15.x

Closed this issue · 4 comments

http://www.openwall.com/lists/oss-security/2016/05/29/7
http://www.openwall.com/lists/oss-security/2016/05/30/1

This affects the version of *magick in the pre-built binaries made available to v0.13.x and v0.14.x on both Linux and Windows. These previous versions will be deprecated and, within 7 days, the pre-built binaries removed.

The current v0.15.x release is unaffected as the *magick dependency is no longer included (unless sharp is using an installation of libvips that was manually compiled with a *magick dependency).

npm deprecate sharp@"^0.13.0" "CVE-2016-5118 https://github.com/lovell/sharp/issues/449"
npm deprecate sharp@"^0.14.0" "CVE-2016-5118 https://github.com/lovell/sharp/issues/449"
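An added check, not part of this issue or of sharp's own code, that decides whether an installed sharp version falls inside the two deprecated caret ranges above, implementing npm's rule that ^0.13.0 means >=0.13.0 <0.14.0; the package.json sample is constructed.

```javascript
// Affected ranges, taken from the npm deprecate commands in this issue.
const AFFECTED_RANGES = ['^0.13.0', '^0.14.0'];

// Parse "MAJOR.MINOR.PATCH" (optional leading "v") into three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bound of a caret range: bump the leftmost non-zero
// component. For 0.x releases that is the minor, so ^0.13.0 -> <0.14.0.
function caretUpperBound(lower) {
  const up = [0, 0, 0];
  const first = lower.findIndex((n) => n !== 0);
  const idx = first === -1 ? 2 : first;
  up[idx] = lower[idx] + 1;
  return up;
}

function satisfiesCaret(version, range) {
  if (!range.startsWith('^')) throw new Error(`expected caret range: ${range}`);
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, caretUpperBound(lower)) < 0;
}

// True when the version is one of the deprecated, *magick-bundling releases.
function isAffected(version) {
  return AFFECTED_RANGES.some((r) => satisfiesCaret(version, r));
}

// Read the version from package.json text, e.g. node_modules/sharp/package.json.
function checkSharpPackageJson(jsonText) {
  const pkg = JSON.parse(jsonText);
  if (pkg.name !== 'sharp') throw new Error(`not a sharp package.json: ${pkg.name}`);
  return { version: pkg.version, affected: isAffected(pkg.version) };
}

// Constructed sample input, not taken from any real install.
const SAMPLE_PACKAGE_JSON = JSON.stringify({ name: 'sharp', version: '0.14.1' });
const sampleResult = checkSharpPackageJson(SAMPLE_PACKAGE_JSON);
console.log(JSON.stringify(sampleResult));
```

This only classifies the sharp version; the caveat about a libvips that was manually compiled with a *magick dependency has to be checked against that build itself.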

I'm still seeing 400-500 downloads per day (~40% of total) of vulnerable versions of the pre-built binaries.

😿

The pre-compiled binaries for libvips v8.2.2 as used by sharp v0.13.0 have now been deleted.

ERROR: https://dl.bintray.com/lovell/sharp/libvips-8.2.2-lin.tar.gz status code 404

The pre-compiled binaries for libvips v8.2.3 as used by sharp v0.14.0 have now been deleted.

ERROR: https://dl.bintray.com/lovell/sharp/libvips-8.2.3-lin.tar.gz status code 404