Bug 31494 - nodejs-qs new security issue CVE-2022-24999
Summary: nodejs-qs new security issue CVE-2022-24999
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2023-02-01 17:41 CET by David Walser
Modified: 2023-02-20 22:27 CET
CC List: 6 users

See Also:
Source RPM: nodejs-qs-6.5.1-4.mga9.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2023-02-01 17:41:06 CET
Debian-LTS has issued an advisory on January 30:
https://www.debian.org/lts/security/2023/dla-3299

The issue is fixed upstream in 6.5.3.

Mageia 8 is also affected.
David Walser 2023-02-01 17:41:17 CET

Status comment: (none) => Fixed upstream in 6.5.3
Whiteboard: (none) => MGA8TOO

Comment 1 Marja Van Waes 2023-02-04 22:27:32 CET
Assigning to our registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => smelror

Comment 2 Stig-Ørjan Smelror 2023-02-05 08:25:30 CET
Advisory
========
Updated to fix a security issue.

CVE-2022-24999: qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000.

References
==========
https://www.debian.org/lts/security/2023/dla-3299
https://security-tracker.debian.org/tracker/CVE-2022-24999

Files
=====

Uploaded to core/updates_testing

nodejs-qs-6.5.3-1.mga8

from nodejs-qs-6.5.3-1.mga8.src.rpm

Assignee: smelror => qa-bugs
Version: Cauldron => 8
Status comment: Fixed upstream in 6.5.3 => (none)
Whiteboard: MGA8TOO => (none)
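
Defense-in-depth check for the payload quoted in the advisory above, added here as an example; it is not code from the Mageia package, from qs or from Express, and the real fix is the updated nodejs-qs package. It assumes a Node application that can see the raw query string before a nested-key parser such as qs does; the middleware signature and the three sample queries are assumptions constructed for the demonstration. It goes slightly beyond the CVE payload: besides `__proto__` it also refuses `constructor` and `prototype` as bracket segments (the same prototype-pollution key family), and it checks after percent-decoding so that an encoded `%5B__proto__%5D` is caught as well as the literal form.

```javascript
'use strict';
// Added example, not part of the Mageia report, qs or Express. A request-level
// guard that refuses query strings whose bracketed key paths name prototype
// properties, before the string reaches a nested-key parser such as qs.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a qs-style key such as "a[__proto__][0]" into its path segments.
// An empty "[]" segment (array push) is kept as "" so callers can see it.
function keyPath(key) {
  const m = /^([^[\]]*)((?:\[[^[\]]*\])*)$/.exec(key);
  if (!m) return [key]; // malformed brackets: treat the whole key as one segment
  const segments = [m[1]];
  const re = /\[([^[\]]*)\]/g;
  let part;
  while ((part = re.exec(m[2])) !== null) segments.push(part[1]);
  return segments;
}

// Returns the offending raw keys (empty array when the query is clean).
// URLSearchParams percent-decodes and '+'-decodes the keys first, so an
// encoded "a%5B__proto__%5D" is caught as well as the literal form.
function findPrototypeKeys(rawQuery) {
  const offenders = [];
  for (const [key] of new URLSearchParams(rawQuery)) {
    if (keyPath(key).some((s) => FORBIDDEN_SEGMENTS.has(s))) offenders.push(key);
  }
  return offenders;
}

// Express-style middleware (assumed wiring; Express itself is not needed to run this).
// Rejects with 400 before any nested parser is invoked on the query string.
function rejectPrototypeKeys(req, res, next) {
  const q = req.url.indexOf('?');
  const raw = q === -1 ? '' : req.url.slice(q + 1);
  const bad = findPrototypeKeys(raw);
  if (bad.length > 0) {
    res.statusCode = 400;
    res.end('rejected query keys: ' + bad.join(', '));
    return;
  }
  next();
}

// Constructed samples: the advisory's payload, an encoded variant, and a benign query.
const PAYLOAD = 'a[__proto__]=b&a[__proto__]&a[length]=100000000';
const ENCODED = 'a%5B__proto__%5D=b&a%5Bconstructor%5D%5Bprototype%5D%5Bx%5D=1';
const BENIGN = 'page=2&filter[status]=open&ids[]=3&ids[]=4';

if (typeof require !== 'undefined' && require.main === module) {
  for (const q of [PAYLOAD, ENCODED, BENIGN]) {
    console.log(JSON.stringify(q), '->', findPrototypeKeys(q));
  }
}

if (typeof module !== 'undefined') {
  module.exports = { keyPath, findPrototypeKeys, rejectPrototypeKeys, PAYLOAD, ENCODED, BENIGN };
}
```

Run it with `node guard.js`: the advisory payload and the encoded variant each report two offending keys, the benign query none. Mount `rejectPrototypeKeys` ahead of the query parser in the application; it is a cheap extra check, not a substitute for the 6.5.3 update, since a parser bug can only be fixed in the parser.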

David Walser 2023-02-05 14:56:09 CET

CC: (none) => smelror

Comment 3 Herman Viaene 2023-02-14 12:01:51 CET
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
This is a developer's library. After looking in vain for an example I could understand, I decided to treat this as other developers' stuff: OK on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2023-02-15 21:38:54 CET
Validating, Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-20 21:02:06 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2023-02-20 22:27:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0053.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
