
🚨 [security] Update electron: 19.0.1 → 19.0.17 (patch)

Depfu Bot requested to merge depfu/update/yarn/electron-19.0.17 into main

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend merging and deploying this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

electron (19.0.1 → 19.0.17) · Repo
Security Advisories 🚨

🚨 Exfiltration of hashed SMB credentials on Windows via file:// redirect

Impact

When following a redirect, Electron delays a check for redirecting to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as file://some.website.com/, then in some cases Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

  • 21.0.0-beta.1
  • 20.0.1
  • 19.0.11
  • 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the WebContents.on('will-redirect') event, for all WebContents:

// Install the guard on every WebContents the app creates
app.on('web-contents-created', (e, webContents) => {
  // Cancel any redirect whose target URL uses the file: scheme
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preventDefault()
  })
})
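As an added example (not the advisory's or Depfu's own code), the workaround above factored into a policy function that can be unit-tested outside Electron, plus the same will-redirect wiring around it. It parses the target with the WHATWG URL parser rather than a regex, so the scheme is matched regardless of letter case, and it separately labels file: URLs that carry a host (the UNC form file://host/share that Windows may resolve over SMB) so a blocked redirect can be logged with that distinction. The function names and the 'file-remote' / 'file-local' labels are this example's own, not Electron terminology.

```javascript
// Added example, not code from the Electron advisory or from Depfu. Names
// (isFileRedirect, classifyRedirect, installRedirectGuard) are this example's own.

// Return true when a redirect target must be cancelled: any URL whose scheme is
// file:, whatever the letter case of the scheme (the WHATWG URL parser lowercases
// it) and whether or not a host is present. A target that does not parse as a
// URL is refused as well, since it cannot be classified.
function isFileRedirect(target) {
  let parsed;
  try {
    parsed = new URL(String(target));
  } catch (err) {
    return true;
  }
  return parsed.protocol === 'file:';
}

// Classify a redirect target for logging or alerting. 'file-remote' is a file:
// URL carrying a host, the UNC-style form (file://host/share) that Windows may
// resolve over SMB; 'file-local' is a file: URL with no host; 'other' is any
// non-file scheme. These labels are this example's own.
function classifyRedirect(target) {
  let parsed;
  try {
    parsed = new URL(String(target));
  } catch (err) {
    return 'unparseable';
  }
  if (parsed.protocol !== 'file:') return 'other';
  return parsed.hostname === '' ? 'file-local' : 'file-remote';
}

// Wire the policy into Electron where the advisory does: for every WebContents
// the app creates, cancel will-redirect events whose target is a file: URL.
// `app` only needs the Electron app's on() signature, so a stand-in emitter can
// drive this function in tests. `onBlocked` (optional) receives each blocked URL.
function installRedirectGuard(app, onBlocked) {
  app.on('web-contents-created', (_event, webContents) => {
    webContents.on('will-redirect', (event, url) => {
      if (isFileRedirect(url)) {
        event.preventDefault();
        if (onBlocked) onBlocked(url, classifyRedirect(url));
      }
    });
  });
}

// Activate the guard when running in Electron's main process. Outside Electron
// (plain Node, e.g. unit tests) require('electron') either throws or returns a
// path string with no `app`, and the guard is simply not installed.
let electron = null;
try {
  electron = require('electron');
} catch (err) {
  electron = null;
}
if (electron && electron.app) {
  installRedirectGuard(electron.app, (url, kind) => {
    console.warn(`blocked redirect to ${kind} target: ${url}`);
  });
}

if (typeof module !== 'undefined') {
  module.exports = { isFileRedirect, classifyRedirect, installRedirectGuard };
}
```

Load this module from the main process before any window is created, so the guard is registered ahead of the first web-contents-created event; the classification callback is the natural place to emit a log line that a SIEM rule can pick up, since a blocked 'file-remote' redirect is exactly the pattern the advisory describes.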

For more information

If you have any questions or comments about this advisory, email us at security@electronjs.org.

Credit

Thanks to user @coolcoolnoworries for reporting this issue.

Release Notes

19.0.17

Release Notes for v19.0.17

Fixes

  • Added a background to the WCO container to avoid rendering glitches. #35610 (Also in 20, 21)
  • Added support for Windows drop-down dialog extensions. #35660 (Also in 18, 20)
  • Fixed issue with history.back() in sandboxed iframes affecting parent browsing context. #35621 (Also in 20, 21)
  • Fixed session.getBlobData never resolving for blob sizes > 65536. #35600 (Also in 20, 21)

Other Changes

Documentation

  • Documentation changes: #35647

19.0.11

Release Notes for v19.0.11

Fixes

  • Fixed WCO not responding to touch events on Windows. #35176 (Also in 18, 20)
  • Fixed webContents.getUserAgent() incorrectly returning an empty string unless previously set. #35132 (Also in 17, 18, 20)
  • Fixed context menu not showing all items on macOS when dock is not hidden. #35199 (Also in 18)
  • None. #35172 (Also in 18, 20)

Other Changes

  • Disabled GPU acceleration on VMware on Linux. #35185

19.0.10

Release Notes for v19.0.10

Fixes

  • Added support for --ozone-platform-hint flag on Linux. #35015 (Also in 20)
  • Fixed a Windows Control Overlay issue where a window taken directly from minimized to maximized state could have incorrect hover state. #35073 (Also in 20)
  • Fixed a crash when calling BrowserWindow.setEnabled(). #34971 (Also in 18, 20)
  • Fixed an issue in which calling setBounds() after e.preventDefault in a 'will-move' or 'will-resize' event wouldn't change the window's shape until the mouse button was released. #35083 (Also in 20)
  • Fixed an issue with fullscreen transitions when HTML fullscreen is requested. #34908 (Also in 20)
  • Fixed inertial scroll being broken when the scrollable element has an overlay with pointer-events: none. #35051
  • Fixed symbol generation on 32-bit Windows release builds. #35090 (Also in 20)

19.0.9

Release Notes for v19.0.9

Fixes

  • Ensures that requestMediaKeySystemAccess eventually resolves / rejects. #34890 (Also in 20)
  • Fixed a potential crash when changing window settings after initializing WCO with an invalid titleBarStyle. #34874 (Also in 18, 20)
  • Fixed alwaysOnTop BrowserWindow option for X11 Linux. #34912 (Also in 18, 20)
  • Fixed an issue where BrowserWindows on macOS were incorrectly marked as resizable. #34906 (Also in 18, 20)
  • Fixed an issue where calling BrowserWindow.setRepresentedFilename on macOS with titlebarStyle: 'hiddenInset' or titlebarStyle: 'hidden' inadvertently moves the traffic light location. #34848 (Also in 18, 20)
  • Fixed an issue where printing with an invalid deviceName on Linux caused silent failures. #34900 (Also in 20)
  • Fixed an issue where the minimize button with WCO enabled would incorrectly be highlighted in some cases. #34839 (Also in 17, 18, 20)
  • Fixed empty app_id when running under Wayland. #34878 (Also in 18, 20)
  • Prevent brief display of "Ozone X11" in window title on Linux. #34929 (Also in 18)

Other Changes

  • Updated Chromium to 102.0.5005.167. #35017

19.0.8

Release Notes for v19.0.8

Fixes

  • Fixed an issue where DataList bounds had part of the item text cut off vertically. #34785 (Also in 20)

Other Changes

  • Updated Chromium to 102.0.5005.148. #34824

19.0.7

Release Notes for v19.0.7

Fixes

  • Fixed an issue where Windows Control Overlay buttons did not respect maximizable/minimizable/closable states of a BrowserWindow. #34722 (Also in 17, 18, 20)
  • Fixed missing Sec-CH-UA headers and empty navigator.userAgentData. #34757 (Also in 17, 18, 20)

Other Changes

  • Security: backported fix for CVE-2022-2162. #34712
  • Updated Chromium to 102.0.5005.134. #34702

19.0.6

Release Notes for v19.0.6

Fixes

  • Fixed an issue where calling w.setWindowButtonVisibility(true) immediately after exiting fullscreen fails to show window buttons. #34674 (Also in 18, 20)

19.0.5

Release Notes for v19.0.5

Fixes

  • Fixed a performance problem in crashReporter.start() on macOS. #34638 (Also in 17, 18)
  • Fixed an error where setWindowOpenHandler() would crash if the callback threw an error. #34546 (Also in 18, 20)
  • Fixed an issue where draggable regions were not recalculated when BrowserView bounds changed on Windows. #34611 (Also in 18, 20)
  • Fixed an issue where media keys would be sent to Electron on Windows no matter which window was in focus. #34646
  • Fixed an issue where normal bounds would not be appropriately updated if the user minimized with the minimize button. #34484 (Also in 18, 20)
  • Fixed an issue where passing { name: 'All Files', extensions: ['*'] } in the filters param of open or save dialogs on Linux would disallow choosing files without an extension. #34517 (Also in 18, 20)
  • Fixed Linux arm64 builds to not require glibc 2.29+. #34502 (Also in 20)

Other Changes

  • Fixed an issue where BrowserViews didn't always visually update after call to setBounds. #34642 (Also in 18, 20)
  • On Linux, changed the libgdk-pixbuf dependency to be dynamically linked rather than statically linked. #34602 (Also in 18, 20)
  • Updated Chromium to 102.0.5005.115. #34498

19.0.4

Release Notes for v19.0.4

Fixes

  • Fixed behavior of BrowserWindow.maximize on macOS for not shown windows. #34365 (Also in 15, 16, 17, 18)

19.0.3

Release Notes for v19.0.3

Fixes

  • Fixed a crash when loading a same-origin URL after a render process crash. #34431
  • Fixed potential crash in WebFrameMain when performing a cross-origin navigation. #34416 (Also in 18, 20)

19.0.2

Release Notes for v19.0.2

Fixes

  • Fixed an issue where pressing escape would not un-fullscreen on Windows or Linux in some circumstances. #34359 (Also in 18)
  • Fixed an issue where zombie windows can be created if window.close() is called during a fullscreen transition. #34391 (Also in 17, 18, 20)
  • Fixed printing crash when using webContents.print(). #34369

Other Changes

  • Updated Chromium to 102.0.5005.63. #34349



Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

  • @depfu rebase: Rebases against your default branch and redoes this update
  • @depfu recreate: Recreates this PR, overwriting any edits that you've made to it
  • @depfu merge: Merges this PR once your tests are passing and conflicts are resolved
  • @depfu close: Closes this PR and deletes the branch
  • @depfu reopen: Restores the branch and reopens this PR (if it's closed)
  • @depfu pause: Ignores all future updates for this dependency and closes this PR
  • @depfu pause [minor|major]: Ignores all future minor/major updates for this dependency and closes this PR
  • @depfu resume: Future versions of this dependency will create PRs again (leaves this PR as is)
