RedHat has issued an advisory today (January 23): https://access.redhat.com/errata/RHSA-2023:0321 The issue is fixed upstream in 1.2.6. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOOStatus comment: (none) => Fixed upstream in 1.2.6
This is something hardly touched (the current version is 2y old), no evident packager, so assigning globally.
Assignee: bugsquad => pkg-bugs
Suggested advisory: ======================== The updated package fixes a security vulnerability: Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). (CVE-2021-44906) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44906 https://access.redhat.com/errata/RHSA-2023:0321 ======================== Updated package in core/updates_testing: ======================== nodejs-minimist-1.2.7-1.mga8 from SRPM: nodejs-minimist-1.2.7-1.mga8.src.rpm
Status comment: Fixed upstream in 1.2.6 => (none)CC: (none) => nicolas.salgueroWhiteboard: MGA8TOO => (none)Source RPM: nodejs-minimist-1.2.5-2.mga9.src.rpm => nodejs-minimist-1.2.5-1.mga8.src.rpmVersion: Cauldron => 8CVE: (none) => CVE-2021-44906Status: NEW => ASSIGNEDAssignee: pkg-bugs => qa-bugs
MGA8-64 MATE on Aver Aspire 5253 No installation issues No wiki, no previous updates, so googled a little to find out what this is. Turms out to be a Javascript library, so I give the OK on clean install as with other developer's stuff.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Validating. Advisory in Comment 2.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0035.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED