Bugzilla – Bug 1217325
VUL-0: CVE-2023-26364: cockpit-wicked: css-tools: improper input validation during CSS parsing causes denial of service
Last modified: 2024-04-24 12:30:25 UTC
+++ This bug was initially created as a clone of Bug #1217322 +++ @adobe/css-tools version 4.3.0 and earlier are affected by an Improper Input Validation vulnerability that could result in a minor denial of service while attempting to parse CSS. Exploitation of this issue does not require user interaction or privileges. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26364
- openSUSE:Factory/cockpit-wicked embeds @adobe/css-tools (v4.3.0) - SUSE:SLE-15-SP5:Update:Products:Micro55:Update/cockpit-wicked embeds @adobe/css-tools (v4.3.0)
Hi! I created PR on github that addresses this issue: https://github.com/openSUSE/cockpit-wicked/pull/142 I'll update the OBS packages after the PR is merged
Oh, I overlooked this one. I have approved and merged the PR. We will submit the updated version.
Hi all, First of all, sorry for the delay. Let's try to put things in order. ## Version 4.x vs 5.x We have like two different branches of cockpit-wicked: * 4.x, which is the version that we developed in the YaST team and it is available in Micro 5.4 and before. In that case, "npm audit" reported a handful of security issues, so I updated the dependencies and submitted the code to SLE Micro 5.4 (as version 4.5). See https://build.suse.de/request/show/327548. Should I submit the fixed version to older Micro versions? * 5.x which codewise is basically the same but it was adapted to work with the new Cockpit's build system. It was driven through https://jira.suse.com/browse/CPT-40. In this case, I have submitted the package to Micro 5.5: https://build.suse.de/request/show/327564. Both packages are building just fine. ## Factory Things are more interesting in Factory. The package was deleted from openSUSE:Factory because it was not building for 6 weeks (sorry, I did not noticed). I have refreshed the sources in the devel project (systemsmanagement/cockpit-wicked) but it does not build. Miika, do you have any idea, please? Thanks! Regards, Imo PS: there are a CSS problem in the 5.x versions, but I guess I should open a separate bug report.
SUSE-SU-2024:1416-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1217325 CVE References: CVE-2023-26364 Maintenance Incident: [SUSE:Maintenance:33561](https://smelt.suse.de/incident/33561/) Sources used: SUSE Linux Enterprise Micro for Rancher 5.4 (src): cockpit-wicked-4.5-150400.3.3.1 SUSE Linux Enterprise Micro 5.4 (src): cockpit-wicked-4.5-150400.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2024:1415-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1217325 CVE References: CVE-2023-26364 Maintenance Incident: [SUSE:Maintenance:33560](https://smelt.suse.de/incident/33560/) Sources used: SUSE Linux Enterprise Micro 5.5 (src): cockpit-wicked-5~git8.c06c55b-150500.3.3.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.