Bug 31313 - nodejs-hawk new security issue CVE-2022-29167
Summary: nodejs-hawk new security issue CVE-2022-29167
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-12-23 17:47 CET by David Walser
Modified: 2024-03-24 05:58 CET
4 users

See Also:
Source RPM: nodejs-hawk-7.0.10-4.mga9.src.rpm
CVE: CVE-2022-29167
Status comment:


Attachments

Description David Walser 2022-12-23 17:47:18 CET
Debian-LTS has issued an advisory today (December 23):
https://www.debian.org/lts/security/2022/dla-3246

The issue is fixed upstream in 9.0.1:
https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq

Mageia 8 is also affected.
David Walser 2022-12-23 17:47:28 CET

Status comment: (none) => Fixed upstream in 9.0.1
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-12-23 20:59:48 CET
This is clearly for you, Stig (registered pkger, and did last version). Just a version upgrade.

Assignee: bugsquad => smelror

Comment 2 David Walser 2023-06-20 14:45:45 CEST
Ubuntu has issued an advisory for this on May 30:
https://ubuntu.com/security/notices/USN-6116-1
Comment 3 Nicolas Salguero 2024-03-18 15:32:48 CET
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to a regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use the built-in `URL` class to parse the hostname instead. `Hawk.authenticate()` accepts an `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`. (CVE-2022-29167)

References:
https://www.debian.org/lts/security/2022/dla-3246
https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
https://ubuntu.com/security/notices/USN-6116-1
========================

Updated package in core/updates_testing:
========================
nodejs-hawk-7.0.10-4.1.mga9

from SRPM:
nodejs-hawk-7.0.10-4.1.mga9.src.rpm

Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 9
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 9.0.1 => (none)
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-29167

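Host-header parsing in the spirit of the 9.0.1 fix described in the advisory above, as an added example in JavaScript; this is not Hawk's own code, `parseHostHeader` and `resolveHost` are assumed names, and the `options.host`/`options.port` short-circuit mirrors the workaround the advisory mentions:

```javascript
// Added example, not Hawk's code. Uses the global WHATWG URL class (Node >= 10)
// instead of a regular expression, so parsing time grows linearly with input.

// Parse a "host[:port]" Host header value. Returns { name, port } or null
// when the value is not a plain host. `scheme` selects the default port.
function parseHostHeader(hostHeader, scheme = 'http') {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return null;
  let url;
  try {
    // The URL parser handles IPv6 literals such as "[::1]:8000" and rejects
    // invalid or out-of-range ports by throwing.
    url = new URL(`${scheme}://${hostHeader}/`);
  } catch (e) {
    return null;
  }
  // A bare host must not have produced userinfo, a path, a query or a fragment;
  // if it did, the header contained characters that do not belong in a host.
  if (url.username || url.password || url.pathname !== '/' ||
      url.search || url.hash) {
    return null;
  }
  const defaultPort = scheme === 'https' ? 443 : 80;
  return {
    name: url.hostname,                                  // lower-cased by URL
    port: url.port === '' ? defaultPort : Number(url.port),
  };
}

// Mirror of the mitigation path in the advisory: when the caller already
// supplies host and port in options, the Host header is never parsed.
function resolveHost(req, options = {}) {
  if (options.host && options.port) {
    return { name: options.host, port: Number(options.port) };
  }
  const encrypted = req.connection && req.connection.encrypted;
  return parseHostHeader(req.headers.host, encrypted ? 'https' : 'http');
}
```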
Comment 4 Herman Viaene 2024-03-23 11:53:56 CET
MGA9-64 Plasma Wayland on HP Pavilion
No installation issues.
Developer's territory, OK on clean install

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2024-03-23 13:47:00 CET
As I'm sure Herman found, there are no previous Mageia updates, and urpmq reports it's only required by itself.

Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2024-03-23 19:24:33 CET

Keywords: (none) => advisory

Comment 6 katnatek 2024-03-23 19:25:29 CET
I created it 4 days ago but forgot to put the keyword :P
Comment 7 Mageia Robot 2024-03-24 05:58:31 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0086.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
