Debian-LTS has issued an advisory today (December 23): https://www.debian.org/lts/security/2022/dla-3246
The issue is fixed upstream in 9.0.1: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 9.0.1
Whiteboard: (none) => MGA8TOO
This is clearly for you, Stig (registered pkger, and did last version). Just a version upgrade.
Assignee: bugsquad => smelror
Ubuntu has issued an advisory for this on May 30: https://ubuntu.com/security/notices/USN-6116-1
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. `parseHost()` was patched in `9.0.1` to use built-in `URL` class to parse hostname instead. `Hawk.authenticate()` accepts `options` argument. If that contains `host` and `port`, those would be used instead of a call to `utils.parseHost()`. (CVE-2022-29167)

References:
https://www.debian.org/lts/security/2022/dla-3246
https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq
https://ubuntu.com/security/notices/USN-6116-1
========================

Updated package in core/updates_testing:
========================
nodejs-hawk-7.0.10-4.1.mga9

from SRPM:
nodejs-hawk-7.0.10-4.1.mga9.src.rpm
Status: NEW => ASSIGNED
CC: (none) => nicolas.salguero
Version: Cauldron => 9
Assignee: smelror => qa-bugs
Status comment: Fixed upstream in 9.0.1 => (none)
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2022-29167
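The fix the advisory describes, parsing the `Host` header with the built-in `URL` class instead of a regular expression and honouring an explicit `host`/`port` in `options`, as an added JavaScript example. This is not hawk's own code: the function names `parseHostHeader` and `resolveHost`, the length bound and the shape of `options` are assumptions made for illustration.

```javascript
// Added example (not hawk's code): a Host header parser with no
// hand-written regular expression. The WHATWG URL parser runs in linear
// time, so input length cannot blow up parse cost the way a backtracking
// regex can.

// Assumed bound: a legitimate Host header is short. Rejecting oversized
// values before parsing caps the work done per request.
const MAX_HOST_HEADER_LENGTH = 256;

// Characters that never belong in a Host value; any of them would make
// the URL parser read part of the input as userinfo, path, query or fragment.
const FORBIDDEN_HOST_CHARS = ['/', '\\', '?', '#', '@'];

// Parse "host[:port]" from a Host header value.
// Returns { name, port } or null when the value is missing or malformed.
function parseHostHeader(hostHeader, defaultPort) {
  if (typeof hostHeader !== 'string') return null;
  if (hostHeader.length === 0 || hostHeader.length > MAX_HOST_HEADER_LENGTH) return null;
  if (FORBIDDEN_HOST_CHARS.some((c) => hostHeader.includes(c))) return null;

  let url;
  try {
    // Prefix a scheme so the URL class treats the value as an authority.
    url = new URL('http://' + hostHeader);
  } catch (e) {
    // The URL parser rejects whitespace, bad port syntax, invalid IPv6, etc.
    return null;
  }
  if (!url.hostname) return null;

  // URL drops the scheme's default port (80 for http), so an explicit ":80"
  // would otherwise be indistinguishable from "no port given".
  let port;
  if (url.port !== '') {
    port = Number(url.port);
  } else if (hostHeader.endsWith(':80')) {
    port = 80;
  } else {
    port = defaultPort;
  }
  return { name: url.hostname, port };
}

// Mirrors the advisory's note: when the caller supplies host and port in
// options, the header is not parsed at all.
function resolveHost(req, options, defaultPort) {
  if (options && options.host && options.port) {
    return { name: options.host, port: options.port };
  }
  const header = req && req.headers ? req.headers.host : undefined;
  return parseHostHeader(header, defaultPort);
}
```

The `URL` class also normalises the hostname (lower-casing it and keeping IPv6 literals in brackets), which is the behaviour a caller comparing the parsed host against the one signed in the Hawk MAC wants.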
MGA9-64 Plasma Wayland on HP-Pavillion. No installation issues. Developer's territory, OK on clean install.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
As I'm sure Herman found, there are no previous Mageia updates, and urpmq reports it's only required by itself. Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
I created it 4 days ago but forgot to put the keyword :P
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0086.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED