All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.

References:
https://stackblitz.com/edit/angularjs-vulnerability-inpur-url-validation-redos
https://security.snyk.io/vuln/SNYK-JS-ANGULAR-3373046
Created firefox tracking bugs for this issue:
Affects: fedora-all [bug 2208194]

Created icecat tracking bugs for this issue:
Affects: fedora-all [bug 2208195]

Created mozjs102 tracking bugs for this issue:
Affects: fedora-all [bug 2208196]

Created mozjs78 tracking bugs for this issue:
Affects: fedora-all [bug 2208197]

Created qpid-dispatch tracking bugs for this issue:
Affects: openstack-rdo [bug 2208199]

Created thunderbird tracking bugs for this issue:
Affects: fedora-all [bug 2208198]
@mrehak please don't open any bugs for RHEL 8 Firefox and Thunderbird Flatpaks as these were obsoleted by their RHEL 9 version at the time of RHEL 8.7.0 GA. I was assured several times that the templates/scripts that Product Security is using will be/were adapted, but still bugs are opened for these.