Bug 31494

Summary: nodejs-qs new security issue CVE-2022-24999
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, marja11, smelror, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: nodejs-qs-6.5.1-4.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-02-01 17:41:06 CET 
Debian-LTS has issued an advisory on January 30:
https://www.debian.org/lts/security/2023/dla-3299

The issue is fixed upstream in 6.5.3.

Mageia 8 is also affected.
David Walser 2023-02-01 17:41:17 CET

Status comment: (none) => Fixed upstream in 6.5.3
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-02-04 22:27:32 CET 
Assigning to our registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2023-02-05 08:25:30 CET 
Advisory
========
Updated to fix a security issue.

CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. 

References
==========
https://www.debian.org/lts/security/2023/dla-3299
https://security-tracker.debian.org/tracker/CVE-2022-24999

Files
=====

Uploaded to core/updates_testing

nodejs-qs-6.5.3-1.mga8

from nodejs-qs-6.5.3-1.mga8.src.rpm

Assignee: smelror => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 6.5.3 => (none)
Whiteboard: MGA8TOO => (none)

David Walser 2023-02-05 14:56:09 CET

CC: (none) => smelror

Comment 3 Herman Viaene 2023-02-14 12:01:51 CET 
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
This is a developer's library. After looking in vain for an example I could understand, decided to treat this as other developer's stuff: OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-02-15 21:38:54 CET 
Validating, Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-20 21:02:06 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-02-20 22:27:04 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0053.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED