Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file: objects that have toString as a key and JavaScript code as its value, when used as explicit mapping keys, allow an attacker to have the supplied code executed by load(). The safeLoad() function is unaffected.

https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480
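The mechanism the advisory describes, as an added example that is not js-yaml's own code: a small model of how a YAML loader turns an explicit mapping key into a property name, which is the step where a key object carrying a !!js/function toString gets its code run. Every helper name, the simplified tag resolver, the constructed payload and the global marker used to prove execution are assumptions made for this demonstration; the hardened variant follows the shape of the fix in the linked pull request (plain-object keys are never coerced through their own toString) but is not a copy of that code.

```javascript
// Added example (not js-yaml's own code): a model of how a YAML loader turns an
// explicit mapping key into a property name, and why that step executes attacker
// code when the key is an object whose toString property is a !!js/function value.
// Assumed for the demonstration: every helper name below, the simplified tag
// resolver, and the global marker used to prove that the payload ran.

const JS_FUNCTION_TAG = 'tag:yaml.org,2002:js/function';

// Marker the payload appends to; kept on globalThis because code compiled with
// new Function() runs in global scope and cannot see module-level variables.
globalThis.__demoExecuted = [];

// Simplified tag resolver. The default (unsafe) schema behind load() turns a
// !!js/function scalar into a real function; the safe schema behind safeLoad()
// has no such tag and rejects it, which is why safeLoad() is unaffected.
function resolveTaggedScalar(schema, tag, source) {
  if (tag !== JS_FUNCTION_TAG) {
    return source;
  }
  if (schema === 'safe') {
    throw new Error('unknown tag !<' + tag + '> in the safe schema');
  }
  return new Function('return (' + source + ')')();
}

// Parsed form of a malicious explicit key such as
//   ? { toString: !!js/function 'function () { ... }' }
//   : 1
// i.e. a plain object whose toString property is attacker-chosen code.
function maliciousKey(schema, payload) {
  return { toString: resolveTaggedScalar(schema, JS_FUNCTION_TAG, payload) };
}

// Vulnerable pattern: the result is a plain object, so the key is coerced to a
// property name. String(obj) calls obj.toString(), running the payload.
function stringifyKeyVulnerable(keyNode) {
  return String(keyNode);
}

// Hardened pattern: plain objects are replaced by the literal '[object Object]'
// before coercion, so a user-supplied toString is never invoked. Arrays, dates
// and other non-plain objects keep their normal string conversion.
function stringifyKeyHardened(keyNode) {
  if (typeof keyNode === 'object' && keyNode !== null &&
      Object.prototype.toString.call(keyNode) === '[object Object]') {
    return '[object Object]';
  }
  return String(keyNode);
}

// The mapping-pair store, parameterised on the key conversion under test.
function storeMappingPair(result, keyNode, valueNode, stringifyKey) {
  result[stringifyKey(keyNode)] = valueNode;
  return result;
}

// Loads the constructed malicious document under the unsafe schema with the
// given key conversion and reports the resulting keys and whether the payload ran.
function loadMalicious(stringifyKey) {
  globalThis.__demoExecuted = [];
  const payload =
    "function () { globalThis.__demoExecuted.push('ran'); return 'pwned'; }";
  const key = maliciousKey('default', payload);
  const result = storeMappingPair({}, key, 1, stringifyKey);
  return { keys: Object.keys(result), executed: globalThis.__demoExecuted.slice() };
}

// True when the safe schema refuses to construct the key at all.
function safeSchemaRejects(payload) {
  try {
    maliciousKey('safe', payload);
    return false;
  } catch (e) {
    return true;
  }
}

// Versions before 3.13.1 are affected. Accepts bare versions ('3.5.2') and
// rpm-style strings as printed by `rpm -qa` ('3.5.2-3.mga6'); the release
// suffix after the first '-' is ignored.
function affectedVersion(version) {
  const parts = version.split('-')[0].split('.').map(Number);
  const fixed = [3, 13, 1];
  for (let i = 0; i < fixed.length; i++) {
    const v = parts[i] || 0;
    if (v !== fixed[i]) {
      return v < fixed[i];
    }
  }
  return false;
}

console.log(loadMalicious(stringifyKeyVulnerable)); // keys ['pwned'], executed ['ran']
console.log(loadMalicious(stringifyKeyHardened));   // keys ['[object Object]'], executed []
```

Two practical points follow from the model. First, the fix only stops the key's toString from being invoked during loading; load() with the default schema still reconstructs functions and regular expressions from tagged scalars in untrusted input, so for untrusted YAML the mitigation is safeLoad() together with the upgrade, as the advisory's note that safeLoad() is unaffected indicates. Second, affectedVersion() accepts the package strings from rpm -qa directly, which is the quickest way to confirm whether the 3.13.1 build actually landed on a host where the older nodejs-js-yaml package may still be installed.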
Advisory
========

nodejs-js-yaml has been updated to fix a security issue.

References
==========

https://www.npmjs.com/advisories/813
https://github.com/nodeca/js-yaml/pull/480

Files
=====

Uploaded to core/updates_testing

nodejs-fs.realpath-1.0.0-2.mga6
from nodejs-fs.realpath-1.0.0-2.mga6.src.rpm

nodejs-js-yaml-3.13.1-1.mga6
from nodejs-js-yaml-3.13.1-1.mga6.src.rpm
Assignee: smelror => qa-bugs
Status comment: (none) => Version 3.13.1 has been pushed to Cauldron
Cannot find either of these packages in release. Enabled updates testing.

# urpmi nodejs-fs.realpath
http://ftp.fi.muni.cz/pub/linux/mageia/distrib/6/x86_64/media/core/updates_testing/nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm
installing nodejs-fs.realpath-1.0.0-2.mga6.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                      #############################################
      1/1: nodejs-fs.realpath      #############################################

# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])

# npm install esprima -g
/usr/bin/esparse -> /usr/lib/node_modules/esprima/bin/esparse.js
/usr/bin/esvalidate -> /usr/lib/node_modules/esprima/bin/esvalidate.js
/usr/lib
└── esprima@4.0.1

# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(esprima)[>= 4.0.0])

Help!
CC: (none) => tarazed25
Keywords: (none) => feedback
Follow up on comment 2. There is a package nodejs-esprima-2.7.2-1.mga6.noarch already installed. Presumably that needs updating as well.
Looking at the bundled modules tree, $ npm ls -g shows some that are invalid.

├─┬ argparse@1.0.3
│ ├── lodash@3.10.1 -> /usr/lib/node_modules/lodash
│ ├── sprintf-js@1.0.3 -> /usr/lib/node_modules/sprintf-js
│ └── underscore@1.8.3 -> /usr/lib/node_modules/underscore invalid
├─┬ js-yaml@3.5.2
│ ├── argparse@1.0.3 -> /usr/lib/node_modules/argparse
│ └── esprima@4.0.1 -> /usr/lib/node_modules/esprima invalid

npm ERR! invalid: underscore@1.8.3 /usr/lib/node_modules/argparse/node_modules/underscore
npm ERR! invalid: esprima@4.0.1 /usr/lib/node_modules/js-yaml/node_modules/esprima
A question: should these modules be noarch and if so should 32-bit updates testing be enabled?
Len asked for some feedback three months ago. Could we get a response to his question? It would be nice to be able to clear this before M6 goes EOL...
CC: (none) => andrewsfarm
Len, the QARepo tool just found both of those packages for me in the 64-bit testing repositories. Both are indeed noarch. Unfortunately, I don't have a clue about how to test them.
FWIW, https://madb.mageia.org/tools/listRpmsForQaBug/bugnum/24792/application/0 only lists the nodejs-fs.realpath package. It does not mention the nodejs-js-yaml package at all.
Back to the beginning. Removed nodejs and 10 other related packages. Installed nodejs from scratch, nodejs-js-yaml and nodejs-fs.realpath. Enabled updates testing for 64 bits and updated nodejs-fs.realpath successfully, but:

# urpmi nodejs-js-yaml
A requested package cannot be installed:
nodejs-js-yaml-3.13.1-1.mga6.noarch (due to unsatisfied npm(argparse)[>= 1.0.7])

This is the state of play:

# rpm -qa | grep nodejs
nodejs-underscore-1.8.3-1.mga6
nodejs-argparse-1.0.3-3.mga6
nodejs-sprintf-js-1.0.3-5.mga6
nodejs-6.10.3-2.mga6
nodejs-js-yaml-3.5.2-3.mga6
nodejs-esprima-2.7.2-1.mga6
nodejs-lodash-3.10.1-7.mga6
nodejs-fs.realpath-1.0.0-2.mga6

Most of those were pulled in when nodejs was reinstalled. So, is it a bundling problem? Does 'npm install' use Mageia repositories? I am assuming not, because although later packages can be installed that way, the rpm database does not seem to be updated. Unbundled packages seem to be invisible, so the problem seems to be missing dependencies or not all required packages having updated versions. I am not a packager, so for me this is all guesswork (hence the "seems").
Continuing from comment 9:

$ urpmq --requires nodejs-js-yaml
nodejs
nodejs(engine)
npm(argparse)[>= 1.0.2]
npm(argparse)[< 2]
npm(esprima)[>= 2.6.0]
npm(esprima)[< 3]

This is getting very confusing - e.g. compare the argparse statement in comment 9 with the above.
Mga 6 EOL
CC: (none) => tmb
Resolution: (none) => WONTFIX
Status: NEW => RESOLVED
Please use OLD for EOL.
Resolution: WONTFIX => OLD
Ah, indeed. Thanks