Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2023-26364: cockpit-wicked: css-tools: improper input validation during CSS parsing causes denial of service | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Carlos López <carlos.lopez> |
| Component: | Incidents | Assignee: | Miika Alikirri <miika.alikirri> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | igonzalezsosa, kanderssen, miika.alikirri, security-team, stoyan.manolov, yast2-maintainers |
| Version: | unspecified | Flags: | stoyan.manolov: needinfo? (miika.alikirri) |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/385567/ | | |
| Whiteboard: | | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 1217322 | | |
| Bug Blocks: | | | |
Description
Carlos López
2023-11-20 09:06:32 UTC
- openSUSE:Factory/cockpit-wicked embeds @adobe/css-tools (v4.3.0)
- SUSE:SLE-15-SP5:Update:Products:Micro55:Update/cockpit-wicked embeds @adobe/css-tools (v4.3.0)

Hi! I created a PR on GitHub that addresses this issue: https://github.com/openSUSE/cockpit-wicked/pull/142

I'll update the OBS packages after the PR is merged.

Oh, I overlooked this one. I have approved and merged the PR. We will submit the updated version.

Hi all,

First of all, sorry for the delay. Let's try to put things in order.

## Version 4.x vs 5.x

We have like two different branches of cockpit-wicked:

* 4.x, which is the version that we developed in the YaST team and it is available in Micro 5.4 and before. In that case, "npm audit" reported a handful of security issues, so I updated the dependencies and submitted the code to SLE Micro 5.4 (as version 4.5). See https://build.suse.de/request/show/327548. Should I submit the fixed version to older Micro versions?
* 5.x, which codewise is basically the same but it was adapted to work with the new Cockpit's build system. It was driven through https://jira.suse.com/browse/CPT-40. In this case, I have submitted the package to Micro 5.5: https://build.suse.de/request/show/327564.

Both packages are building just fine.

## Factory

Things are more interesting in Factory. The package was deleted from openSUSE:Factory because it was not building for 6 weeks (sorry, I did not notice). I have refreshed the sources in the devel project (systemsmanagement/cockpit-wicked) but it does not build. Miika, do you have any idea, please? Thanks!

Regards,
Imo

PS: there is a CSS problem in the 5.x versions, but I guess I should open a separate bug report.

SUSE-SU-2024:1416-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1217325
CVE References: CVE-2023-26364
Maintenance Incident: [SUSE:Maintenance:33561](https://smelt.suse.de/incident/33561/)
Sources used:
SUSE Linux Enterprise Micro for Rancher 5.4 (src): cockpit-wicked-4.5-150400.3.3.1
SUSE Linux Enterprise Micro 5.4 (src): cockpit-wicked-4.5-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2024:1415-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1217325
CVE References: CVE-2023-26364
Maintenance Incident: [SUSE:Maintenance:33560](https://smelt.suse.de/incident/33560/)
Sources used:
SUSE Linux Enterprise Micro 5.5 (src): cockpit-wicked-5~git8.c06c55b-150500.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
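Both affected products embed @adobe/css-tools 4.3.0 as a bundled npm dependency, and the fix in the thread was to bump that dependency and rebuild. The following is an added example, not code from this bug report or from the cockpit-wicked project, showing how a packager can check an npm package-lock.json (lockfileVersion 2/3 layout, "packages" keyed by install path) for every embedded copy of the library, including transitive ones nested under another dependency's node_modules, and flag those below a fixed-version floor. The floor of 4.3.1 is taken from the upstream advisory for CVE-2023-26364, not from this page, and is a parameter; the sample lockfile is constructed.

```python
"""Flag vulnerable @adobe/css-tools copies embedded in an npm package-lock.json.

Added example, not from the bug report or the cockpit-wicked project. It assumes
the lockfile v2/v3 layout ("packages" map keyed by node_modules path) and takes
4.3.1 as the first release fixing CVE-2023-26364; that floor comes from the
upstream advisory, not from this page, and can be overridden.
"""
import json
import re
from typing import Dict, List, Tuple

ADVISORY_CVE = "CVE-2023-26364"
VULNERABLE_PACKAGE = "@adobe/css-tools"
FIXED_VERSION = "4.3.1"  # assumed from the upstream advisory, not stated on this page

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Reduce a semver string to a comparable (major, minor, patch) tuple.

    Pre-release and build suffixes are ignored. A malformed version raises
    ValueError instead of being silently treated as safe.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def find_embedded(lock: Dict, name: str) -> List[Tuple[str, str]]:
    """Return (install path, version) for every copy of `name` in the lockfile.

    Transitive copies live under nested node_modules paths, so matching on the
    path suffix catches them as well as the top-level copy.
    """
    hits = []
    suffix = "node_modules/" + name
    for path, meta in lock.get("packages", {}).items():
        if path == suffix or path.endswith("/" + suffix):
            version = meta.get("version")
            if version:
                hits.append((path, version))
    return hits


def audit_lockfile(lock_text: str, name: str = VULNERABLE_PACKAGE,
                   fixed: str = FIXED_VERSION) -> List[Dict[str, str]]:
    """Parse a package-lock.json and report copies of `name` older than `fixed`."""
    lock = json.loads(lock_text)
    floor = parse_version(fixed)
    findings = []
    for path, version in find_embedded(lock, name):
        if parse_version(version) < floor:
            findings.append({"path": path, "version": version,
                             "cve": ADVISORY_CVE, "fixed_in": fixed})
    return findings


# Constructed sample lockfile: one vulnerable top-level copy and one patched
# copy nested under another dependency, shaped like npm lockfileVersion 3 output.
SAMPLE_LOCK = json.dumps({
    "name": "example-plugin",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-plugin", "version": "0.0.1"},
        "node_modules/@adobe/css-tools": {"version": "4.3.0"},
        "node_modules/some-dep": {"version": "1.0.0"},
        "node_modules/some-dep/node_modules/@adobe/css-tools": {"version": "4.3.1"},
    },
})

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"{f['path']}: {f['version']} < {f['fixed_in']} ({f['cve']})")
```

Run it against a real lockfile by passing the file contents to `audit_lockfile`; an empty result means no copy below the floor is bundled, which is the check worth adding to the package's build or CI step so a regression like the 4.3.0 embedding is caught before submission rather than by a later audit.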