Bug 27972 - nodejs-handlebars new security issue CVE-2019-20922
Summary: nodejs-handlebars new security issue CVE-2019-20922
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Stig-Ørjan Smelror
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-29 10:23 CET by Zombie Ryushu
Modified: 2021-07-01 18:27 CEST
CC: 2 users

See Also:
Source RPM: nodejs-handlebars-4.0.13-4.mga8.src
CVE: CVE-2019-20922
Status comment: Fixed upstream in 4.4.5


Attachments

Description Zombie Ryushu 2020-12-29 10:23:36 CET
Handlebars before 4.4.5 allows Regular Expression Denial of Service (ReDoS) because of eager matching. The parser may be forced into an endless loop while processing crafted templates. This may allow attackers to exhaust system resources.
Zombie Ryushu 2020-12-29 10:23:47 CET

CVE: (none) => CVE-2019-20922
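
The status comment records the fix as upstream 4.4.5, so the defender-side check is whether any resolved copy of the package in a project's dependency tree predates that release. The script below is an added example, not code from this bug report, from Mageia, or from the Handlebars project: it walks an npm `package-lock.json` (both the nested lockfileVersion 1 layout and the flat `packages` map of versions 2 and 3, as I understand those formats) and flags every `handlebars` entry below 4.4.5. The two embedded lockfiles are constructed sample input; a pre-release of 4.4.5 is deliberately treated as still vulnerable.

```python
"""Flag nodejs-handlebars copies affected by CVE-2019-20922 in an npm lockfile.

Added example (not from the Mageia bug page or the Handlebars project).
Assumption: the fix boundary is the upstream 4.4.5 release named in the bug.
"""
import json

PACKAGE = "handlebars"
FIXED_IN = (4, 4, 5)  # from the bug's status comment: fixed upstream in 4.4.5


def parse_version(text):
    """Parse 'MAJOR.MINOR.PATCH[-pre][+build]' into a comparable tuple.

    Build metadata is ignored. A pre-release sorts below the final release
    (4.4.5-rc.1 < 4.4.5), so a pre-release of the fixed version is still flagged.
    """
    text = text.strip().lstrip("v").split("+", 1)[0]
    core, _, pre = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:          # tolerate '4.4' style versions
        parts.append(0)
    return tuple(parts[:3]) + ((0,) if pre else (1,))


def is_vulnerable(version):
    """True when the resolved version predates the upstream fix."""
    return parse_version(version) < FIXED_IN + (1,)


def _walk_v1(deps, prefix):
    """lockfileVersion 1: dependencies nest under each package entry."""
    for name, meta in deps.items():
        path = prefix + "node_modules/" + name
        if name == PACKAGE:
            yield path, meta["version"]
        yield from _walk_v1(meta.get("dependencies", {}), path + "/")


def find_package(lock):
    """Yield (install path, version) for every resolved copy of PACKAGE."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by path
        for path, meta in lock["packages"].items():
            if path.rsplit("node_modules/", 1)[-1] == PACKAGE:
                yield path, meta["version"]
    else:
        yield from _walk_v1(lock.get("dependencies", {}), "")


def audit(lock_text):
    """Return sorted (path, version, vulnerable) triples for a lockfile's text."""
    lock = json.loads(lock_text)
    return sorted((path, ver, is_vulnerable(ver)) for path, ver in find_package(lock))


# Constructed sample lockfiles (not real project data).
SAMPLE_LOCK_V2 = json.dumps({
    "name": "demo-app", "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/handlebars": {"version": "4.0.13"},
        "node_modules/some-tool": {"version": "2.1.0"},
        "node_modules/some-tool/node_modules/handlebars": {"version": "4.7.7"},
    },
})

SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "handlebars": {"version": "4.5.3"},
        "gulp-thing": {
            "version": "1.0.0",
            "dependencies": {"handlebars": {"version": "4.4.5-rc.1"}},
        },
    },
})

if __name__ == "__main__":
    for label, text in (("v2", SAMPLE_LOCK_V2), ("v1", SAMPLE_LOCK_V1)):
        for path, ver, bad in audit(text):
            print(f"[{label}] {path} {ver}: {'VULNERABLE' if bad else 'ok'}")
```

Run it against a real `package-lock.json` by passing the file's contents to `audit()`; any triple whose third field is `True` is a copy that still needs the 4.4.5 update, including copies nested under other dependencies that a top-level `npm ls` glance can miss.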

David Walser 2020-12-29 17:10:30 CET

Whiteboard: (none) => MGA7TOO
Summary: nodejs-handlebars security issue CVE-2019-20922 => nodejs-handlebars new security issue CVE-2019-20922
Status comment: (none) => Fixed upstream in 4.4.5

Comment 1 Aurelien Oudelet 2020-12-29 21:12:07 CET
This is also for you, Stig.

CC: (none) => ouaurelien
Assignee: bugsquad => smelror

Comment 2 Nicolas Lécureuil 2020-12-31 00:25:06 CET
Version 4.4.5 pushed to Cauldron.

Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7

Comment 3 David Walser 2021-07-01 18:27:32 CEST
https://blog.mageia.org/en/2021/06/08/mageia-7-will-reach-end-of-support-on-30th-of-june-the-king-is-dead-long-live-the-king/

Resolution: (none) => OLD
Status: NEW => RESOLVED

