A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks.
CVE: (none) => CVE-2017-18869
Whiteboard: (none) => MGA7TOO
Summary: nodejs-chownr security issue CVE-2017-18869 => nodejs-chownr new security issue CVE-2017-18869
Status comment: (none) => Fixed upstream in 1.1.0
This is for you Stig.
CC: (none) => ouaurelien
Assignee: bugsquad => smelror
Version 1.1.4 pushed in Cauldron.
CC: (none) => mageia
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)
fixed in mga7:
src:
- nodejs-chownr-1.1.0-1.mga7
Status comment: Fixed upstream in 1.1.0 => (none)
Assignee: smelror => qa-bugs
Advisory:
========================

Updated nodejs-chownr package fixes security vulnerability:

A TOCTOU issue in the chownr package before 1.1.0 for Node.js 10.10 could allow a local attacker to trick it into descending into unintended directories via symlink attacks (CVE-2017-18869).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18869
MGA7-64 MATE on Peaq C1011
No installation issues.
This is a developers library.
OK on clean install.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK
Thank you, Herman. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0169.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
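
The symlink descent named in the issue description at the top of this report, as an added JavaScript example (not chownr's code and not part of this bug report). It lists what a recursive ownership change would touch when descent is decided by `stat()` versus by the entry type `readdir` reports; `ownershipTargets`, `buildFixture`, `demo` and the temporary tree are hypothetical names and constructed data.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Returns the paths a recursive ownership change would touch under `root`.
// followLinks=true decides descent with stat(), which resolves symlinks (the
// unsafe pattern); followLinks=false uses the entry type reported by readdir
// itself, so a symlink is listed but never descended into.
function ownershipTargets(root, followLinks) {
  const out = [];
  const walk = (dir) => {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const p = path.join(dir, ent.name);
      const isDir = followLinks ? fs.statSync(p).isDirectory() : ent.isDirectory();
      out.push(p);
      if (isDir) walk(p);
    }
  };
  walk(root);
  return out.sort();
}

// Constructed fixture: a tree that contains a symlink pointing outside it.
function buildFixture() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'walk-demo-'));
  const root = path.join(base, 'tree');
  const outside = path.join(base, 'outside');
  fs.mkdirSync(path.join(root, 'sub'), { recursive: true });
  fs.mkdirSync(outside);
  fs.writeFileSync(path.join(root, 'sub', 'b.txt'), 'b');
  fs.writeFileSync(path.join(outside, 'not-ours.txt'), 'x');
  fs.symlinkSync(outside, path.join(root, 'link'));
  return { base, root };
}

// Runs both walkers over the fixture and returns paths relative to the tree.
function demo() {
  const { base, root } = buildFixture();
  const rel = (list) => list.map((p) => path.relative(root, p));
  const result = {
    following: rel(ownershipTargets(root, true)),
    noFollow: rel(ownershipTargets(root, false)),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return result;
}

console.log(demo());
```

The walker that follows links reports a file outside the tree as a target; the other one stops at the link. When the link entry itself has to be changed, `fs.lchown` acts on the link rather than on what it points to.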