Security: Multiple issues in url-parse

Name: Multiple issues in url-parse
ID: USN-5973-1
Distribution: Ubuntu
Platforms: Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 16.04 ESM
Date: Mon, 27 March 2023, 23:12
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0686
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0639
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0691
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
Applications: url-parse

Original message
From: Amir Naseredini <amir.naseredini@canonical.com>
To: ubuntu-security-announce@lists.ubuntu.com
Message-ID: <036706fc-b5c3-0014-6dc1-ee8db982d9cc@canonical.com>
Subject: [USN-5973-1] url-parse vulnerabilities
==========================================================================
Ubuntu Security Notice USN-5973-1
March 27, 2023

node-url-parse vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
Summary:
Several security issues were fixed in url-parse.
Software Description:
- node-url-parse: Small footprint URL parser that works across Node.js and browsers
Details:
It was discovered that url-parse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service, or to perform a server-side request forgery attack or open redirect attack. (CVE-2018-3774)
It was discovered that url-parse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass input validation. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-8124)
Yaniv Nizry discovered that url-parse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service, or to perform a server-side request forgery attack or open redirect attack. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-27515)
It was discovered that url-parse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service, or to perform a server-side request forgery attack or open redirect attack. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-3664)
It was discovered that url-parse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass authorization. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-0512, CVE-2022-0639, CVE-2022-0691)
Rohan Sharma discovered that url-parse incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to bypass authorization. This issue was only fixed in Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2022-0686)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04 LTS: node-url-parse 1.4.7-3ubuntu0.1
Ubuntu 18.04 LTS: node-url-parse 1.2.0-1ubuntu0.1
Ubuntu 16.04 ESM: node-url-parse 1.0.5-2ubuntu0.1~esm2
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5973-1
CVE-2018-3774, CVE-2020-8124, CVE-2021-27515, CVE-2021-3664, CVE-2022-0512, CVE-2022-0639, CVE-2022-0686, CVE-2022-0691
Package Information:
https://launchpad.net/ubuntu/+source/node-url-parse/1.4.7-3ubuntu0.1
https://launchpad.net/ubuntu/+source/node-url-parse/1.2.0-1ubuntu0.1