Bug 1588890 (CVE-2017-16030)

Summary:	CVE-2017-16030 nodejs-useragent: Regular expression Denial-of-Service via long UserAgent header
Product:	[Other] Security Response	Reporter:	Sam Fowler <sfowler>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED WONTFIX	QA Contact:
Severity:	medium	Docs Contact:
Priority:	medium
Version:	unspecified	CC:	dffrench, drusso, jmadigan, jshepherd, lgriffin, ngough, pwright, rrajasek, trepel
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	nodejs-useragent 2.1.13	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2019-08-08 07:18:17 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1588891

Description Sam Fowler 2018-06-08 02:34:41 UTC

nodejs-useragent before version 2.1.13 is vulnerable to regular expression denial of service when an arbitrarily long User-Agent header is parsed.


Reference:

https://nodesecurity.io/advisories/312#


Upstream Patches:

https://github.com/3rd-Eden/useragent/commit/cbc106584bc417bd5843d3e0fa4d89ef81cd6988
https://github.com/3rd-Eden/useragent/commit/b18cf7c2a13c994ea8d6d0d132feef4eb8193c36

Comment 1 Jason Shepherd 2019-08-08 04:32:14 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 2 Jason Shepherd 2019-08-08 04:32:31 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 3 Jason Shepherd 2019-08-08 04:32:38 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 4 Jason Shepherd 2019-08-08 04:33:15 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 5 Jason Shepherd 2019-08-08 04:33:25 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 6 Jason Shepherd 2019-08-08 04:33:31 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 7 Jason Shepherd 2019-08-08 04:33:37 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 8 Jason Shepherd 2019-08-08 04:33:43 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 9 Jason Shepherd 2019-08-08 04:33:50 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 10 Jason Shepherd 2019-08-08 04:33:56 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 11 Jason Shepherd 2019-08-08 04:34:02 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 12 Jason Shepherd 2019-08-08 04:34:08 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 13 Jason Shepherd 2019-08-08 04:34:15 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 14 Jason Shepherd 2019-08-08 04:34:23 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 15 Jason Shepherd 2019-08-08 04:34:28 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 16 Jason Shepherd 2019-08-08 04:34:35 UTC

This vulnerability is out of security support scope for the following product:

 * Red Hat Mobile Application Platform

 Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details

Comment 17 Product Security DevOps Team 2019-08-08 07:18:17 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-16030