Bug 31238

Summary: nodejs-json-schema new security issue CVE-2021-3918
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: nodejs-json-schema-0.2.3-4.mga9.src.rpm CVE:
Status comment:

Description David Walser 2022-12-07 18:19:56 CET 
Debian-LTS has issued an advisory today (December 7):
https://www.debian.org/lts/security/2022/dla-3228

The issue is fixed upstream in 0.4.0.

Mageia 8 is also affected.
David Walser 2022-12-07 18:20:08 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 0.4.0

Comment 1 Lewis Smith 2022-12-07 20:55:22 CET 
This pkg has been quiet since it was introduced over 4y ago!
Assigning this update to its registered maintainer Stig.

Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2022-12-08 07:45:54 CET 
Advisory
========

CVE-2021-3918: node-json-schema, JSON Schema validation and specifications, was vulnerable to Improperly Controlled Modification of Object Prototype Attributes.

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Files
=====

Uploaded to core/updates_testing

nodejs-json-schema-0.2.3-3.1.mga8

from nodejs-json-schema-0.2.3-3.1.mga8.src.rpm

Assignee: smelror => qa-bugs
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

David Walser 2022-12-08 14:18:55 CET

CC: (none) => smelror
Status comment: Fixed upstream in 0.4.0 => (none)

Comment 3 Herman Viaene 2022-12-09 14:27:25 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
No wiki, no previous updates, so searching
# urpmq --whatrequires nodejs-json-schema
nodejs-json-schema
nodejs-jsprim
# urpmq --whatrequires-recursive nodejs-json-schema
nodejs-http-signature
nodejs-json-schema
nodejs-jsprim
nodejs-request
This all looks developer's territory to me, so I OK on clean install, unless someone jumps in with better ideas.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-12-10 14:20:41 CET 
Validating. Advisory in comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-12-13 03:21:55 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-12-13 23:11:07 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0463.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED