Debian-LTS has issued an advisory on July 10: https://www.debian.org/lts/security/2023/dla-3488 The issue is fixed upstream in 4.1.3. Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Status comment: (none) => Fixed upstream in 4.1.3
This is one for Stig (last touched 5y ago!).
Assignee: bugsquad => smelror
Suggested advisory:
========================

The updated package fixes a security vulnerability:

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized. (CVE-2023-26136)

References:
https://www.debian.org/lts/security/2023/dla-3488
========================

Updated package in core/updates_testing:
========================
nodejs-tough-cookie-2.3.4-5.1.mga9

from SRPM:
nodejs-tough-cookie-2.3.4-5.1.mga9.src.rpm
Assignee: smelror => qa-bugs
Version: Cauldron => 9
Status comment: Fixed upstream in 4.1.3 => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
CVE: (none) => CVE-2023-26136
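The advisory's "manner in which the objects are initialized" points at a nested cookie index built from plain object literals; the following is an added example (my own code, not tough-cookie's) that models that defect beside the hardened form, using hypothetical class and function names and a constructed cookie, and without modelling the public-suffix check that rejectPublicSuffixes=true would apply to the domain.

```javascript
// Added example, not tough-cookie's own code: it models the initialisation
// defect behind CVE-2023-26136 in miniature. A nested in-memory cookie index
// (domain -> path -> name) built from plain object literals lets a cookie
// whose domain is "__proto__" write into Object.prototype; keying the index
// with Object.create(null) removes the prototype and with it the problem.
// CookieIndex, newLevel and pollutesPrototype are hypothetical names.

function newLevel(nullProto) {
  return nullProto ? Object.create(null) : {};
}

class CookieIndex {
  constructor(nullProto) {
    this.nullProto = nullProto;
    this.idx = newLevel(nullProto);
  }

  // Lazily creates idx[domain][path] and stores the cookie under its name.
  // With plain objects, idx["__proto__"] resolves to Object.prototype, so the
  // "missing level" check is skipped and the path level is created on the
  // shared prototype instead of on this index.
  put(domain, path, name, cookie) {
    if (!this.idx[domain]) this.idx[domain] = newLevel(this.nullProto);
    if (!this.idx[domain][path]) this.idx[domain][path] = newLevel(this.nullProto);
    this.idx[domain][path][name] = cookie;
  }
}

// Stores one cookie with a "__proto__" domain and reports whether
// Object.prototype afterwards carries the path level as an own property,
// i.e. whether every object in the process now sees it. Cleans up so the
// rest of the process is left intact.
function pollutesPrototype(nullProto) {
  const probePath = "/probe-path"; // constructed sample value
  const index = new CookieIndex(nullProto);
  index.put("__proto__", probePath, "sid", { key: "sid", value: "constructed" });
  const leaked = Object.prototype.hasOwnProperty.call(Object.prototype, probePath);
  delete Object.prototype[probePath];
  return leaked;
}

console.log("plain-object index polluted:", pollutesPrototype(false)); // true
console.log("null-prototype index polluted:", pollutesPrototype(true)); // false
```

The same check makes a useful regression test against a packaged tough-cookie: build a CookieJar with rejectPublicSuffixes=false, set a cookie for domain "__proto__", and assert that a fresh `{}` has not gained the path key.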
Keywords: (none) => advisory
RH mageia 9 x86_64

Install current package
LC_ALL=C urpmi nodejs-tough-cookie https://mirror.math.princeton.edu/pub/mageia/distrib/9/x86_64/media/core/release/nodejs-tough-cookie-2.3.4-5.mga9.noarch.rpm
installing nodejs-tough-cookie-2.3.4-5.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing... ######################################################################################
      1/1: nodejs-tough-cookie ######################################################################################

Update to testing version
LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (32-bit)" is up-to-date
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release (distrib1)" is up-to-date
medium "Core Updates (distrib3)" is up-to-date
medium "Nonfree Release (distrib11)" is up-to-date
medium "Nonfree Updates (distrib13)" is up-to-date
medium "Tainted Release (distrib21)" is up-to-date
medium "Tainted Updates (distrib23)" is up-to-date
medium "Core 32bit Release (distrib31)" is up-to-date
medium "Core 32bit Updates (distrib32)" is up-to-date
medium "Nonfree 32bit Release (distrib36)" is up-to-date
medium "Tainted 32bit Release (distrib41)" is up-to-date
medium "Tainted 32bit Updates (distrib42)" is up-to-date
installing nodejs-tough-cookie-2.3.4-5.1.mga9.noarch.rpm from //home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
      1/1: nodejs-tough-cookie ######################################################################################
      1/1: removing nodejs-tough-cookie-2.3.4-5.mga9.noarch ######################################################################################

Remove package
LC_ALL=C urpme nodejs-tough-cookie
removing nodejs-tough-cookie-2.3.4-5.1.mga9.noarch
removing package nodejs-tough-cookie-2.3.4-5.1.mga9.noarch
      1/1: removing nodejs-tough-cookie-2.3.4-5.1.mga9.noarch ######################################################################################
CC: (none) => andrewsfarm
No previous rounds of the package. Giving OK.
Whiteboard: (none) => MGA9-64-OK
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Assuming the version number is correct as-is and shouldn't be rotated right once to 1.2.3-4.5 :-)
CC: (none) => dan
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0080.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED