| Summary: | nodejs-tough-cookie new security issue CVE-2023-26136 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, dan, nicolas.salguero, sysadmin-bugs |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA9-64-OK | ||
| Source RPM: | nodejs-tough-cookie-2.3.4-5.mga9.src.rpm | CVE: | CVE-2023-26136 |
| Status comment: | |||
Description
David Walser
2023-07-17 21:57:24 CEST
David Walser
2023-07-17 21:58:02 CEST
Whiteboard:
(none) =>
MGA8TOO
This is one for Stig (last touched 5y ago!).
Assignee:
bugsquad =>
smelror
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. (CVE-2023-26136)

References:
https://www.debian.org/lts/security/2023/dla-3488
========================

Updated package in core/updates_testing:
========================
nodejs-tough-cookie-2.3.4-5.1.mga9

from SRPM:
nodejs-tough-cookie-2.3.4-5.1.mga9.src.rpm

Assignee:
smelror =>
qa-bugs
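
The advisory above attributes the issue to how objects are initialized. The following added example, which is not code from tough-cookie or from this bug report, shows why that matters for a lookup table keyed by cookie domain: an index created as a plain object resolves the key `__proto__` to Object.prototype, while one created with Object.create(null) treats it as an ordinary key. The store layout, the function names and the sample domain, path and cookie values are assumptions constructed for illustration.

```javascript
// Added illustration, not tough-cookie source. makeStore, isPolluted,
// storedAsOwnKey and the sample values are hypothetical; the index layout
// (domain -> path -> cookie name) is an assumption.

// Build a cookie index from whatever empty-object factory the caller supplies.
function makeStore(createIndex) {
  const idx = createIndex();
  return {
    idx,
    put(domain, path, name, value) {
      if (!idx[domain]) idx[domain] = createIndex();
      if (!idx[domain][path]) idx[domain][path] = createIndex();
      idx[domain][path][name] = value;
    },
  };
}

const plainObject = () => ({});                  // inherits from Object.prototype
const nullPrototype = () => Object.create(null); // inherits from nothing

// Store one constructed cookie whose domain is an inherited property name,
// then report whether unrelated objects gained the path as a property.
function isPolluted(createIndex) {
  const path = '/constructed-path';
  const store = makeStore(createIndex);
  store.put('__proto__', path, 'sid', 'constructed-value');
  const polluted = path in {};
  delete Object.prototype[path]; // undo the side effect so runs stay independent
  return polluted;
}

// Report whether the same key ended up as an own property of the index.
function storedAsOwnKey(createIndex) {
  const path = '/constructed-path';
  const store = makeStore(createIndex);
  store.put('__proto__', path, 'sid', 'constructed-value');
  const own = Object.prototype.hasOwnProperty.call(store.idx, '__proto__');
  delete Object.prototype[path];
  return own;
}

console.log('plain {} index polluted:', isPolluted(plainObject));
console.log('Object.create(null) index polluted:', isPolluted(nullPrototype));
```
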
katnatek
2024-03-19 19:58:18 CET
Keywords:
(none) =>
advisory
RH mageia 9 x86_64
Install current package
LC_ALL=C urpmi nodejs-tough-cookie
https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/nodejs-tough-cookie-2.3.4-5.mga9.noarch.rpm
installing nodejs-tough-cookie-2.3.4-5.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ######################################################################################
1/1: nodejs-tough-cookie ######################################################################################
Update to testing version
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing nodejs-tough-cookie-2.3.4-5.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
1/1: nodejs-tough-cookie ######################################################################################
1/1: removing nodejs-tough-cookie-2.3.4-5.mga9.noarch
######################################################################################
Remove package
LC_ALL=C urpme nodejs-tough-cookie
removing nodejs-tough-cookie-2.3.4-5.1.mga9.noarch
removing package nodejs-tough-cookie-2.3.4-5.1.mga9.noarch
1/1: removing nodejs-tough-cookie-2.3.4-5.1.mga9.noarch
######################################################################################
katnatek
2024-03-21 20:35:23 CET
CC:
(none) =>
andrewsfarm
Not previous rounds of the package
Give OK
Whiteboard:
(none) =>
MGA9-64-OK
Validating.
CC:
(none) =>
sysadmin-bugs
Assuming the version number is correct as-is and shouldn't be rotated right once to 1.2.3-4.5 :-)
CC:
(none) =>
dan
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2024-0080.html
Status:
ASSIGNED =>
RESOLVED