[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SECURITY] [DLA 3295-1] node-moment security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -----------------------------------------------------------------------
Debian LTS Advisory DLA-3295-1              debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Utkarsh Gupta
January 31, 2023                            https://wiki.debian.org/LTS
- -----------------------------------------------------------------------

Package        : node-moment
Version        : 2.24.0+ds-1+deb10u1
CVE ID         : CVE-2022-24785 CVE-2022-31129
Debian Bug     : 1009327 1014845

Moment.js is a JavaScript date library for parsing, validating,
manipulating, and formatting dates. A couple of vulnerabilities
were reported as follows:

CVE-2022-24785

    A path traversal vulnerability impacts npm (server) users of
    Moment.js, especially if a user-provided locale string is directly
    used to switch moment locale.

CVE-2022-31129

    Affected versions of moment were found to use an inefficient
    parsing algorithm. Specifically using string-to-date parsing in
    moment (more specifically rfc2822 parsing, which is tried by
    default) has quadratic (N^2) complexity on specific inputs. Users
    may notice a noticeable slowdown is observed with inputs above 10k
    characters. Users who pass user-provided strings without sanity
    length checks to moment constructor are vulnerable to (Re)DoS
    attacks.

For Debian 10 buster, these problems have been fixed in version
2.24.0+ds-1+deb10u1.

We recommend that you upgrade your node-moment packages.

For the detailed security status of node-moment please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-moment

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmPYNnwACgkQgj6WdgbD
S5b0dQ//adipaXq1omaIrfeKCPHTUunXuJIkhKtBeR4IyfxaBbOqVQohEMafpd1Q
r27b6tNfRQXe2s55ui5PUHqcN7O62FdZTKC9xFNYx2ZQKMXsycXbgo5i84YAtTgE
RPPVAqZEAqZF2hgGGinxTt2qr3F2C4oCI9e2XAec5PJkNv2LDIUxagsvTECqMX0g
zZ31i8wtlH7QrQd2BDpp6dsGbHPRpV6b7uuGHaeq3wOqeGzsq92wrjVDOnzrHK1S
sJy1TIlim7E5WeVbLkWdg5CutRuo6ZwDyXZv6W6KrOKhGu1vtiUXa7lsLwRrbeoH
rGNvf2Bj9HN8NQ3G7m0sQvtGxLlOTokN/SO03UV8P0LlIMLWba93tFO1/qdHiI0p
j+qC3ZhNjjO4DU+65zEUVXuq4O6zafAb/yUcDSsWYfMISLRBQs9HET618+KCvC57
kMUjoS48KJbMuY9CTWgW81Z31SZUJ9lrgMwiJcx04RVK0h8IxruKtNSq4oaQUSPo
m0Up+IvpiJY6U+ACF59817Hu+nEchz0EBr3erMv8Y47wMhs9INMiAMK1GK/kS34O
zfpDYHOnUARtABsnY8hQRr1nOZVm04KlSv90MaGDssYuYCxtF0Ny1B6XqCFFWt4Y
ZDk8Ww4mA+ZcwTmLrT01OX1MHXDzGl0XAcZvPHHtcJCZFGjQFqQ=
=uLuB
-----END PGP SIGNATURE-----


Reply to: