Bug 26293

Summary: http-parser new security issue CVE-2019-15605
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, herman.viaene, smelror, sysadmin-bugs, tmb
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: http-parser-2.9.2-3.mga8.src.rpm CVE:
Status comment:

Description David Walser 2020-03-04 15:01:21 CET 
RedHat has issued an advisory today (March 4):
https://access.redhat.com/errata/RHSA-2020:0703

The issue is fixed upstream in 2.9.3.

Mageia 7 is also affected.
David Walser 2020-03-04 15:02:34 CET

Status comment: (none) => Fixed upstream in 2.9.3
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-03-04 20:30:12 CET 
No obvious maintainer, so assigning globally; CC'ing Stig as having touched this relatively recently.

Assignee: bugsquad => pkg-bugs
CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2020-03-04 20:51:30 CET 
Version 2.9.3 pushed to Cauldron.
Comment 3 Stig-Ørjan Smelror 2020-03-04 20:56:57 CET 
Advisory
========

http-parser has been updated to fix a security issue.

CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-15605
https://access.redhat.com/errata/RHSA-2020:0703

Files
=====

Uploaded to core/updates_testing

libhttp-parser-devel-2.9.3-1.mga7
libhttp-parser2-2.9.3-1.mga7

from http-parser-2.9.3-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs

David Walser 2020-03-04 22:03:05 CET

Status comment: Fixed upstream in 2.9.3 => (none)

Thomas Backlund 2020-03-06 23:12:33 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Herman Viaene 2020-03-08 11:00:18 CET 
MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires lib64http-parser2
lib64git2_28
lib64git2_28
lib64http-parser2
nodejs
nodejs-libs
sssd-common
sssd-common
wasn't much help to test
Tried 
# urpmq --whatrequires-recursive lib64http-parser2  
and found among many others kwrite-handbook, so installed that one and ran
$ strace -o httpparser.txt kwrite
and opened handbook via "Help" menu, read a few items and closed.
Found in trace
openat(AT_FDCWD, "/lib64/libhttp_parser.so.2", O_RDONLY|O_CLOEXEC) = 3
So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-03-08 21:10:28 CET 
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2020-03-08 23:38:58 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0131.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED