
Bug#1014779: angular.js: CVE-2022-25844


Moritz Mühlenhoff

Jul 11, 2022, 3:30:03 PM
Source: angular.js
X-Debbugs-CC: te...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for angular.js.

CVE-2022-25844[0]:
| The package angular after 1.7.0 are vulnerable to Regular Expression
| Denial of Service (ReDoS) by providing a custom locale rule that makes
| it possible to assign the parameter in posPre: ' '.repeat() of
| NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1)
| This package has been deprecated and is no longer maintained. 2) The
| vulnerable versions are 1.7.0 and higher.

https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735

Notably, the website states that AngularJS support ended in January 2022
and that angular.io is the successor?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25844

Please adjust the affected versions in the BTS as needed.
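Since the advisory quoted above attributes the ReDoS to a custom locale rule that sets NUMBER_FORMATS.PATTERNS[1].posPre to a very long string, an application that accepts locale overrides can bound those affix strings before handing them to $locale. The following is an added example, not code from the bug report or from AngularJS; the field names follow the shape of AngularJS's $locale.NUMBER_FORMATS.PATTERNS, while checkNumberFormatPatterns and the MAX_AFFIX_LEN bound are assumptions of this example.

```javascript
// Defensive filter for application-supplied locale overrides (added example).
// MAX_AFFIX_LEN is an assumed, arbitrary bound; AngularJS itself has no such limit.
const MAX_AFFIX_LEN = 16;
const AFFIX_FIELDS = ["posPre", "posSuf", "negPre", "negSuf"];

// Returns { ok: true, patterns } with copied, validated pattern objects,
// or { ok: false, reason } if any affix is not a string or is too long.
function checkNumberFormatPatterns(patterns) {
  if (!Array.isArray(patterns)) {
    return { ok: false, reason: "PATTERNS must be an array" };
  }
  const out = [];
  for (let i = 0; i < patterns.length; i++) {
    const p = patterns[i];
    if (p === null || typeof p !== "object") {
      return { ok: false, reason: `PATTERNS[${i}] is not an object` };
    }
    const copy = { ...p };
    for (const f of AFFIX_FIELDS) {
      if (!(f in p)) continue;
      const v = p[f];
      if (typeof v !== "string") {
        return { ok: false, reason: `PATTERNS[${i}].${f} is not a string` };
      }
      if (v.length > MAX_AFFIX_LEN) {
        return { ok: false, reason: `PATTERNS[${i}].${f} exceeds ${MAX_AFFIX_LEN} characters` };
      }
      copy[f] = v;
    }
    out.push(copy);
  }
  return { ok: true, patterns: out };
}

// Constructed sample input: a plain decimal pattern and a currency pattern,
// as found in $locale.NUMBER_FORMATS.PATTERNS[0] and [1].
const NORMAL = [
  { minInt: 1, minFrac: 0, maxFrac: 3, posPre: "", posSuf: "", negPre: "-", negSuf: "", gSize: 3, lgSize: 3 },
  { minInt: 1, minFrac: 2, maxFrac: 2, posPre: "\u00a4", posSuf: "", negPre: "-\u00a4", negSuf: "", gSize: 3, lgSize: 3 },
];
// Constructed override with an oversized posPre on PATTERNS[1], which the filter rejects.
const OVERSIZED = [NORMAL[0], { ...NORMAL[1], posPre: " ".repeat(MAX_AFFIX_LEN + 1) }];
```

Apply the filter to any locale data that originates outside the application before it is merged into $locale; the rejected object is never passed on.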

László Böszörményi

Jul 12, 2022, 10:50:04 AM
Hi Moritz,

On Mon, Jul 11, 2022 at 9:27 PM Moritz Mühlenhoff <j...@inutil.org> wrote:
> The following vulnerability was published for angular.js.
>
> CVE-2022-25844[0]:
I don't think this will be fixed officially.

> Notably, the website states that AngularJS support ended in January 2022
> and that angular.io is the successor?
A quick timeline for clarification. Indeed, Angular.io is the successor
of AngularJS. I think it was first released in 2016. At that time
upstream, Google, stated that support for AngularJS would end in January
2018. Maybe because big projects were still using it, support was
extended to January 2022 (this year). This time it really ended;
the projects remain online but read-only. The successor, Angular.io,
still lives and is developed.
I don't have numbers, but it seems enough big projects still use
AngularJS; at least two commercial companies still support it (one to
the end of [?] 2023, the other till 2027 as far as I know), for money of
course. That is, I doubt a fix will be publicly available. Google
already supported it for six years after it was deprecated.
What is the Security Team's preference? Should I wait a long time to see
whether a fix becomes available, or simply ask for the removal of the
package in some months?

Regards,
Laszlo/GCS

Moritz Mühlenhoff

May 24, 2023, 4:00:07 AM
Sorry, this fell through the cracks and I'm currently working through
my backlog of mail.

There are too many dependencies to remove it at this point, but let's
remove it after the bookworm release by filing RC bugs against
the rdeps?

Cheers,
Moritz

Checking reverse dependencies...
# Broken Depends:
glowing-bear: glowing-bear
lemonldap-ng: liblemonldap-ng-manager-perl
libjs-angular-file-upload: libjs-angular-file-upload
libjs-angular-gettext: libjs-angular-gettext
libjs-angular-schema-form: libjs-angular-schema-form
libjs-angularjs-smart-table: libjs-angularjs-smart-table
libjs-lrdragndrop: libjs-lrdragndrop
libjs-magic-search: libjs-magic-search
nqp: nqp
nqp-data
ola: ola
python-xstatic-angular: python3-xstatic-angular
python-xstatic-angular-cookies: python3-xstatic-angular-cookies
python-xstatic-angular-mock: python3-xstatic-angular-mock
python-xstatic-angular-schema-form: python3-xstatic-angular-schema-form
qcumber: qcumber
rally: python3-rally

# Broken Build-Depends:
civicrm: libjs-angularjs

Dependency problem found.