Bug 1212573 - VUL-0: CVE-2022-25883: cockpit,cockpit-tukit,cockpit-podman,cockpit-machines: semver: Versions of the package semver before 7.5.2 are vulnerable to ReDos
Summary: VUL-0: CVE-2022-25883: cockpit,cockpit-tukit,cockpit-podman,cockpit-machines:...
Status: RESOLVED INVALID
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370063/
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2022-25883
  Show dependency treegraph
 
Reported: 2023-06-21 11:40 UTC by Cathy Hu
Modified: 2023-06-22 09:23 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Cathy Hu 2023-06-21 11:42:50 UTC 
From a quick scan, semver is embedded in the following codestreams, so tracking as affected:

- SUSE:SLE-15-SP3:Update:Products:MicroOS51:Update/cockpit                                    
- SUSE:SLE-15-SP3:Update:Products:MicroOS51:Update/cockpit-podman    
                                                                                              
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-machines                           
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-podman                             
- SUSE:SLE-15-SP3:Update:Products:MicroOS52:Update/cockpit-tukit                              
                                                                                          
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-machines    
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-podman
- SUSE:SLE-15-SP4:Update:Products:Micro53:Update/cockpit-tukit
                                                                                          
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-machines    
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-podman
- SUSE:SLE-15-SP4:Update:Products:Micro54:Update/cockpit-tukit
                                                                                          
- openSUSE:Factory/cockpit                                           
- openSUSE:Factory/cockpit-machines                                  
- openSUSE:Factory/cockpit-podman                                    
- openSUSE:Factory/cockpit-tukit


Please let me know in case this is not affecting the cockpit parts and is not used and shipped, then i will adjust the tracking.
Comment 2 Luna D Dragon 2023-06-22 01:52:24 UTC 
From a initial glance, this is not directly used in any package mentioned and is not a issue, will confirm with upstream. (Cockpit-tukit is definitely not exposed)
Comment 3 Luna D Dragon 2023-06-22 04:49:06 UTC 
confirmed with upstream. semver is used as a build time dependency and hence the cve does not affect cockpit
Comment 4 Cathy Hu 2023-06-22 09:23:51 UTC 
okay, thanks, closing