cvrf2cusa/cvrf/2022/cvrf-openEuler-SA-2022-1667.xml

<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">
	<DocumentTitle xml:lang="en">An update for nodejs-hawk is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS</DocumentTitle>
	<DocumentType>Security Advisory</DocumentType>
	<DocumentPublisher Type="Vendor">
		<ContactDetails>openeuler-security@openeuler.org</ContactDetails>
		<IssuingAuthority>openEuler security committee</IssuingAuthority>
	</DocumentPublisher>
	<DocumentTracking>
		<Identification>
			<ID>openEuler-SA-2022-1667</ID>
		</Identification>
		<Status>Final</Status>
		<Version>1.0</Version>
		<RevisionHistory>
			<Revision>
				<Number>1.0</Number>
				<Date>2022-05-20</Date>
				<Description>Initial</Description>
			</Revision>
		</RevisionHistory>
		<InitialReleaseDate>2022-05-20</InitialReleaseDate>
		<CurrentReleaseDate>2022-05-20</CurrentReleaseDate>
		<Generator>
			<Engine>openEuler SA Tool V1.0</Engine>
			<Date>2022-05-20</Date>
		</Generator>
	</DocumentTracking>
	<DocumentNotes>
		<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">nodejs-hawk security update</Note>
		<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for nodejs-hawk is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.</Note>
		<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.

Security Fix(es):

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker s input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().(CVE-2022-29167)</Note>
		<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for nodejs-hawk is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.

openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>
		<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>
		<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">nodejs-hawk</Note>
	</DocumentNotes>
	<DocumentReferences>
		<Reference Type="Self">
			<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1667</URL>
		</Reference>
		<Reference Type="openEuler CVE">
			<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-29167</URL>
		</Reference>
		<Reference Type="Other">
			<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-29167</URL>
		</Reference>
	</DocumentReferences>
	<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
		<Branch Type="Product Name" Name="openEuler">
			<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>
			<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>
			<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="src">
			<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-hawk-4.1.2-2.oe1.src.rpm</FullProductName>
			<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-hawk-4.1.2-2.oe1.src.rpm</FullProductName>
			<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">nodejs-hawk-4.1.2-2.oe2203.src.rpm</FullProductName>
		</Branch>
		<Branch Type="Package Arch" Name="noarch">
			<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-hawk-4.1.2-2.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-hawk-4.1.2-2.oe1.noarch.rpm</FullProductName>
			<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">nodejs-hawk-4.1.2-2.oe2203.noarch.rpm</FullProductName>
		</Branch>
	</ProductTree>
	<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
		<Notes>
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker s input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().</Note>
		</Notes>
		<ReleaseDate>2022-05-20</ReleaseDate>
		<CVE>CVE-2022-29167</CVE>
		<ProductStatuses>
			<Status Type="Fixed">
				<ProductID>openEuler-20.03-LTS-SP1</ProductID>
				<ProductID>openEuler-20.03-LTS-SP3</ProductID>
				<ProductID>openEuler-22.03-LTS</ProductID>
			</Status>
		</ProductStatuses>
		<Threats>
			<Threat Type="Impact">
				<Description>High</Description>
			</Threat>
		</Threats>
		<CVSSScoreSets>
			<ScoreSet>
				<BaseScore>7.5</BaseScore>
				<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>
			</ScoreSet>
		</CVSSScoreSets>
		<Remediations>
			<Remediation Type="Vendor Fix">
				<Description>nodejs-hawk security update</Description>
				<DATE>2022-05-20</DATE>
				<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1667</URL>
			</Remediation>
		</Remediations>
	</Vulnerability>
</cvrfdoc>
增加测试用的配置和目录 Signed-off-by: Jia Chao <jiac13@chinaunicom.cn> 2024-07-02 07:51:55 +00:00			`<?xml version="1.0" encoding="UTF-8"?>`
			`<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1" xmlns:cvrf="http://www.icasi.org/CVRF/schema/cvrf/1.1">`
			`<DocumentTitle xml:lang="en">An update for nodejs-hawk is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS</DocumentTitle>`
			`<DocumentType>Security Advisory</DocumentType>`
			`<DocumentPublisher Type="Vendor">`
			`<ContactDetails>openeuler-security@openeuler.org</ContactDetails>`
			`<IssuingAuthority>openEuler security committee</IssuingAuthority>`
			`</DocumentPublisher>`
			`<DocumentTracking>`
			`<Identification>`
			`<ID>openEuler-SA-2022-1667</ID>`
			`</Identification>`
			`<Status>Final</Status>`
			`<Version>1.0</Version>`
			`<RevisionHistory>`
			`<Revision>`
			`<Number>1.0</Number>`
			`<Date>2022-05-20</Date>`
			`<Description>Initial</Description>`
			`</Revision>`
			`</RevisionHistory>`
			`<InitialReleaseDate>2022-05-20</InitialReleaseDate>`
			`<CurrentReleaseDate>2022-05-20</CurrentReleaseDate>`
			`<Generator>`
			`<Engine>openEuler SA Tool V1.0</Engine>`
			`<Date>2022-05-20</Date>`
			`</Generator>`
			`</DocumentTracking>`
			`<DocumentNotes>`
			`<Note Title="Synopsis" Type="General" Ordinal="1" xml:lang="en">nodejs-hawk security update</Note>`
			`<Note Title="Summary" Type="General" Ordinal="2" xml:lang="en">An update for nodejs-hawk is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.</Note>`
			`<Note Title="Description" Type="General" Ordinal="3" xml:lang="en">Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.`

			`Security Fix(es):`

			Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker s input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().(CVE-2022-29167)</Note>
			`<Note Title="Topic" Type="General" Ordinal="4" xml:lang="en">An update for nodejs-hawk is now available for openEuler-20.03-LTS-SP1, openEuler-20.03-LTS-SP3 and openEuler-22.03-LTS.`

			`openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.</Note>`
			`<Note Title="Severity" Type="General" Ordinal="5" xml:lang="en">High</Note>`
			`<Note Title="Affected Component" Type="General" Ordinal="6" xml:lang="en">nodejs-hawk</Note>`
			`</DocumentNotes>`
			`<DocumentReferences>`
			`<Reference Type="Self">`
			`<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1667</URL>`
			`</Reference>`
			`<Reference Type="openEuler CVE">`
			`<URL>https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-29167</URL>`
			`</Reference>`
			`<Reference Type="Other">`
			`<URL>https://nvd.nist.gov/vuln/detail/CVE-2022-29167</URL>`
			`</Reference>`
			`</DocumentReferences>`
			`<ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">`
			`<Branch Type="Product Name" Name="openEuler">`
			`<FullProductName ProductID="openEuler-20.03-LTS-SP1" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">openEuler-20.03-LTS-SP1</FullProductName>`
			`<FullProductName ProductID="openEuler-20.03-LTS-SP3" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">openEuler-20.03-LTS-SP3</FullProductName>`
			`<FullProductName ProductID="openEuler-22.03-LTS" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">openEuler-22.03-LTS</FullProductName>`
			`</Branch>`
			`<Branch Type="Package Arch" Name="src">`
			`<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-hawk-4.1.2-2.oe1.src.rpm</FullProductName>`
			`<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-hawk-4.1.2-2.oe1.src.rpm</FullProductName>`
			`<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">nodejs-hawk-4.1.2-2.oe2203.src.rpm</FullProductName>`
			`</Branch>`
			`<Branch Type="Package Arch" Name="noarch">`
			`<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP1">nodejs-hawk-4.1.2-2.oe1.noarch.rpm</FullProductName>`
			`<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:20.03-LTS-SP3">nodejs-hawk-4.1.2-2.oe1.noarch.rpm</FullProductName>`
			`<FullProductName ProductID="nodejs-hawk-4.1.2-2" CPE="cpe:/a:openEuler:openEuler:22.03-LTS">nodejs-hawk-4.1.2-2.oe2203.noarch.rpm</FullProductName>`
			`</Branch>`
			`</ProductTree>`
			`<Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">`
			`<Notes>`
			<Note Title="Vulnerability Description" Type="General" Ordinal="1" xml:lang="en">Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker s input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().</Note>
			`</Notes>`
			`<ReleaseDate>2022-05-20</ReleaseDate>`
			`<CVE>CVE-2022-29167</CVE>`
			`<ProductStatuses>`
			`<Status Type="Fixed">`
			`<ProductID>openEuler-20.03-LTS-SP1</ProductID>`
			`<ProductID>openEuler-20.03-LTS-SP3</ProductID>`
			`<ProductID>openEuler-22.03-LTS</ProductID>`
			`</Status>`
			`</ProductStatuses>`
			`<Threats>`
			`<Threat Type="Impact">`
			`<Description>High</Description>`
			`</Threat>`
			`</Threats>`
			`<CVSSScoreSets>`
			`<ScoreSet>`
			`<BaseScore>7.5</BaseScore>`
			`<Vector>AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</Vector>`
			`</ScoreSet>`
			`</CVSSScoreSets>`
			`<Remediations>`
			`<Remediation Type="Vendor Fix">`
			`<Description>nodejs-hawk security update</Description>`
			`<DATE>2022-05-20</DATE>`
			`<URL>https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1667</URL>`
			`</Remediation>`
			`</Remediations>`
			`</Vulnerability>`
			`</cvrfdoc>`