Bug 31491

Summary: dojo new security issues CVE-2020-4051 and CVE-2021-23450
Product: Mageia Reporter: David Walser <luigiwalser>
Component: Security Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs
Version: 8 Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: dojo-1.14.6-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2023-02-01 17:22:36 CET
Debian-LTS has issued an advisory on January 29:
https://www.debian.org/lts/security/2023/dla-3289

The issues are fixed upstream in 1.16.5 (and possibly 1.14.9):
https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6
https://github.com/advisories/GHSA-m8gw-hjpr-rjv7
David Walser 2023-02-01 17:22:58 CET

Status comment: (none) => Fixed upstream in 1.16.5

Comment 1 David GEIGER 2023-02-04 08:53:11 CET
Done for mga8!

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-02-04 15:55:16 CET
dojo-1.16.5-1.mga8

from dojo-1.16.5-1.mga8.src.rpm

Status comment: Fixed upstream in 1.16.5 => (none)
Assignee: mageia => qa-bugs

Comment 3 Thomas Andrews 2023-02-04 22:32:15 CET
Tested in a VirtualBox Plasma guest. Referring to past updates, bug 26287 and bug 26335, I'm OKing this on the basis of a clean install over the previous version.

Validating.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2023-02-06 20:59:21 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2023-02-07 01:08:59 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0039.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED