Bug 27972

Summary: nodejs-handlebars new security issue CVE-2019-20922
Product: Mageia
Reporter: Zombie Ryushu <zombie_ryushu>
Component: Security
Assignee: Stig-Ørjan Smelror <smelror>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: mageia, ouaurelien
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://nvd.nist.gov/vuln/detail/CVE-2019-20922
Whiteboard:
Source RPM: nodejs-handlebars-4.0.13-4.mga8.src
CVE: CVE-2019-20922
Status comment: Fixed upstream in 4.4.5

Description Zombie Ryushu 2020-12-29 10:23:36 CET
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Zombie Ryushu 2020-12-29 10:23:47 CET

CVE: (none) => CVE-2019-20922
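
Since upstream fixed this ReDoS in Handlebars 4.4.5, the practical check on a Node.js project is whether any copy of handlebars in the dependency tree, including nested copies pulled in by other packages, predates that release. The following is an added example and not code from this bug report, from Mageia or from the Handlebars project: it walks a package-lock.json in either the lockfileVersion 1 layout (nested `dependencies`) or the lockfileVersion 2/3 layout (path-keyed `packages`) and reports every handlebars entry older than 4.4.5. The two sample lockfiles, the function names and the nested versions are constructed for the example.

```javascript
// Added example (not from the Mageia bug or the Handlebars project): flag
// handlebars entries in a package-lock.json that are older than the 4.4.5
// ReDoS fix. Lockfile contents below are constructed for the example.
const FIXED_VERSION = "4.4.5";

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]". The pattern is anchored and
// has no nested or ambiguous quantifiers, so it backtracks at most linearly.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A pre-release sorts before the plain release of the same
// core version; pre-release identifiers are otherwise compared as strings
// (a simplification of the full semver rules, sufficient for this check).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
}

function isVulnerableHandlebars(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk both lockfile layouts and collect every handlebars copy below the fix.
// lockfileVersion 2 carries both "packages" and "dependencies"; only one of
// them is walked so that a copy is not reported twice.
function findVulnerableHandlebars(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/handlebars") && meta.version && isVulnerableHandlebars(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "handlebars" && meta.version && isVulnerableHandlebars(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed lockfileVersion 2 sample: a direct handlebars at the version the
// Mageia package carried (4.0.13) and a patched nested copy under some-tool.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", dependencies: { handlebars: "^4.0.13" } },
    "node_modules/handlebars": { version: "4.0.13" },
    "node_modules/some-tool": { version: "1.0.0" },
    "node_modules/some-tool/node_modules/handlebars": { version: "4.7.7" },
  },
};

// Constructed lockfileVersion 1 sample: only the nested copy is unpatched.
const SAMPLE_LOCK_V1 = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "some-tool": { version: "1.0.0", dependencies: { handlebars: { version: "4.1.2" } } },
    handlebars: { version: "4.7.7" },
  },
};

console.log(JSON.stringify(findVulnerableHandlebars(SAMPLE_LOCK)));
console.log(JSON.stringify(findVulnerableHandlebars(SAMPLE_LOCK_V1)));
```

Nested copies matter here: a project can declare a fixed handlebars at top level while a build tool still bundles an older one, and the ReDoS is reachable wherever that older copy is handed an attacker-controlled template.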

David Walser 2020-12-29 17:10:30 CET

Whiteboard: (none) => MGA7TOO
Summary: nodejs-handlebars security issue CVE-2019-20922 => nodejs-handlebars new security issue CVE-2019-20922
Status comment: (none) => Fixed upstream in 4.4.5

Comment 1 Aurelien Oudelet 2020-12-29 21:12:07 CET
This is also for you, Stig.

CC: (none) => ouaurelien
Assignee: bugsquad => smelror

Comment 2 Nicolas Lécureuil 2020-12-31 00:25:06 CET
version 4.4.5 pushed in cauldron

Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7

Comment 3 David Walser 2021-07-01 18:27:32 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED