RedHat has issued an advisory today (March 4): https://access.redhat.com/errata/RHSA-2020:0703 The issue is fixed upstream in 2.9.3. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 2.9.3
Whiteboard: (none) => MGA7TOO
No obvious maintainer, so assigning globally; CC'ing Stig as having touched this relatively recently.
Assignee: bugsquad => pkg-bugs
CC: (none) => smelror
Version 2.9.3 pushed to Cauldron.
Advisory
========

http-parser has been updated to fix a security issue.

CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

References
==========
https://nvd.nist.gov/vuln/detail/CVE-2019-15605
https://access.redhat.com/errata/RHSA-2020:0703

Files
=====

Uploaded to core/updates_testing

libhttp-parser-devel-2.9.3-1.mga7
libhttp-parser2-2.9.3-1.mga7

from http-parser-2.9.3-1.mga7.src.rpm
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
Assignee: pkg-bugs => qa-bugs
Status comment: Fixed upstream in 2.9.3 => (none)
CC: (none) => tmb
Keywords: (none) => advisory
MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires lib64http-parser2
lib64git2_28
lib64git2_28
lib64http-parser2
nodejs
nodejs-libs
sssd-common
sssd-common
wasn't much help to test
Tried
# urpmq --whatrequires-recursive lib64http-parser2
and found among many others kwrite-handbook, so installed that one and ran
$ strace -o httpparser.txt kwrite
and opened handbook via "Help" menu, read a few items and closed.
Found in trace
openat(AT_FDCWD, "/lib64/libhttp_parser.so.2", O_RDONLY|O_CLOEXEC) = 3
So OK for me.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
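The trace check used in the test above can be scripted so that only opens which actually succeeded count, since the dynamic loader may probe several directories and a plain text match on the library name also hits the failed probes. This is an added example, not part of the original report; the function names `loaded_lib_paths` and `lib_was_loaded` are hypothetical and the trace lines are constructed sample data.

```shell
# Constructed sample trace in the format written by "strace -o FILE".
SAMPLE_TRACE='openat(AT_FDCWD, "/usr/lib64/kf5/libhttp_parser.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libhttp_parser.so.2", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libmissing.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

# loaded_lib_paths SONAME < trace
# Prints each path whose basename is SONAME and whose open/openat call
# returned a file descriptor; failed loader probes (-1 ENOENT) are skipped.
loaded_lib_paths() {
    awk -v soname="$1" '
        # An optional leading PID covers traces taken with "strace -f".
        /^([0-9]+ +)?(open|openat)\(/ {
            # The path is the first double-quoted string on the line.
            if (split($0, q, "\"") < 3) next
            path = q[2]
            n = split(path, parts, "/")
            if (parts[n] != soname) next
            # The return value follows the last ") = ".
            ret = $0
            sub(/^.*\) = /, "", ret)
            if (ret ~ /^[0-9]+/) print path
        }
    ' | sort -u
}

# lib_was_loaded SONAME < trace
# Exit status 0 if at least one open of SONAME succeeded.
lib_was_loaded() {
    [ -n "$(loaded_lib_paths "$1")" ]
}

# Show which copy of the library the traced process opened.
printf '%s\n' "$SAMPLE_TRACE" | loaded_lib_paths libhttp_parser.so.2
```

Against a real trace, feed the file on stdin, for example `lib_was_loaded libhttp_parser.so.2 < httpparser.txt`.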
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0131.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED