Bug 30740 - http-parser new security issue CVE-2020-8287
Summary: http-parser new security issue CVE-2020-8287
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-08-12 18:40 CEST by David Walser
Modified: 2022-10-28 08:55 CEST (History)
6 users (show)

See Also:
Source RPM: http-parser-2.9.4-1.mga8.src.rpm
CVE: CVE-2020-8287
Status comment:


Attachments

Description David Walser 2022-08-12 18:40:00 CEST
Ubuntu has issued an advisory on August 10:
https://ubuntu.com/security/notices/USN-5563-1

Mageia 8 is also affected.
David Walser 2022-08-12 18:40:10 CEST

Status comment: (none) => Patch available from Ubuntu
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2022-08-12 22:56:59 CEST
Assigning to the registered maintainer

Assignee: bugsquad => thierry.vignaud
CC: (none) => marja11

Comment 2 Nicolas Salguero 2022-10-19 14:18:20 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

http-parser could be made to expose sensitive data if it received a specially crafted request. (CVE-2020-8287)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287
https://ubuntu.com/security/notices/USN-5563-1
========================

Updated packages in core/updates_testing:
========================
lib(64)http-parser2-2.9.4-1.1.mga8
lib(64)http-parser-devel-2.9.4-1.1.mga8

from SRPM:
http-parser-2.9.4-1.1.mga8.src.rpm

Version: Cauldron => 8
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2020-8287
Status: NEW => ASSIGNED
Assignee: thierry.vignaud => qa-bugs
Status comment: Patch available from Ubuntu => (none)
Whiteboard: MGA8TOO => (none)

Comment 3 Herman Viaene 2022-10-25 16:01:38 CEST
MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 26293 for test:
Installed kwrite-handbook, opened kwrite and jumped around in the handbook, all worked OK.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2022-10-26 20:01:36 CEST
Validating. Advisoryn in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-10-28 03:46:35 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-10-28 08:55:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0393.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.