Bug 2082458
| Summary: | CVE-2022-29167 dotnet3.1: hawk: REDoS in hawk.utils.parseHost() when parsing Host header [fedora-all] | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Avinash Hanwate <ahanwate> |
| Component: | dotnet3.1 | Assignee: | Omair Majid <omajid> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 35 | CC: | crummel, dotnet-packagers, francisco.vergarat, harold, omajid, rjanekov |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-08-08 21:05:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2082387 | | |
Description
Avinash Hanwate
2022-05-06 08:11:14 UTC
Use the following template for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable.

=====
# bugfix, security, enhancement, newpackage (required)
type=security

# low, medium, high, urgent (required)
severity=medium

# testing, stable
request=testing

# Bug numbers: 1234,9876
bugs=2082387,2082458

# Description of your update
notes=Security fix for [PUT CVEs HERE]

# Enable request automation based on the stable/unstable karma thresholds
autokarma=True
stable_karma=3
unstable_karma=-3

# Automatically close bugs when this is marked as stable
close_bugs=True

# Suggest that users restart after update
suggest_reboot=False
======

Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new

The only uses of the hawk npmjs module are in these .NET Core 3.1 files (looking at the 3.1.421 source tarball in Fedora):
packages/reference/staging/microsoft.dotnet.web.spa.projecttemplates.2.1/2.1.34/content/React-CSharp/ClientApp/package-lock.json
3724: "hawk": {
3726: "resolved": "https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz",
7755: "hawk": "6.0.2",
packages/reference/staging/microsoft.dotnet.web.spa.projecttemplates.2.1/2.1.34/content/Angular-CSharp/ClientApp/package-lock.json
5225: "node_modules/hawk": {
5227: "resolved": "https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz",
5229: "deprecated": "This module moved to @hapi/hawk. Please make sure to switch over as this distribution is no longer supported and may contain bugs and critical security issues.",
7015: "hawk": "~3.1.3",
17904: "hawk": {
17906: "resolved": "https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz",
19296: "hawk": "~3.1.3",
packages/reference/staging/microsoft.dotnet.web.spa.projecttemplates.2.1/2.1.34/content/ReactRedux-CSharp/ClientApp/package-lock.json
3724: "hawk": {
3726: "resolved": "https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz",
7799: "hawk": "6.0.2",
These are:
- Used as reference packages (think C header files)
- Correspond to versions 2.1.x of the .NET SDK/Runtime, which reached its End of Life in August 2021
- Only used to build the .NET SDK, but not included in the built product
- Project templates: that means users, if they ever end up with this (and they won't, see previous items), can change/override them after generating the projects from templates
I don't see how .NET Core 3.1 itself is vulnerable here.
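The check in the comment above was done by hand with grep over each template's package-lock.json. As an added example, not part of this bug report or the dotnet3.1 package, here is a small Python scanner that walks both lockfile shapes quoted above (lockfileVersion 1 nested "dependencies" trees and lockfileVersion 2/3 "packages" maps) and reports every pinned copy of hawk below a fixed-in version. The sample lockfiles are constructed from the versions quoted in the comment, and the fixed-in version 9.0.1 is an assumption to be verified against the upstream hawk advisory.

```python
import json
import re
from pathlib import Path

# Assumed fixed-in version for CVE-2022-29167 (the bug does not state it); verify upstream.
ASSUMED_FIXED_IN = "9.0.1"
# Constructed lockfile fragments mirroring the two shapes quoted in the bug: lockfileVersion 1
# nests packages under "dependencies", lockfileVersion 2/3 keys them by path under "packages".
LOCK_V1 = {"lockfileVersion": 1, "dependencies": {
    "request": {"version": "2.88.0", "dependencies": {
        "hawk": {"version": "6.0.2",
                 "resolved": "https://registry.npmjs.org/hawk/-/hawk-6.0.2.tgz"}}}}}
LOCK_V2 = {"lockfileVersion": 2, "packages": {
    "": {"name": "client-app"},
    "node_modules/hawk": {"version": "3.1.3",
        "resolved": "https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz",
        "deprecated": "This module moved to @hapi/hawk."}}}

def _version_tuple(v):
    # "6.0.2" -> (6, 0, 2); pre-release suffixes such as "9.0.1-beta.2" are ignored.
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def _walk_v1(deps, prefix=""):
    # Recurse through nested "dependencies" trees, rebuilding the on-disk node_modules path.
    for name, meta in (deps or {}).items():
        path = f"{prefix}node_modules/{name}"
        yield name, path, meta
        yield from _walk_v1(meta.get("dependencies"), path + "/")

def _walk_v2(packages):
    # Keys look like "node_modules/a/node_modules/hawk"; "" (the root project) never matches.
    for path, meta in (packages or {}).items():
        yield path.rsplit("node_modules/", 1)[-1], path, meta

def find_package(lock, name):
    """Every pinned copy of `name` in a parsed lockfile, with its location and provenance."""
    entries = _walk_v2(lock["packages"]) if "packages" in lock else _walk_v1(lock.get("dependencies"))
    return [{"path": p, "version": m.get("version"), "resolved": m.get("resolved"),
             "deprecated": m.get("deprecated")} for n, p, m in entries if n == name]

def affected_copies(lock, name, fixed_in=ASSUMED_FIXED_IN):
    """Copies of `name` pinned below `fixed_in`, i.e. still carrying the flaw."""
    return [c for c in find_package(lock, name)
            if c["version"] and _version_tuple(c["version"]) < _version_tuple(fixed_in)]

def scan_tree(root, name="hawk", fixed_in=ASSUMED_FIXED_IN):
    """Map every package-lock.json under `root` to its affected copies of `name`."""
    return {str(p): affected_copies(json.loads(p.read_text()), name, fixed_in)
            for p in Path(root).rglob("package-lock.json")}
```

Pointing scan_tree at an unpacked source tarball reproduces the hand search above and, because the "resolved" and "deprecated" fields are carried through, also shows whether a hit is the abandoned npm package rather than @hapi/hawk.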