[Bug 2105075] CVE-2022-31129 moment: inefficient parsing algorithm
resulting in DoS
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2105075
amctagga(a)redhat.com changed:
What       | Removed | Added
-----------|---------|----------------------------------------------------------
Depends On |         | 2108746, 2108745, 2108744, 2108743, 2108752, 2108749,
           |         | 2108756, 2108751, 2108753, 2108750, 2108748, 2108755,
           |         | 2108747, 2108754
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=2105075
1 year, 9 months
[Bug 2105075] CVE-2022-31129 moment: inefficient parsing algorithm
resulting in DoS
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2105075
--- Comment #17 from amctagga(a)redhat.com ---
In reply to comment #5:
> You are not authorized to access bug #2105076.
moment is an npm library. Upon running deptopia (depcli -vs moment), we
obtained the affects we have here.
Here is the output for fedora.
fedora-35 ceph (moment@, npm)
fedora-35 cockpit-composer (moment@2.29.1, npm)
fedora-35 cockpit-session-recording (moment@2.27.0, npm)
fedora-35 couchdb (moment@2.27.0, npm)
fedora-35 golang-github-apache-beam-2 (moment@2.27.0, npm)
fedora-35 grafana (moment@2.27.0, npm) (and 2 more deps)
fedora-35 python-ipyparallel (moment@2.29.2, npm)
fedora-35 python-notebook (moment@2.19.3, None)
fedora-35 syncthing (moment@2.19.4, None)
fedora-35 workrave (moment@2.29.1, npm)
fedora-35 zuul (moment@2.26.0, npm)
fedora-36 ceph (moment@, npm)
fedora-36 cldr-emoji-annotation (moment@2.29.1, npm)
fedora-36 cockpit-composer (moment@2.29.1, npm)
fedora-36 cockpit-session-recording (moment@2.27.0, npm)
fedora-36 golang-github-apache-beam-2 (moment@2.27.0, npm)
fedora-36 grafana (moment@2.27.0, npm) (and 2 more deps)
fedora-36 pgadmin4 (moment@2.29.3, npm)
fedora-36 python-ipyparallel (moment@2.29.2, npm)
fedora-36 python-notebook (moment@2.19.3, None)
fedora-36 subscription-manager-cockpit (moment@2.29.1, npm)
fedora-36 syncthing (moment@2.19.4, None)
fedora-36 workrave (moment@2.29.1, npm)
fedora-36 zuul (moment@2.26.0, npm)
[Bug 2102610] New: CVE-2022-33068 harfbuzz: VUL-0: CVE-2022-33068:
harfbuzz: integer overflow in the component hb-ot-shape-fallback.cc
[fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2102610
Bug ID: 2102610
Summary: CVE-2022-33068 harfbuzz: VUL-0: CVE-2022-33068:
harfbuzz: integer overflow in the component
hb-ot-shape-fallback.cc [fedora-all]
Product: Fedora
Version: 36
Status: NEW
Component: harfbuzz
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: pnemade(a)redhat.com
Reporter: mrehak(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: i18n-bugs(a)lists.fedoraproject.org, klember(a)redhat.com,
moceap(a)hotmail.com, pnemade(a)redhat.com,
psatpute(a)redhat.com
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 2104234] New: adapt pango to removal of java on i686
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2104234
Bug ID: 2104234
Summary: adapt pango to removal of java on i686
Product: Fedora
Version: rawhide
Status: NEW
Component: pango
Severity: high
Assignee: pwu(a)redhat.com
Reporter: jvanek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: caillon+fedoraproject(a)gmail.com,
fonts-bugs(a)lists.fedoraproject.org,
gnome-sig(a)lists.fedoraproject.org,
i18n-bugs(a)lists.fedoraproject.org,
java-maint-sig(a)lists.fedoraproject.org,
jhuttana(a)redhat.com, jvanek(a)redhat.com,
mclasen(a)redhat.com, pmikova(a)redhat.com,
pwu(a)redhat.com, rhughes(a)redhat.com,
rstrode(a)redhat.com, sandmann(a)redhat.com,
sgehwolf(a)redhat.com, tagoh(a)redhat.com,
zzambers(a)redhat.com
Blocks: 2083750
Target Milestone: ---
Classification: Fedora
Dear maintainer, we are going to drop i686 java-openjdk packages in f37 -
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
Your package (maybe just some subpackage) is transitively affected by this
change:
pango<-libthai<-doxygen<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-doxygen<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-libdatrie<-doxygen<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-ghostscript<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-perl-Git<-git<-subversion<-java-11-openjdk-devel
pango<-fontconfig<-docbook-utils<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-R-devel<-R-java-devel<-java-17-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-ruby<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-acl<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-ocaml<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-subversion<-junit<-hamcrest<-java-17-openjdk-headless
pango<-libthai<-doxygen<-git<-tar<-acl<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-gawk<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-libdatrie<-doxygen<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-gawk<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-swig<-R-devel<-R-java-devel<-java-17-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-swig<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-libdatrie<-doxygen<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-ghostscript<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-doxygen<-graphviz<-ocaml<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-subversion<-ruby<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-ghostscript<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-gawk<-ghostscript<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-ghostscript<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-swig<-octave-devel<-octave<-java-17-openjdk-headless
pango<-libthai<-libdatrie<-doxygen<-ghostscript<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-libgs<-libijs<-git<-subversion<-java-11-openjdk-devel
pango<-fontconfig<-docbook-utils<-gawk<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-doxygen<-graphviz<-lasi<-doxygen<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-perl-Git<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-libdatrie<-doxygen<-git<-perl-Git<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-acl<-gawk<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-doxygen<-graphviz<-ruby<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-doxygen<-git<-gawk<-git<-perl-Git<-git<-subversion<-java-11-openjdk-devel
pango<-fontconfig<-docbook-utils<-gawk<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-perl-Git<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-libdatrie<-doxygen<-git<-acl<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-libdatrie<-doxygen<-graphviz<-ruby<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-ruby<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-git<-cvs<-krb5-libs<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-ocaml<-git<-subversion<-junit<-java-17-openjdk-headless
pango<-libthai<-libdatrie<-doxygen<-graphviz<-R-devel<-R-java-devel<-java-17-openjdk-devel
pango<-libthai<-doxygen<-git<-sed<-libselinux<-ruby<-git<-subversion<-java-11-openjdk-devel
pango<-fontconfig<-docbook-utils<-gawk<-ghostscript<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-libdatrie<-doxygen<-graphviz<-ocaml<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-ocaml<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
pango<-meson<-ninja-build<-asciidoc<-graphviz<-ruby<-git<-subversion<-java-11-openjdk-devel
pango<-libthai<-doxygen<-graphviz<-ruby-devel<-ruby<-git<-subversion<-java-11-openjdk-devel
Shown 50 from 350
This package was selected as one of the most crucial, which when missing, will
burn distro down.
Please take care, and adapt your package to exclude java on i686. For your
convenience, the macro %{java_arches} was added, including all arches java is
available on, which you can use to ifarch-out java-specific features on
i686 (on non-java arches). Although for a plain java package the change is as
simple as
https://src.fedoraproject.org/rpms/maven/c/520942645bfd1e4721dacd536a6ccb...,
you cannot use it. ExclusiveArch: %{java_arches} is not going to work for
you, because your package is not a simple java application, and the non-java
world also depends on it (even if you are one of the dozen noarchs in this set).
See exemplar PR:
https://src.fedoraproject.org/rpms/graphviz/pull-request/9#request_diff
See more details, e.g. in: https://bugzilla.redhat.com/show_bug.cgi?id=2102298
See why in: https://pagure.io/fesco/issue/2772
Please read the proposal carefully:
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
Please see the tracking bug for the most up-to-date information:
https://bugzilla.redhat.com/show_bug.cgi?id=2083750
(note that direct dependencies are already a work in progress: native ones
reported and worked on, noarch ones auto-adjusted)
I'm terribly sorry to report this bug so late in the f37 lifecycle. If you can,
please handle this with priority.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2083750
[Bug 2083750] Drop i686 builds of jdk8,11,17 and latest (18) rpms from f37
onwards
[Bug 2104228] New: adapt harfbuzz to removal of java on i686
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2104228
Bug ID: 2104228
Summary: adapt harfbuzz to removal of java on i686
Product: Fedora
Version: rawhide
Status: NEW
Component: harfbuzz
Severity: high
Assignee: pnemade(a)redhat.com
Reporter: jvanek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: i18n-bugs(a)lists.fedoraproject.org,
java-maint-sig(a)lists.fedoraproject.org,
jhuttana(a)redhat.com, jvanek(a)redhat.com,
klember(a)redhat.com, moceap(a)hotmail.com,
pmikova(a)redhat.com, pnemade(a)redhat.com,
psatpute(a)redhat.com, sgehwolf(a)redhat.com,
zzambers(a)redhat.com
Blocks: 2083750
Target Milestone: ---
Classification: Fedora
Dear maintainer, we are going to drop i686 java-openjdk packages in f37 -
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
Your package (maybe just some subpackage) is transitively affected by this
change:
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-junit<-java-17-openjdk-headless
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-ghostscript<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-perl-Git<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-acl<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-elinks<-krb5-libs<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-freetype<-harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-junit<-hamcrest<-java-17-openjdk-headless
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-gawk<-git<-subversion<-junit<-java-17-openjdk-headless
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-ruby<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-w3m<-gpm-devel<-gpm<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-R-devel<-R-java-devel<-java-17-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-ocaml<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-elinks<-krb5-libs<-libverto<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-ghostscript<-git<-subversion<-junit<-java-17-openjdk-headless
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-ruby<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-elinks<-gpm-devel<-gpm<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-gawk<-ghostscript<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-ghostscript<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-git<-subversion<-junit<-java-17-openjdk-headless
harfbuzz<-freetype<-libX11-devel<-libxcb-devel<-libxcb<-doxygen<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-meson<-ninja-build<-asciidoc<-graphviz<-ruby<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-meson<-ninja-build<-asciidoc<-graphviz<-R-devel<-R-java-devel<-java-17-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-perl-Git<-git<-subversion<-junit<-java-17-openjdk-headless
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-git<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-meson<-ninja-build<-asciidoc<-graphviz<-ocaml<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-swig<-R-devel<-R-java-devel<-java-17-openjdk-devel
harfbuzz<-cairo-devel<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-ghostscript<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-swig<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-ghostscript<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libX11-devel<-libxcb-devel<-libxcb<-doxygen<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-ocaml<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-ghostscript<-git<-perl-Git<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb-devel<-libxcb<-doxygen<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-ghostscript<-libgs<-libijs<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-swig<-R-devel<-R-java-devel<-java-17-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-git<-perl-Git<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-elinks<-krb5-libs<-gawk<-git<-subversion<-junit<-java-17-openjdk-headless
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-swig<-octave-devel<-octave<-java-17-openjdk-headless
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-libgs<-libijs<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-graphviz<-R-devel<-R-java-devel<-java-17-openjdk-devel
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-graphviz<-lasi<-doxygen<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-freetype<-harfbuzz<-gtk-doc<-docbook-utils<-gawk<-git<-subversion<-junit<-java-17-openjdk-headless
harfbuzz<-cairo-devel<-libxcb-devel<-libxcb<-doxygen<-graphviz<-ruby<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-elinks<-krb5-devel<-krb5-libs<-gawk<-git<-subversion<-java-11-openjdk-devel
harfbuzz<-gtk-doc<-meson<-ninja-build<-asciidoc<-graphviz<-swig<-R-devel<-R-java-devel<-java-17-openjdk-devel
harfbuzz<-gtk-doc<-docbook-utils<-elinks<-krb5-libs<-libselinux<-ruby<-git<-subversion<-java-11-openjdk-devel
Shown 50 from 160
This package was selected as one of the most crucial, which when missing, will
burn distro down.
Please take care, and adapt your package to exclude java on i686. For your
convenience, the macro %{java_arches} was added, including all arches java is
available on, which you can use to ifarch-out java-specific features on
i686 (on non-java arches). Although for a plain java package the change is as
simple as
https://src.fedoraproject.org/rpms/maven/c/520942645bfd1e4721dacd536a6ccb...,
you cannot use it. ExclusiveArch: %{java_arches} is not going to work for
you, because your package is not a simple java application, and the non-java
world also depends on it (even if you are one of the dozen noarchs in this set).
See exemplar PR:
https://src.fedoraproject.org/rpms/graphviz/pull-request/9#request_diff
See more details, e.g. in: https://bugzilla.redhat.com/show_bug.cgi?id=2102298
See why in: https://pagure.io/fesco/issue/2772
Please read the proposal carefully:
https://fedoraproject.org/wiki/Changes/Drop_i686_JDKs
Please see the tracking bug for the most up-to-date information:
https://bugzilla.redhat.com/show_bug.cgi?id=2083750
(note that direct dependencies are already a work in progress: native ones
reported and worked on, noarch ones auto-adjusted)
I'm terribly sorry to report this bug so late in the f37 lifecycle. If you can,
please handle this with priority.
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2083750
[Bug 2083750] Drop i686 builds of jdk8,11,17 and latest (18) rpms from f37
onwards
[Bug 2105075] CVE-2022-31129 moment: inefficient parsing algorithm
resulting in DoS
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2105075
--- Comment #13 from Parag Nemade <pnemade(a)redhat.com> ---
(In reply to Tomas Hoger from comment #8)
> In reply to comment #2:
> > Why have you CC'ed many people or to exact i18n-bugs list to this bug?
>
> i18n-bugs is on the initial CC list for the cldr-emoji-annotation component,
> which was added as possibly affected by this issue. The package is
> considered to include moment because of moment being listed in
> tools/cldr-apps/js/package-lock.json (in sources). However, moment does not
> seem to be included in the srpm and also in any binary rpm, hence this looks
> like false positive.
Thank you for confirming this false positive.
[Bug 2105075] CVE-2022-31129 moment: inefficient parsing algorithm
resulting in DoS
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2105075
--- Comment #11 from Miro Hrončok <mhroncok(a)redhat.com> ---
(In reply to Tomas Hoger from comment #10)
> In reply to comment #9:
> > In reply to comment #7:
> > > Why is python-sig(a)lists.fedoraproject.org in CC for this RHEL bug? Is there
> > > something the Fedora SIG can/should do here?
> >
> > python-sig is added because of python-notebook, but I do not see why that
> > component was added here as possibly affected.
>
> Sigh, I was checking incorrectly. python-notebook seems to bundle and ship
> moment in site-packages/notebook/static/components/moment/
It does, it also provides bundled(moment) = 2.19.3.
(In reply to Petr Viktorin from comment #7)
> Why is python-sig(a)lists.fedoraproject.org in CC for this RHEL bug? Is there
> something the Fedora SIG can/should do here?
This is not a RHEL bug, but a tracking bug that covers Fedora, RHEL, EPEL, etc.
All the maintainers of all the affected components in all the products are
CC'ed here. That includes python-sig(a)lists.fedoraproject.org.
[Bug 2105075] CVE-2022-31129 moment: inefficient parsing algorithm
resulting in DoS
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2105075
Tomas Hoger <thoger(a)redhat.com> changed:
What  | Removed                        | Added
------|--------------------------------|------
Flags | needinfo?(amctagga@redhat.com) |
--- Comment #10 from Tomas Hoger <thoger(a)redhat.com> ---
In reply to comment #9:
> In reply to comment #7:
> > Why is python-sig(a)lists.fedoraproject.org in CC for this RHEL bug? Is there
> > something the Fedora SIG can/should do here?
>
> python-sig is added because of python-notebook, but I do not see why that
> component was added here as possibly affected.
Sigh, I was checking incorrectly. python-notebook seems to bundle and ship
moment in site-packages/notebook/static/components/moment/