Bug 27962

Summary: grpc new security issue CVE-2020-7768
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: David GEIGER <geiger.david68210>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: major    
Priority: Normal    
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://nvd.nist.gov/vuln/detail/CVE-2020-7768
Whiteboard:
Source RPM: grpc-1.20.0-1.mga7.src.rpm
CVE: CVE-2020-7768
Status comment:

Description Zombie Ryushu 2020-12-28 19:39:54 CET
The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 are vulnerable to Prototype Pollution via loadPackageDefinition.
Zombie Ryushu 2020-12-28 19:40:11 CET

QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2020-7768

Comment 1 David Walser 2020-12-28 19:55:10 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7768

Upstream patches:
https://github.com/grpc/grpc-node/pull/1605
https://github.com/grpc/grpc-node/pull/1606

Status comment: (none) => Patches available from upstream
Assignee: bugsquad => geiger.david68210
Summary: grpc security issue CVE-2020-7768 => grpc new security issue CVE-2020-7768
Severity: normal => major

Comment 2 David GEIGER 2021-01-06 08:03:14 CET
We haven't the package "grpc-node", so we are not affected!

Comment 3 David Walser 2021-01-06 16:17:40 CET
Indeed it looks like the affected code isn't in the package.

Status: NEW => RESOLVED
Status comment: Patches available from upstream => (none)
Resolution: (none) => INVALID