moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, string-to-date parsing in moment (more precisely RFC 2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs; a noticeable slowdown is observed with inputs above 10k characters. Users who pass user-provided strings to the moment constructor without sanity length checks are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting the length of date strings accepted from user input.

References:
https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
https://github.com/moment/moment/pull/6015#issuecomment-1152961973
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
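The length limit the advisory recommends for users who cannot upgrade, next to a constructed illustration of why an end-anchored whitespace regex goes quadratic, as an added example that is not moment's code. moment is not required: `demoParseDate` stands in for the moment constructor, `MAX_DATE_INPUT` is an assumed limit chosen from the longest legitimate RFC 2822 date, and the `\s\s*$` pattern is a constructed specimen of the pattern class, not a quotation of the regex the fix commit changed.

```javascript
// Added example, not moment's own code: a length guard in front of a string-to-date
// parser, plus a constructed illustration of quadratic regex backtracking.
// `demoParseDate` is a stand-in for moment(str); swap in the real call.
'use strict';

// RFC 2822 date-times ("Thu, 07 Jul 2022 12:24:40 +0530") are well under 40 characters
// and ISO 8601 ones shorter still; 64 leaves headroom without admitting 10k-character input.
const MAX_DATE_INPUT = 64; // assumed limit, tune to the formats you actually accept

// Reject non-string or oversized input before any parser sees it.
// Returns { ok: true, value } or { ok: false, reason }.
function guardedParse(input, parseDate, maxLen = MAX_DATE_INPUT) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (input.length > maxLen) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLen}` };
  }
  return { ok: true, value: parseDate(input) };
}

// Constructed quadratic pattern: a greedy whitespace run that must reach end-of-string.
// On ' '.repeat(n) + 'x' the engine tries every start position, runs to the 'x', fails
// on '$', and backtracks through the rest of the run: O(n^2) steps in total.
function stripTrailingWsBacktracking(s) {
  return s.replace(/\s\s*$/, '');
}

// Linear replacement: one right-to-left scan, no regex engine involved.
function stripTrailingWsLinear(s) {
  return s.trimEnd();
}

// Adversarial input: a long whitespace run that is NOT at the end of the string.
function adversarialInput(n) {
  return ' '.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call; only used by the demo below.
function timeMs(fn, arg) {
  const t0 = process.hrtime.bigint();
  fn(arg);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Stand-in parser: whatever the platform Date accepts, else null.
function demoParseDate(s) {
  const d = new Date(s.trim());
  return Number.isNaN(d.getTime()) ? null : d;
}

// Demo with small n so it finishes instantly; raise n to 50000 to feel the quadratic cost.
for (const n of [1000, 4000]) {
  const input = adversarialInput(n);
  console.log(`n=${n}: regex ${timeMs(stripTrailingWsBacktracking, input).toFixed(2)} ms, ` +
              `trimEnd ${timeMs(stripTrailingWsLinear, input).toFixed(3)} ms`);
}
console.log(guardedParse('2022-07-07T12:24:40Z', demoParseDate));
console.log(guardedParse(adversarialInput(10000), demoParseDate).reason);
```

The guard is deliberately placed in front of the parser rather than inside it: the regexes that cost quadratic time run before moment decides whether the string is a date at all, so the only reliable pre-2.29.4 mitigation is to never hand them a long string. Timing output is informational; the functional checks are on return values.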
Why have you CC'ed many people, or to be exact the i18n-bugs list, on this bug?
In reply to comment #2:
> Why have you CC'ed many people, or to be exact the i18n-bugs list, on this bug?

The default CC list is based on the affects, that is, on who is on the CC list for the affected products.
I still don't get how the moment project CVE is related to i18n packages. The Fedora repository search only shows:

$ sudo dnf search moment
Last metadata expiration check: 4 days, 19:21:18 ago on Thu 07 Jul 2022 12:24:40 PM IST.
==================================== Name Matched: moment ====================================
perl-Time-Moment.x86_64 : Represents a date and time of day with an offset from UTC
================================== Summary Matched: moment ===================================
R-FMStable.x86_64 : Finite Moment Stable Distributions

Is moment a bundled Javascript library in some nodejs module package in Fedora?
You are not authorized to access bug #2105076.
Why is python-sig.org in CC for this RHEL bug? Is there something the Fedora SIG can/should do here?
In reply to comment #2:
> Why have you CC'ed many people, or to be exact the i18n-bugs list, on this bug?

i18n-bugs is on the initial CC list for the cldr-emoji-annotation component, which was added as possibly affected by this issue. The package is considered to include moment because moment is listed in tools/cldr-apps/js/package-lock.json (in the sources). However, moment does not seem to be included in the srpm or in any binary rpm, hence this looks like a false positive.
In reply to comment #7:
> Why is python-sig.org in CC for this RHEL bug? Is there
> something the Fedora SIG can/should do here?

python-sig is added because of python-notebook, but I do not see why that component was added here as possibly affected.
In reply to comment #9:
> In reply to comment #7:
> > Why is python-sig.org in CC for this RHEL bug? Is there
> > something the Fedora SIG can/should do here?
>
> python-sig is added because of python-notebook, but I do not see why that
> component was added here as possibly affected.

Sigh, I was checking incorrectly. python-notebook seems to bundle and ship moment in site-packages/notebook/static/components/moment/
(In reply to Tomas Hoger from comment #10)
> In reply to comment #9:
> > In reply to comment #7:
> > > Why is python-sig.org in CC for this RHEL bug? Is there
> > > something the Fedora SIG can/should do here?
> >
> > python-sig is added because of python-notebook, but I do not see why that
> > component was added here as possibly affected.
>
> Sigh, I was checking incorrectly. python-notebook seems to bundle and ship
> moment in site-packages/notebook/static/components/moment/

It does; it also provides bundled(moment) = 2.19.3.

(In reply to Petr Viktorin from comment #7)
> Why is python-sig.org in CC for this RHEL bug? Is there
> something the Fedora SIG can/should do here?

This is not a RHEL bug, but a tracking bug that covers Fedora, RHEL, EPEL, etc. All the maintainers of all the affected components in all the products are CC'ed here. That includes python-sig.org.
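The two outcomes in this thread, cldr-emoji-annotation flagged only because moment sits in a package-lock.json in its sources (comment 8) and python-notebook actually shipping the library with a bundled(moment) = 2.19.3 Provides (comments 10 and 11), turned into a repeatable triage check. This is an added example, not a Red Hat tool and not deptopia: the lockfile, file-list and Provides inputs below are constructed from the thread, the install prefix and moment.js filename under the python-notebook directory are assumed, the moment version in the cldr lockfile is a placeholder the thread does not give, and on a real system the lists would come from `rpm -ql <pkg>` and `rpm -q --provides <pkg>`.

```javascript
// Added example, not a Red Hat tool: separate "a scanner saw moment in a lockfile" from
// "the built RPM ships moment below the fixed version". Inputs are constructed from the
// thread; feed real packages the output of `rpm -ql` and `rpm -q --provides`.
'use strict';

const FIXED_VERSION = '2.29.4';

// Lockfile v1 nests dependencies by name under "dependencies" (recursively);
// v2/v3 key them by install path ("node_modules/moment") under "packages".
function walkV1(deps, found) {
  for (const [name, entry] of Object.entries(deps || {})) {
    if (name === 'moment' && entry.version) found.push(entry.version);
    walkV1(entry.dependencies, found);
  }
}
function lockfileMomentVersions(lock) {
  const found = [];
  walkV1(lock.dependencies, found);
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if ((path === 'node_modules/moment' || path.endsWith('/node_modules/moment')) && entry.version) {
      found.push(entry.version);
    }
  }
  return [...new Set(found)];
}

// Shipped paths that are a moment bundle or live under a moment/ directory.
function shippedMomentPaths(fileList) {
  return fileList.filter(p => /(^|\/)moment(\.min)?\.js$|\/moment\//i.test(p));
}

// Parse a "bundled(moment) = 2.19.3" Provides line; null if the package declares none.
function bundledMomentVersion(providesLines) {
  for (const line of providesLines) {
    const m = /^bundled\(moment\)\s*=\s*([0-9][0-9.]*)/.exec(line.trim());
    if (m) return m[1];
  }
  return null;
}

// Numeric dotted-version comparison: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Verdict for one package: 'not affected' | 'affected' | 'affected (version unknown)' | 'fixed'.
function triage({ name, lock, files, provides }) {
  const inLock = lockfileMomentVersions(lock);
  const shipped = shippedMomentPaths(files);
  if (shipped.length === 0) {
    const reason = inLock.length
      ? `moment ${inLock.join(', ')} appears only in a lockfile in the sources, not in any RPM`
      : 'moment not present';
    return { name, verdict: 'not affected', reason };
  }
  const v = bundledMomentVersion(provides);
  if (v === null) return { name, verdict: 'affected (version unknown)', reason: `ships ${shipped[0]} without a bundled(moment) Provides` };
  return compareVersions(v, FIXED_VERSION) < 0
    ? { name, verdict: 'affected', reason: `bundled(moment) = ${v} < ${FIXED_VERSION}` }
    : { name, verdict: 'fixed', reason: `bundled(moment) = ${v}` };
}

// Constructed inputs modelled on comments 8, 10 and 11 of this thread.
const cldrEmojiAnnotation = {
  name: 'cldr-emoji-annotation',
  // tools/cldr-apps/js/package-lock.json in the sources; the version is a placeholder
  lock: { lockfileVersion: 2, packages: { 'node_modules/moment': { version: '2.24.0' } } },
  files: ['/usr/share/cldr-emoji-annotation/annotations/en.xml'],   // constructed: no JS shipped
  provides: ['cldr-emoji-annotation'],                               // constructed
};
const pythonNotebook = {
  name: 'python-notebook',
  lock: {},                                                          // no npm lockfile assumed
  // directory from the thread; the /usr/lib/python3.10 prefix and moment.js name are assumed
  files: ['/usr/lib/python3.10/site-packages/notebook/static/components/moment/moment.js'],
  provides: ['bundled(moment) = 2.19.3'],                            // from the thread
};

for (const pkg of [cldrEmojiAnnotation, pythonNotebook]) console.log(triage(pkg));
```

The split matters because a lockfile records what a build tool may download, while the RPM file list and the bundled() Provides record what is installed on customers' systems; only the second can make a package affected, and only the second can later show it fixed.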
> python-sig is added because of python-notebook I see, thanks. For the future, where can I find the list of affected components?
(In reply to Tomas Hoger from comment #8)
> In reply to comment #2:
> > Why have you CC'ed many people, or to be exact the i18n-bugs list, on this bug?
>
> i18n-bugs is on the initial CC list for the cldr-emoji-annotation component,
> which was added as possibly affected by this issue. The package is
> considered to include moment because of moment being listed in
> tools/cldr-apps/js/package-lock.json (in sources). However, moment does not
> seem to be included in the srpm and also in any binary rpm, hence this looks
> like false positive.

Thank you for confirming this false positive.
In reply to comment #5:
> You are not authorized to access bug #2105076.

moment is an npm library. Upon running deptopia (depcli -vs moment), we obtained the affects we have here. Here is the output for fedora.

fedora-35 ceph (moment@, npm)
fedora-35 cockpit-composer (moment.1, npm)
fedora-35 cockpit-session-recording (moment.0, npm)
fedora-35 couchdb (moment.0, npm)
fedora-35 golang-github-apache-beam-2 (moment.0, npm)
fedora-35 grafana (moment.0, npm) (and 2 more deps)
fedora-35 python-ipyparallel (moment.2, npm)
fedora-35 python-notebook (moment.3, None)
fedora-35 syncthing (moment.4, None)
fedora-35 workrave (moment.1, npm)
fedora-35 zuul (moment.0, npm)
fedora-36 ceph (moment@, npm)
fedora-36 cldr-emoji-annotation (moment.1, npm)
fedora-36 cockpit-composer (moment.1, npm)
fedora-36 cockpit-session-recording (moment.0, npm)
fedora-36 golang-github-apache-beam-2 (moment.0, npm)
fedora-36 grafana (moment.0, npm) (and 2 more deps)
fedora-36 pgadmin4 (moment.3, npm)
fedora-36 python-ipyparallel (moment.2, npm)
fedora-36 python-notebook (moment.3, None)
fedora-36 subscription-manager-cockpit (moment.1, npm)
fedora-36 syncthing (moment.4, None)
fedora-36 workrave (moment.1, npm)
fedora-36 zuul (moment.0, npm)
Created cldr-emoji-annotation tracking bugs for this issue:
Affects: fedora-36 [bug 2110850]

Created couchdb tracking bugs for this issue:
Affects: fedora-35 [bug 2110846]

Created golang-github-apache-beam-2 tracking bugs for this issue:
Affects: fedora-35 [bug 2110847]
Affects: fedora-36 [bug 2110851]

Created python-ipyparallel tracking bugs for this issue:
Affects: fedora-35 [bug 2110848]
Affects: fedora-36 [bug 2110852]

Created subscription-manager-cockpit tracking bugs for this issue:
Affects: fedora-36 [bug 2110853]

Created syncthing tracking bugs for this issue:
Affects: epel-8 [bug 2110845]

Created workrave tracking bugs for this issue:
Affects: fedora-35 [bug 2110849]
Affects: fedora-36 [bug 2110854]
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 Via RHSA-2022:5913 https://access.redhat.com/errata/RHSA-2022:5913
This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:5914 https://access.redhat.com/errata/RHSA-2022:5914
This issue has been addressed in the following products: OSSM-2.2-RHEL-8 Via RHSA-2022:5915 https://access.redhat.com/errata/RHSA-2022:5915
This issue has been addressed in the following products: Red Hat OpenShift Data Foundation 4.11 on RHEL8 Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2022:6271 https://access.redhat.com/errata/RHSA-2022:6271
This issue has been addressed in the following products: OpenShift Service Mesh 2.0 Via RHSA-2022:6272 https://access.redhat.com/errata/RHSA-2022:6272
This issue has been addressed in the following products: OpenShift Service Mesh 2.1 Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277
This issue has been addressed in the following products: multicluster engine for Kubernetes 2.1 for RHEL 8 Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2022:6392 https://access.redhat.com/errata/RHSA-2022:6392
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.4 Via RHSA-2022:6393 https://access.redhat.com/errata/RHSA-2022:6393
This issue has been addressed in the following products: multicluster engine for Kubernetes 2.0 for RHEL 8 Via RHSA-2022:6422 https://access.redhat.com/errata/RHSA-2022:6422
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8 Via RHSA-2022:6507 https://access.redhat.com/errata/RHSA-2022:6507
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:6696 https://access.redhat.com/errata/RHSA-2022:6696
This issue has been addressed in the following products: RHPAM 7.13.1 async Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813
This issue has been addressed in the following products: RHINT Service Registry 2.3.0 GA Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835
This issue has been addressed in the following products: Red Hat Openshift distributed tracing 2.6 Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 Via RHSA-2022:7276 https://access.redhat.com/errata/RHSA-2022:7276
This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8 Via RHSA-2022:7313 https://access.redhat.com/errata/RHSA-2022:7313
This issue has been addressed in the following products: Red Hat Fuse 7.11.1 Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045
This issue has been addressed in the following products: RHEL-8 based Middleware Containers Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049
This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 7 Via RHSA-2023:1486 https://access.redhat.com/errata/RHSA-2023:1486
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-31129
This issue has been addressed in the following products: Red Hat Ceph Storage 6.1 Via RHSA-2023:3623 https://access.redhat.com/errata/RHSA-2023:3623