Bug 26293 - http-parser new security issue CVE-2019-15605
Summary: http-parser new security issue CVE-2019-15605
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-04 15:01 CET by David Walser
Modified: 2020-03-08 23:38 CET
CC List: 5 users

See Also:
Source RPM: http-parser-2.9.2-3.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-03-04 15:01:21 CET
Red Hat has issued an advisory today (March 4):
https://access.redhat.com/errata/RHSA-2020:0703

The issue is fixed upstream in 2.9.3.

Mageia 7 is also affected.
David Walser 2020-03-04 15:02:34 CET

Status comment: (none) => Fixed upstream in 2.9.3
Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2020-03-04 20:30:12 CET
No obvious maintainer, so assigning globally; CC'ing Stig as having touched this relatively recently.

Assignee: bugsquad => pkg-bugs
CC: (none) => smelror

Comment 2 Stig-Ørjan Smelror 2020-03-04 20:51:30 CET
Version 2.9.3 pushed to Cauldron.
Comment 3 Stig-Ørjan Smelror 2020-03-04 20:56:57 CET
Advisory
========

http-parser has been updated to fix a security issue.

CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

References
==========

https://nvd.nist.gov/vuln/detail/CVE-2019-15605
https://access.redhat.com/errata/RHSA-2020:0703

Files
=====

Uploaded to core/updates_testing

libhttp-parser-devel-2.9.3-1.mga7
libhttp-parser2-2.9.3-1.mga7

from http-parser-2.9.3-1.mga7.src.rpm

Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
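The advisory above names the vulnerability class (HTTP request smuggling on a malformed Transfer-Encoding header) without showing what the desynchronisation looks like. The following is an added example written for this page; it is not code from the Mageia package, from http-parser or from Node.js, and it does not reproduce http-parser's pre-2.9.3 state machine. It builds one constructed request carrying both Content-Length and a malformed "Transfer-Encoding: chunkedjunk", then frames it with two assumed rules (a front end that falls back to Content-Length, a back end that prefix-matches "chunked") and with the RFC 7230 section 3.3.3 rule a fixed parser should apply. Only the "chunked" coding is decoded; everything else is rejected.

```python
# Added example (not part of the Mageia bug, http-parser or Node.js):
# request smuggling through disagreeing message framing. The two
# "vulnerable" rules below are ASSUMED for illustration, not a transcription
# of any real parser.

CRLF = b"\r\n"


def split_head(raw):
    """Split a raw HTTP message into (start line, header map, bytes after the blank line).

    Header names are lower-cased; repeated headers are kept in a list.
    """
    head, _, rest = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, rest


def decode_chunked(data):
    """Decode an RFC 7230 chunked body; return (body, bytes left after the terminator)."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(CRLF, pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";")[0].strip(), 16)  # chunk extensions ignored
        pos = eol + 2
        if size == 0:
            # last-chunk: skip any trailer fields up to the empty line
            while True:
                eol = data.find(CRLF, pos)
                if eol < 0:
                    raise ValueError("truncated trailer section")
                line, pos = data[pos:eol], eol + 2
                if not line:
                    return bytes(body), data[pos:]
        if data[pos + size:pos + size + 2] != CRLF:
            raise ValueError("chunk data not terminated by CRLF")
        body += data[pos:pos + size]
        pos += size + 2


def frame_front_end_cl(raw):
    """ASSUMED front-end rule (constructed): honour Content-Length unless the
    Transfer-Encoding value is exactly 'chunked'."""
    _, headers, rest = split_head(raw)
    if headers.get(b"transfer-encoding", []) == [b"chunked"]:
        return decode_chunked(rest)
    length = int(headers.get(b"content-length", [b"0"])[0])
    return rest[:length], rest[length:]


def frame_back_end_lenient(raw):
    """ASSUMED back-end rule (constructed): prefix-match the Transfer-Encoding value,
    so 'chunkedjunk' counts as chunked and Content-Length is ignored."""
    _, headers, rest = split_head(raw)
    te = headers.get(b"transfer-encoding", [])
    if te and te[0].lower().startswith(b"chunked"):
        return decode_chunked(rest)
    length = int(headers.get(b"content-length", [b"0"])[0])
    return rest[:length], rest[length:]


def frame_strict(raw):
    """RFC 7230 section 3.3.3 framing for a request: Transfer-Encoding is honoured only
    when it is the single coding 'chunked'; a request that also carries Content-Length,
    or any other Transfer-Encoding value, is rejected with ValueError."""
    _, headers, rest = split_head(raw)
    te = headers.get(b"transfer-encoding")
    cl = headers.get(b"content-length")
    if te is not None:
        if cl is not None:
            raise ValueError("Transfer-Encoding and Content-Length both present")
        codings = [c.strip().lower() for c in b",".join(te).split(b",")]
        if codings != [b"chunked"]:
            raise ValueError("unsupported or malformed Transfer-Encoding: %r" % te)
        return decode_chunked(rest)
    if cl is None:
        return b"", rest
    if len(set(cl)) != 1 or not cl[0].isdigit():
        raise ValueError("invalid Content-Length: %r" % cl)
    length = int(cl[0])
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return rest[:length], rest[length:]


# Constructed request: an empty chunked body followed by a second request, with a
# Content-Length that covers all of it and a malformed Transfer-Encoding value.
SMUGGLED = b"GET /admin HTTP/1.1" + CRLF + b"Host: example.test" + CRLF + CRLF
BODY = b"0" + CRLF + CRLF + SMUGGLED
REQUEST = (
    b"POST / HTTP/1.1" + CRLF
    + b"Host: example.test" + CRLF
    + b"Content-Length: " + str(len(BODY)).encode() + CRLF
    + b"Transfer-Encoding: chunkedjunk" + CRLF
    + CRLF
    + BODY
)


def demo(raw=REQUEST):
    """Run the three framing rules on one request and report what each parser sees."""
    front_body, front_left = frame_front_end_cl(raw)
    back_body, back_left = frame_back_end_lenient(raw)
    try:
        frame_strict(raw)
        strict = "accepted"
    except ValueError as exc:
        strict = "rejected: %s" % exc
    return {
        "front_end_consumed": len(front_body), "front_end_leftover": front_left,
        "back_end_consumed": len(back_body), "back_end_leftover": back_left,
        "strict": strict,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The front end consumes the whole 48-byte body as one POST, while the lenient back end stops after the zero-length chunk and treats the remaining "GET /admin" bytes as the next request on the same connection, which is the smuggled payload. The strict rule rejects the request outright because Transfer-Encoding and Content-Length are both present; a parser that only honours a Transfer-Encoding value it can fully validate, and refuses to guess when the two headers disagree, gives the front end and back end no room to diverge.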

David Walser 2020-03-04 22:03:05 CET

Status comment: Fixed upstream in 2.9.3 => (none)

Thomas Backlund 2020-03-06 23:12:33 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Herman Viaene 2020-03-08 11:00:18 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires lib64http-parser2
lib64git2_28
lib64git2_28
lib64http-parser2
nodejs
nodejs-libs
sssd-common
sssd-common
Wasn't much help for testing.
Tried
# urpmq --whatrequires-recursive lib64http-parser2
and found among many others kwrite-handbook, so installed that one and ran
$ strace -o httpparser.txt kwrite
and opened the handbook via the "Help" menu, read a few items and closed.
Found in trace
openat(AT_FDCWD, "/lib64/libhttp_parser.so.2", O_RDONLY|O_CLOEXEC) = 3
So OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-03-08 21:10:28 CET
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Mageia Robot 2020-03-08 23:38:58 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0131.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

