Bug#1014779: angular.js: CVE-2022-25844
On Tue, Jul 12, 2022 at 04:44:36PM +0200, László Böszörményi (GCS) wrote:
> Hi Moritz,
>
> On Mon, Jul 11, 2022 at 9:27 PM Moritz Mühlenhoff wrote:
> > The following vulnerability was published for angular.js.
> >
> > CVE-2022-25844[0]:
> I don't think this will be fixed officially.
>
> > Notably, the website states that AngularJS support ended in January 2022
> > and that angular.io is the successor?
> Quick timeline for clarification. Indeed, Angular.io is the successor
> of AngularJS. I think it was first released in 2016. At that time
> upstream (Google) stated that support for AngularJS would end in January
> 2018. Maybe because big projects were still using it, the support was
> extended to January 2022 (this year). This time it really finished;
> the projects remain online but read-only. The successor, Angular.io,
> still lives and is developed.
> I don't have numbers, but it seems enough big projects still use
> AngularJS; at least two commercial companies still support it (one to
> the end of [?] 2023, the other till 2027 as far as I know), for money of
> course. That is, I doubt the fix will be publicly available. Google
> already supported it for six years after it was deprecated.
> What's the option of the Security Team? Should I wait for long if a
> fix becomes available or simply ask for the removal of the package in
> some months?

Sorry, this fell through the cracks and I'm currently working through my
backlog of mail.

There are too many dependencies to remove it at this point, but let's
remove it after the bookworm release by filing RC bugs against the rdeps?

Cheers,
        Moritz

Checking reverse dependencies...
# Broken Depends:
glowing-bear: glowing-bear
lemonldap-ng: liblemonldap-ng-manager-perl
libjs-angular-file-upload: libjs-angular-file-upload
libjs-angular-gettext: libjs-angular-gettext
libjs-angular-schema-form: libjs-angular-schema-form
libjs-angularjs-smart-table: libjs-angularjs-smart-table
libjs-lrdragndrop: libjs-lrdragndrop
libjs-magic-search: libjs-magic-search
nqp: nqp
     nqp-data
ola: ola
python-xstatic-angular: python3-xstatic-angular
python-xstatic-angular-cookies: python3-xstatic-angular-cookies
python-xstatic-angular-mock: python3-xstatic-angular-mock
python-xstatic-angular-schema-form: python3-xstatic-angular-schema-form
qcumber: qcumber
rally: python3-rally

# Broken Build-Depends:
civicrm: libjs-angularjs

Dependency problem found.
Bug#1014779: angular.js: CVE-2022-25844
Hi Moritz,

On Mon, Jul 11, 2022 at 9:27 PM Moritz Mühlenhoff wrote:
> The following vulnerability was published for angular.js.
>
> CVE-2022-25844[0]:
I don't think this will be fixed officially.

> Notably, the website states that AngularJS support ended in January 2022
> and that angular.io is the successor?
Quick timeline for clarification. Indeed, Angular.io is the successor
of AngularJS. I think it was first released in 2016. At that time
upstream (Google) stated that support for AngularJS would end in January
2018. Maybe because big projects were still using it, the support was
extended to January 2022 (this year). This time it really finished;
the projects remain online but read-only. The successor, Angular.io,
still lives and is developed.

I don't have numbers, but it seems enough big projects still use
AngularJS; at least two commercial companies still support it (one to
the end of [?] 2023, the other till 2027 as far as I know), for money of
course. That is, I doubt the fix will be publicly available. Google
already supported it for six years after it was deprecated.

What's the option of the Security Team? Should I wait for long if a
fix becomes available or simply ask for the removal of the package in
some months?

Regards,
Laszlo/GCS
Bug#1014779: angular.js: CVE-2022-25844
Source: angular.js
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for angular.js.

CVE-2022-25844[0]:
| The package angular after 1.7.0 are vulnerable to Regular Expression
| Denial of Service (ReDoS) by providing a custom locale rule that makes
| it possible to assign the parameter in posPre: ' '.repeat() of
| NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1)
| This package has been deprecated and is no longer maintained. 2) The
| vulnerable versions are 1.7.0 and higher.

https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735

Notably, the website states that AngularJS support ended in January 2022
and that angular.io is the successor?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25844
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25844

Please adjust the affected versions in the BTS as needed.
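The Snyk text quoted in the report above describes a locale pattern field (NUMBER_FORMATS.PATTERNS[1].posPre) whose attacker-chosen size ends up in ' '.repeat(). The defensive lesson is that locale data supplied at runtime is input like any other and has to be bounded before a formatter uses it. The following JavaScript is an added example, not angular.js code and not part of this bug report: a hypothetical locale loader that type- and bound-checks every affix string and digit-count field of a PATTERNS-style object, plus a toy formatter that only ever runs on validated patterns. Only the name posPre comes from the advisory; the other field names, the bounds (MAX_AFFIX_LENGTH, MAX_DIGITS), the formatter and the sample locales are assumptions constructed for illustration.

```javascript
// Added example, not angular.js code: treat locale number patterns as untrusted input.
// posPre comes from the CVE text; the remaining field names, the bounds and the toy
// formatter are assumptions for illustration.

const MAX_AFFIX_LENGTH = 16; // assumed bound for prefix/suffix strings
const MAX_DIGITS = 20;       // assumed bound for digit-count fields

const STRING_FIELDS = ['posPre', 'posSuf', 'negPre', 'negSuf'];
const INT_FIELDS = ['minInt', 'minFrac', 'maxFrac', 'gSize', 'lgSize'];

// Returns { ok: true } or { ok: false, reason }. Every field is type- and bound-checked,
// so no locale-supplied value reaches String.prototype.repeat() with an unbounded count.
function validatePattern(pattern) {
  if (pattern === null || typeof pattern !== 'object') {
    return { ok: false, reason: 'pattern is not an object' };
  }
  for (const f of STRING_FIELDS) {
    const v = pattern[f];
    if (typeof v !== 'string') return { ok: false, reason: `${f} must be a string` };
    if (v.length > MAX_AFFIX_LENGTH) {
      return { ok: false, reason: `${f} is longer than ${MAX_AFFIX_LENGTH} characters` };
    }
  }
  for (const f of INT_FIELDS) {
    const v = pattern[f];
    if (!Number.isInteger(v) || v < 0 || v > MAX_DIGITS) {
      return { ok: false, reason: `${f} must be an integer in [0, ${MAX_DIGITS}]` };
    }
  }
  if (pattern.minFrac > pattern.maxFrac) {
    return { ok: false, reason: 'minFrac must not exceed maxFrac' };
  }
  return { ok: true };
}

// Accepts an array of patterns (index 1 is the slot the CVE text refers to) and rejects
// the whole locale if any entry fails validation; accepted patterns are frozen.
function loadLocalePatterns(patterns) {
  if (!Array.isArray(patterns)) throw new TypeError('patterns must be an array');
  return patterns.map((p, i) => {
    const r = validatePattern(p);
    if (!r.ok) throw new RangeError(`PATTERNS[${i}]: ${r.reason}`);
    return Object.freeze({ ...p });
  });
}

// Toy formatter: only call it with validated patterns, so the repeat() counts and the
// affix lengths are bounded by the constants above.
function formatWithPattern(value, pattern) {
  const negative = value < 0;
  let [intPart, fracPart = ''] = Math.abs(value).toFixed(pattern.maxFrac).split('.');
  fracPart = fracPart.replace(/0+$/, '');
  if (fracPart.length < pattern.minFrac) {
    fracPart += '0'.repeat(pattern.minFrac - fracPart.length);
  }
  if (intPart.length < pattern.minInt) {
    intPart = '0'.repeat(pattern.minInt - intPart.length) + intPart;
  }
  // Digit grouping: the last gSize digits form one group, earlier groups have lgSize digits.
  let grouped = intPart;
  if (pattern.gSize > 0 && intPart.length > pattern.gSize) {
    grouped = ',' + intPart.slice(-pattern.gSize);
    let rest = intPart.slice(0, -pattern.gSize);
    const step = pattern.lgSize > 0 ? pattern.lgSize : pattern.gSize;
    while (rest.length > step) {
      grouped = ',' + rest.slice(-step) + grouped;
      rest = rest.slice(0, -step);
    }
    grouped = rest + grouped;
  }
  const digits = fracPart ? `${grouped}.${fracPart}` : grouped;
  return negative
    ? pattern.negPre + digits + pattern.negSuf
    : pattern.posPre + digits + pattern.posSuf;
}

// Constructed sample locale: a plain decimal pattern and a currency-style pattern.
const SAMPLE_PATTERNS = [
  { minInt: 1, minFrac: 0, maxFrac: 3, posPre: '', posSuf: '', negPre: '-', negSuf: '', gSize: 3, lgSize: 3 },
  { minInt: 1, minFrac: 2, maxFrac: 2, posPre: '\u00a4', posSuf: '', negPre: '-\u00a4', negSuf: '', gSize: 3, lgSize: 3 },
];

// Constructed hostile locale: the second pattern's posPre is absurdly long, the shape
// the advisory describes. The loader must reject it before any formatter sees it.
const HOSTILE_PATTERNS = [
  SAMPLE_PATTERNS[0],
  { ...SAMPLE_PATTERNS[1], posPre: ' '.repeat(1 << 20) },
];

// Returns the loader's error message for a locale, or null if the locale was accepted.
function rejectionReason(patterns) {
  try {
    loadLocalePatterns(patterns);
    return null;
  } catch (e) {
    return e.message;
  }
}
```

Rejecting the whole locale rather than clamping a single field is deliberate: a pattern array with one out-of-range entry is malformed input, and silently repairing it would hide the fact that something untrusted reached the formatter's configuration.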