
Update dependency electron to v11 [SECURITY] #182

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]

@renovate renovate bot commented Jan 31, 2021

WhiteSource Renovate

This PR contains the following updates:

Package: electron
Change: ^4.1.4 -> ^11.0.0

GitHub Vulnerability Alerts

CVE-2020-4075

Impact

The vulnerability allows arbitrary local file read by defining unsafe window options on a child window opened via window.open.

Workarounds

Ensure you are calling event.preventDefault() on all new-window events where the url or options is not something you expect.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

CVE-2020-4076

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

Non-Impacted Versions

  • 9.0.0-beta.*

For more information

If you have any questions or comments about this advisory:

CVE-2020-4077

Impact

Apps using both contextIsolation and contextBridge are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4

For more information

If you have any questions or comments about this advisory:

CVE-2020-15096

Impact

Apps using contextIsolation are affected.

This is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions.

Workarounds

There are no app-side workarounds, you must update your Electron version to be protected.

Fixed Versions

  • 9.0.0-beta.21
  • 8.2.4
  • 7.2.4
  • 6.1.11

For more information

If you have any questions or comments about this advisory:

CVE-2020-26272

Impact

IPC messages sent from the main process to a subframe in the renderer process, through webContents.sendToFrame, event.reply or when using the remote module, can in some cases be delivered to the wrong frame.

If your app does ANY of the following, then it is impacted by this issue:

  • Uses remote
  • Calls webContents.sendToFrame
  • Calls event.reply in an IPC message handler

Patches

This has been fixed in the following versions:

  • 9.4.0
  • 10.2.0
  • 11.1.0
  • 12.0.0-beta.9

Workarounds

There are no workarounds for this issue.

For more information

If you have any questions or comments about this advisory, email us at [email protected].

CVE-2021-39184

Impact

This vulnerability allows a sandboxed renderer to request a "thumbnail" image of an arbitrary file on the user's system. The thumbnail can potentially include significant parts of the original file, including textual data in many cases.

All current stable versions of Electron are affected.

Patches

This was fixed with #​30728, and the following Electron versions contain the fix:

  • 15.0.0-alpha.10
  • 14.0.0
  • 13.3.0
  • 12.1.0
  • 11.5.0

Workarounds

If your app enables contextIsolation, this vulnerability is significantly more difficult for an attacker to exploit.

Further, if your app does not depend on the createThumbnailFromPath API, then you can simply disable the functionality. In the main process, before the 'ready' event:

delete require('electron').nativeImage.createThumbnailFromPath

For more information

If you have any questions or comments about this advisory, email us at [email protected].


Release Notes

electron/electron

v11.5.0

Compare Source

Release Notes for v11.5.0

Other Changes

End of Support for 11.x.y

Electron 11.x.y has reached end-of-support as per the project's support policy. Developers and applications are encouraged to upgrade to a newer version of Electron.

v11.4.12

Compare Source

Release Notes for v11.4.12
Fixes

v11.4.11

Compare Source

Release Notes for v11.4.11

Other Changes

v11.4.10

Compare Source

Release Notes for v11.4.10

Other Changes

v11.4.9

Compare Source

Release Notes for v11.4.9
Fixes
  • Fixed potential corruption of piped response data when using interceptHttpProtocol/registerHttpProtocol. #​29667 (Also in 12, 13, 14)
  • Security: backported fix for CVE-2021-30551. #​29780
Other Changes

v11.4.8

Compare Source

Release Notes for v11.4.8

Fixes

  • Fixed will-resize and will-move events not scaling the emitted newBounds rectangle to the appropriate Windows display scale factor. #​29225 (Also in 12, 13)
  • Fixed drag and drop not working correctly for some x11 window managers. #​29271 (Also in 12)
  • Fixed packaged apps allowing --require in NODE_OPTIONS on Windows. #​29419

Other Changes

v11.4.7

Compare Source

Release Notes for v11.4.7

Fixes

  • Fixed an incorrect warning about enableRemoteModule being issued when the option was undefined (and thus defaulting to false). #​29023
  • Fixed an issue where events on webview elements were missing properties if contextIsolation was enabled. #​29150 (Also in 10)
  • Fixed corner radius for vibrancy view in macOS 11. #​29072 (Also in 12, 13)

Documentation

v11.4.6

Compare Source

Release Notes for v11.4.6
Fixes
  • Fixed <webview> focus / blur events not working with contextIsolation enabled. #​29027 (Also in 10, 12, 13)
  • Fixed an issue where drag regions on macOS would be offset incorrectly when no drag regions were set. #​29018 (Also in 12, 13)

v11.4.5

Compare Source

Release Notes for v11.4.5

Fixes

  • Allow Node.js to manage microtasks queue by using explicit microtasks policy before calling uv_run(). #​28974 (Also in 12, 13)
  • Fixed an issue where some Node.js modules would hang on page reload on Windows. #​28336 (Also in 12, 13)
  • Fixed an issue where windows in simpleFullscreen mode were not properly resizing when display metrics changed. #​28870 (Also in 12, 13)
  • Fixed the window-all-closed event being emitted while the last BrowserWindow was still in the process of being closed. #​28912 (Also in 12, 13)

Other Changes

v11.4.4

Compare Source

Release Notes for v11.4.4
Fixes
  • Fixed an issue where multiple calls to window.setFullScreen could cause problems. #​28773 (Also in 12, 13)
  • Fixed an issue where some dialogs would stop working on macOS if window.hide() was called while they were open. #​28696 (Also in 12, 13)
  • Fixed crash on M1 Mac. #​28745
  • No longer set backgroundColor in default-app when opening custom files / URLs. #​28843 (Also in 10, 12, 13)
Other Changes

v11.4.3

Compare Source

Release Notes for v11.4.3

Fixes

  • Fixed a bug where, when a JumpList task description exceeded 260 characters, the JumpList was empty, despite valid entries. #​28524 (Also in 12, 13)
  • Fixed a network process crash that could happen when using setCertificateVerifyProc with many concurrent verification requests. #​28470 (Also in 12, 13)
  • Fixed failing to request file:// resources when web security is disabled. #​28589 (Also in 12, 13)
  • Support wasm-eval csp behind WebAssemblyCSP flag. #​28576 (Also in 12, 13)
  • Transparent windows cannot be maximized using the Windows system menu or by double clicking the title bar. #​28635 (Also in 12, 13)

Other Changes

  • Security: backported fix for chromium:1196683. #​28639

v11.4.2

Compare Source

Release Notes for v11.4.2

Fixes

  • Fixed an issue where the thumbar disappeared after win.hide() on Windows. #​28391 (Also in 10, 12, 13)
  • Fixed bug where TouchBarPopover and TouchBarGroup were no longer rendering. #​28412 (Also in 12)
  • Fixed crash when exiting app with active nodejs worker_threads. #​28471
  • Fixed service worker not working with custom protocol. #​28353 (Also in 12, 13)

Documentation

v11.4.1

Compare Source

Release Notes for v11.4.1

Fixes

  • Fixed desktopCapturer.getSources() promise result sometimes never resolving. #​28282 (Also in 10, 12, 13)
  • Fixed an issue where the drag regions in BrowserViews on macOS could be off in their y-axis. #​28297 (Also in 10, 12, 13)
  • Fixed context menus not being positioned correctly when near the edge of the screen. #​28278 (Also in 12, 13)
  • Fixed intensive I/O from asar files causing ERR_FILE_NOT_FOUND after a while. #​28201 (Also in 12, 13)
  • Fixed issue where window.open() would not return an object with a location.href setter when contextIsolation is enabled and nativeWindowOpen is disabled. #​28161 (Also in 10, 12)
  • URLs passed to shell.openExternal on Windows are now correctly URI encoded. This was already occurring on macOS and Linux. #​28340 (Also in 10, 12, 13)

Other Changes

Documentation

v11.4.0

Compare Source

Release Notes for v11.4.0

Features

  • Added support for the des-ede3 cipher in node crypto. #​27993 (Also in 12)

Fixes

  • Colors returned from systemPreferences.getAccentColor(), getSystemColor and getColor are now correctly converted into the device's color space. Previously the color would have been subtly incorrect. #​28171 (Also in 12, 13)
  • Fixed a potential crash when resetting BrowserViews. #​27948 (Also in 10, 12)
  • Fixed an issue where BrowserViews could have mismatched draggable regions to their bounds. #​27987 (Also in 10, 12)
  • Fixed an issue where win.capturePage() never called back after calling hide() for a hidden window on some platforms. #​28074 (Also in 12, 13)
  • Fixed an issue where libuv might hang with multiple subframes when nodeIntegrationInSubframes is enabled. #​27880 (Also in 10, 12)
  • Fixed an out-of-bounds access in WebContents.sendInputEvent. #​27853 (Also in 10, 12)
  • Fixed background color not being applied for child windows created by native window.open path. #​27944 (Also in 10, 12)
  • Fixed crash when calling getBackgroundColor on a transparent window with no assigned background color. #​28186 (Also in 12, 13)
  • Fixed native window.open() to not use windowName/frameName as title by default. #​27813 (Also in 10, 12)
  • Fixed navigator.bluetooth.requestDevice crash. #​27941 (Also in 12)
  • Fixed warning when worldSafeExecuteJavaScript is disabled. #​27968 (Also in 10, 12)

Other Changes

v11.3.0

Compare Source

Release Notes for v11.3.0

Features

  • Added allowFileAccess option to loadExtension() API. #​27703 (Also in 12)
  • Added win.setTopBrowserView() so that BrowserViews can be raised. #​27712 (Also in 10, 12)

Fixes

  • Backported fix for https://crbug.com/1125165. #​27558
  • Fixed OS-level shortcuts on macOS (e.g. Ctrl + F2, ⌘ + ~). #​27787 (Also in 12)
  • Fixed SVG content with filter sometimes not being rendered. #​27699
  • Fixed a crash when calling crypto.createDiffieHellman() with certain parameters. #​27766 (Also in 12)
  • Fixed a memory leak when creating BrowserWindows. #​27640 (Also in 12)
  • Fixed an erroneous enableBlinkFeatures warning shown for webviews which enabled no Blink features. #​27789 (Also in 10, 12)
  • Fixed an issue where deleted download directories would be sometimes recreated by the operating system. #​27808 (Also in 10, 12)
  • Fixed an occasional white flicker present when rendering BrowserViews in close succession. #​27659 (Also in 10, 12)
  • Fixed crash when destroying WebContents in the crashed event. #​27757 (Also in 10, 12)
  • Fixed memory leak when sending non-primitives over the context bridge. #​27638 (Also in 10, 12)
  • Fixed native window freeze on Windows when Electron app is sent to tray and external display changes. #​27669 (Also in 12)
  • Fixed svg with filter content not being rendered. #​27635

Other Changes

Documentation

v11.2.3

Compare Source

Release Notes for v11.2.3

Fixes

Other Changes

v11.2.2

Compare Source

Release Notes for v11.2.2

Fixes

  • Fixed CSP with unsafe-eval detection with Trusted Types. #​27469 (Also in 9, 10, 12)
  • Fixed <webview> not working with Trusted Types. #​27464 (Also in 9, 10, 12)
  • Fixed regression that crashed Electron when processing an invalid icon. #​27478 (Also in 12)
  • None. #​27509 (Also in 12)

Other Changes

v11.2.1

Compare Source

Release Notes for v11.2.1

Fixes

  • Apps requesting the CAMERA_PAN_TILT_ZOOM permission will have the permission request handler called with a permission string of "media" instead of "font-access". #​27423
  • Fixed crash when a keyboard event immediately precedes calling browserWindow.close() on Windows. #​27357 (Also in 10, 12)
  • Fixed shutdown crash when quitting with in-progress downloads. #​27419 (Also in 10, 12)
  • Increased stack size on Windows x64 to 8MB. #​27385 (Also in 10, 12)
  • Updated the ICU time zone database to the latest 2020f version. #​27369

Other Changes

v11.2.0

Compare Source

Release Notes for v11.2.0

Features

  • Made win.setAspectRatio() work on Windows. #​27203 (Also in 12)

Fixes

  • Fixed a crash that could occur on app quit when using the remote module. #​27069 (Also in 12)
  • Fixed an issue where BrowserViews couldn't be effectively reparented. #​27219 (Also in 12)
  • Fixed an issue where non-draggable regions on BrowserViews could have incorrectly calculated bounds. #​27183 (Also in 10, 12)
  • Fixed an issue where some draggable regions were not clickable when loaded into BrowserViews on Windows. #​27178 (Also in 10, 12)
  • Fixed the pretty-print JavaScript feature in DevTools not functioning correctly. #​27102

Other Changes

  • Updated Chromium to 87.0.4280.141. #​27213

Unknown

  • Fixed chrome.webRequest extensions API not intercepting any requests. #​27096 (Also in 10, 12)

v11.1.1

Compare Source

Release Notes for v11.1.1

Fixes

  • Fixed protocol methods not being accessible via remote.protocol. #​27044 (Also in 12)
  • Fixed readdir/readdirSync (w/ withFileTypes) failing on a deep directory within archive. #​27010 (Also in 12)
  • Fixed a memory leak in desktopCapturer.getSources. #​27056 (Also in 10, 12)
  • Fixed an issue where SIGINT was improperly handled in Node.js processes. #​26972 (Also in 10, 12)
  • Fixed an issue where renderer process stack traces were broken with contextIsolation enabled. #​26997 (Also in 12)
  • Fixed an issue where some async_hooks were not properly emitted after an error in the renderer process. #​26991 (Also in 12)
  • Fixed an issue whereby remote.screen EventEmitter methods are undefined in the renderer. #​26989 (Also in 12)

v11.1.0

Compare Source

Release Notes for v11.1.0

Fixes

  • Added Electron DLLs like libGLESv2.dll to symbol server. #​26965 (Also in 9, 10, 12)
  • Fixed an issue where a message box in GTK contained no buttons. #​26916 (Also in 10, 12)
  • Fixed an issue where event.reply could sometimes not deliver a reply to an IPC message when cross-site iframes were present. #​26926 (Also in 9, 10, 12)
  • Fixed an occasional crash on Windows related to NativeViewHost::SetParentAccessible. #​26951 (Also in 9, 10, 12)

v11.0.5

Compare Source

Release Notes for v11.0.5

Fixes

  • Fixed "screen" methods to be reassignable again. #​26873 (Also in 12)
  • Fixed systemPreferences.effectiveAppearance returning systemPreferences.getAppLevelAppearance(). #​26878 (Also in 9, 10, 12)
  • Fixed callbacks passed via the remote module not being released after all references are dropped. #​26836 (Also in 12)
  • Fixed uncaught promise rejection when creating webContents with javascript disabled. #​26870 (Also in 10, 12)

Other Changes

  • Updated Chromium to 87.0.4280.88. #​26817

v11.0.4

Compare Source

Release Notes for v11.0.4

Fixes

  • Added default Bluetooth permission strings to info.plist. #​26768 (Also in 12)
  • Fixed an issue where IsMaximized would incorrectly return false for some windows on Windows. #​26780 (Also in 12)
  • Fixed an issue where draggable regions did not work exclusively on BrowserViews on Windows. #​26774 (Also in 12)
  • Fixed an issue where draggable regions in BrowserWindow caused BrowserView to become draggable in non-corresponding places. #​26754 (Also in 10, 12)
  • Fixed import of unpacked node modules. #​26751 (Also in 12)

v11.0.3

Compare Source

Release Notes for v11.0.3

Fixes

  • Fixed <webview> render-process-gone event dispatch. #​26578
  • Fixed contentTracing.stopRecording() not rejecting when there is no trace in progress. #​26655 (Also in 12)
  • Fixed screen methods not being accessible via remote.screen. #​26660
  • Fixed a crash when calling webContents.fromId with an unknown ID. #​26652

v11.0.2

Compare Source

Release Notes for v11.0.2

Fixes

  • Fixed LC_ALL environment variable getting changed in Electron. #​26551 (Also in 9, 10)
  • Fixed an issue where some buttons were un-clickable in some BrowserViews with draggable regions enabled. #​26528
  • Fixed detection of launch on login items
    • Fixed detection of enabled state set by TaskManager. #​26538
  • Stopped using private API CTFontDescriptorIsSystemUIFont in MAS build. #​26574

Other Changes

  • Updated Chromium to 87.0.4280.67. #​26565

Unknown

v11.0.1

Compare Source

Release Notes for v11.0.1

Fixes

  • Fixed an Uncaught TypeError when opening DevTools. #​26514
  • Removed private API usage that was blocking Mac App Store releases. #​26513

v11.0.0

Compare Source

Release Notes for v11.0.0

Stack Upgrades

Breaking Changes

  • Removed experimental APIs: BrowserView.{destroy, fromId, fromWebContents, getAllViews} and the id property of BrowserView. #​23578

Features

Additions
  • Added new experimental apple silicon (darwin arm64) builds. #​24545
  • Added new app.runningUnderRosettaTranslation property to detect when running under rosetta on Apple silicon. #​26492
  • Added V8 crash message and location information to crashReport parameters. #​24771 (Also in 10)
  • Added a small console hint to console to help debug renderer crashes. #​25474 (Also in 9, 10)
  • Added new system-context-menu event to allow preventing and overriding the system context menu. #​25835
  • Added webContents.forcefullyCrashRenderer() to forcefully terminate a renderer process to assist with recovering a hung renderer. #​25756
  • Added app.getApplicationInfoForProtocol() API that returns detailed information about the app that handles a certain protocol. #​24112
  • Added name to app.getAppMetrics() output. #​24359
  • Added utility-process-gone event to app. #​24367
  • Added visualEffectState option to BrowserWindows to allow customization of vibrancy effect state on macOS. #​25083
  • Added app.createThumbnailFromPath() API that returns a preview image of a file given its file path and a maximum thumbnail size. #​24802
  • Added back a previously broken visibleOnFullScreen option for setVisibleOnAllWorkspaces. #​24956
  • Added desktopCapturer.getMediaSourceIdForWebContents(), can be used with getUserMedia to get a stream for a WebContent. #​22701
  • Added did-become-active event on Mac for observing any application activation. #​23872
  • Added new worldSafeExecuteJavaScript webPreference to ensure that the return values from `webFrame.e

Configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.
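The two advisories above that offer an app-side workaround (CVE-2020-4075: call event.preventDefault() on new-window events whose url or options you do not expect; CVE-2021-39184: delete nativeImage.createThumbnailFromPath before 'ready') are shown here as main-process helpers. This is an added example, not Electron's code and not part of the Renovate PR. The allow-listed origin is a constructed placeholder, the set of webPreferences treated as unsafe is this example's own choice, and the helpers take the webContents and nativeImage objects as parameters so they can be exercised with plain Node.js stand-ins outside Electron.

```javascript
// Added example (not Electron's code, not from the PR): app-side hardening
// for the two advisories that have workarounds, written for Electron 11's
// 'new-window' event signature (event, url, frameName, disposition, options).

// Origins the app expects child windows to open. Constructed placeholder;
// a real app lists its own origins here.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// webPreferences values that would make a child window weaker than its
// parent. This list is the example's own choice, not from the advisory.
const UNSAFE_WEB_PREFERENCES = {
  nodeIntegration: true,
  nodeIntegrationInSubFrames: true,
  nodeIntegrationInWorker: true,
  webSecurity: false,
  contextIsolation: false,
  sandbox: false,
  allowRunningInsecureContent: true,
  enableRemoteModule: true,
  webviewTag: true,
};

// A URL is acceptable only if it parses and its origin is allow-listed.
// Unparsable input is rejected rather than opened.
function isAllowedUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return false;
  }
  return ALLOWED_ORIGINS.has(parsed.origin);
}

// Names of the unsafe webPreferences requested in the window options.
function unsafePreferencesIn(options) {
  const prefs = (options && options.webPreferences) || {};
  return Object.keys(UNSAFE_WEB_PREFERENCES).filter(
    (key) => prefs[key] === UNSAFE_WEB_PREFERENCES[key]
  );
}

// Verdict for one new-window request: both the url and the options must be
// what the app expects, exactly as the CVE-2020-4075 workaround describes.
function evaluateNewWindow(url, options) {
  if (!isAllowedUrl(url)) {
    return { allow: false, reason: 'url-not-allowlisted', unsafe: [] };
  }
  const unsafe = unsafePreferencesIn(options);
  if (unsafe.length > 0) {
    return { allow: false, reason: 'unsafe-window-options', unsafe };
  }
  return { allow: true, reason: 'ok', unsafe: [] };
}

// Attaches the guard to a webContents-like object (anything with .on()).
// `log` receives every denied request so the app can record it.
function installNewWindowGuard(contents, log = () => {}) {
  contents.on('new-window', (event, url, frameName, disposition, options) => {
    const verdict = evaluateNewWindow(url, options);
    if (!verdict.allow) {
      event.preventDefault(); // the advisory's workaround: block the window
      log({ url, reason: verdict.reason, unsafe: verdict.unsafe });
    }
  });
  return contents;
}

// CVE-2021-39184 workaround for apps that never use the thumbnail API.
// Must run in the main process before the 'ready' event. Returns true when
// the function was present and has been removed.
function disableThumbnailApi(nativeImage) {
  if (typeof nativeImage.createThumbnailFromPath !== 'function') {
    return false;
  }
  delete nativeImage.createThumbnailFromPath;
  return !('createThumbnailFromPath' in nativeImage);
}

// Wiring in a real main process (not executed here, since it needs Electron):
//   const { app, nativeImage } = require('electron');
//   disableThumbnailApi(nativeImage);
//   app.on('web-contents-created', (_event, contents) =>
//     installNewWindowGuard(contents, console.warn));
```

Attaching the guard from app's web-contents-created event covers every webContents the app creates, including child windows and webviews, rather than only the first BrowserWindow. The guard is defence in depth for apps that cannot yet move off a vulnerable release; the advisories are explicit that for the context-isolation bypasses (CVE-2020-4076, CVE-2020-4077, CVE-2020-15096) and the IPC misrouting (CVE-2020-26272) there is no app-side workaround and only upgrading helps.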

@renovate renovate bot force-pushed the renovate/npm-electron-vulnerability branch from ca2b7de to fda5687 on October 18, 2021 23:14
@renovate renovate bot changed the title from "Update dependency electron to v9 [SECURITY]" to "Update dependency electron to v11 [SECURITY]" on Oct 18, 2021
@smblee smblee closed this Nov 5, 2021