Debian-LTS has issued an advisory on January 30: https://www.debian.org/lts/security/2023/dla-3299 The issue is fixed upstream in 6.5.3. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 6.5.3
Whiteboard: (none) => MGA8TOO
Assigning to our registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => smelror
Advisory
========

Updated to fix a security issue.

CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000.

References
==========

https://www.debian.org/lts/security/2023/dla-3299
https://security-tracker.debian.org/tracker/CVE-2022-24999

Files
=====

Uploaded to core/updates_testing:
nodejs-qs-6.5.3-1.mga8 from nodejs-qs-6.5.3-1.mga8.src.rpm
Assignee: smelror => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 6.5.3 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => smelror
MGA8-64 MATE on Acer Aspire 5253. No installation issues. This is a developer's library. After looking in vain for an example I could understand, I decided to treat this as other developer's stuff: OK on clean install.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating, Advisory in Comment 2.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0053.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED