[Bug 2135472] New: CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all] - Epel-packagers-sig - Fedora Mailing-Lists

2024

2023

2022

2021

[Bug 2135472] New: CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

[Bug 2127348] CVE-2020-7677...

[Bug 2127008] New: CVE-2021-43138...

bugzilla＠redhat.com

Monday, 17 October 2022 Mon, 17 Oct '22

11:52 a.m.

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Bug ID: 2135472 Summary: CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all] Product: Fedora Version: 36 Status: NEW Component: yarnpkg Keywords: Security, SecurityTracking Severity: medium Priority: medium Assignee: zsvetlik(a)redhat.com Reporter: gsuckevi(a)redhat.com QA Contact: extras-qa(a)fedoraproject.org CC: epel-packagers-sig(a)lists.fedoraproject.org, ngompa13(a)gmail.com, zsvetlik(a)redhat.com Target Milestone: --- Classification: Fedora More information about this security flaw is available in the following bug: http://bugzilla.redhat.com/show_bug.cgi?id=2134609 Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

Show replies by date

bugzilla＠redhat.com

Monday, 17 October Mon, 17 Oct

11:52 a.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 --- Comment #1 from Guilherme de Almeida Suckevicz <gsuckevi(a)redhat.com> --- Use the following template to for the 'fedpkg update' request to submit an update for this issue as it contains the top-level parent bug(s) as well as this tracking bug. This will ensure that all associated bugs get updated when new packages are pushed to stable. ===== # bugfix, security, enhancement, newpackage (required) type=security # low, medium, high, urgent (required) severity=medium # testing, stable request=testing # Bug numbers: 1234,9876 bugs=2134609,2135472 # Description of your update notes=Security fix for [PUT CVEs HERE] # Enable request automation based on the stable/unstable karma thresholds autokarma=True stable_karma=3 unstable_karma=-3 # Automatically close bugs when this marked as stable close_bugs=True # Suggest that users restart after update suggest_reboot=False ====== Additionally, you may opt to use the bodhi web interface to submit updates: https://bodhi.fedoraproject.org/updates/new -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

11:52 a.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Guilherme de Almeida Suckevicz <gsuckevi(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2134609 | |(CVE-2022-3517,PRISMA-2022- | |0039) Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2134609 [Bug 2134609] CVE-2022-3517 nodejs-minimatch: ReDoS via the braceExpand function -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

Wednesday, 11 January Wed, 11 Jan

9:24 a.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Fedora Update System <updates(a)fedoraproject.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |MODIFIED --- Comment #2 from Fedora Update System <updates(a)fedoraproject.org> --- FEDORA-2023-ce8943223c has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-ce8943223c -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

9:24 a.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 --- Comment #3 from Fedora Update System <updates(a)fedoraproject.org> --- FEDORA-2023-18fd476362 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2023-18fd476362 -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

8:41 p.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Fedora Update System <updates(a)fedoraproject.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|MODIFIED |ON_QA --- Comment #4 from Fedora Update System <updates(a)fedoraproject.org> --- FEDORA-2023-18fd476362 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-18fd476362` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-18fd476362 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

9:05 p.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 --- Comment #5 from Fedora Update System <updates(a)fedoraproject.org> --- FEDORA-2023-ce8943223c has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-ce8943223c` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-ce8943223c See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

Friday, 20 January Fri, 20 Jan

9:30 p.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Fedora Update System <updates(a)fedoraproject.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |yarnpkg-1.22.19-3.fc37 Resolution|--- |ERRATA Status|ON_QA |CLOSED Last Closed| |2023-01-21 03:30:45 --- Comment #6 from Fedora Update System <updates(a)fedoraproject.org> --- FEDORA-2023-ce8943223c has been pushed to the Fedora 37 stable repository. If problem still persists, please make note of it in this bug report. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

9:40 p.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Fedora Update System <updates(a)fedoraproject.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version|yarnpkg-1.22.19-3.fc37 |yarnpkg-1.22.19-3.fc37 | |yarnpkg-1.22.19-3.fc36 --- Comment #7 from Fedora Update System <updates(a)fedoraproject.org> --- FEDORA-2023-18fd476362 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

Monday, 5 June Mon, 5 Jun

4:29 p.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Carl George 🤠 <carl(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |2212561 Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2212561 [Bug 2212561] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [epel-all] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

bugzilla＠redhat.com

4:32 p.m.

New subject: [Bug 2135472] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [fedora-all]

https://bugzilla.redhat.com/show_bug.cgi?id=2135472 Carl George 🤠 <carl(a)redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|2212561 | Referenced Bugs: https://bugzilla.redhat.com/show_bug.cgi?id=2212561 [Bug 2212561] CVE-2022-3517 yarnpkg: nodejs-minimatch: ReDoS via the braceExpand function [epel-all] -- You are receiving this mail because: You are on the CC list for the bug. https://bugzilla.redhat.com/show_bug.cgi?id=2135472

Reply

348

days inactive

579

days old

epel-packagers-sig@lists.fedoraproject.org

Manage subscription

10 comments

1 participants

tags (0)

participants (1)

bugzilla＠redhat.com