Source: angular.js X-Debbugs-CC: t...@security.debian.org Severity: important Tags: security
Hi, The following vulnerability was published for angular.js. CVE-2022-25844[0]: | The package angular after 1.7.0 are vulnerable to Regular Expression | Denial of Service (ReDoS) by providing a custom locale rule that makes | it possible to assign the parameter in posPre: ' '.repeat() of | NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) | This package has been deprecated and is no longer maintained. 2) The | vulnerable versions are 1.7.0 and higher. https://snyk.io/vuln/SNYK-JS-ANGULAR-2772735 Notably, the website states that AngularJS support ended in January 2022 and that angular.io is the successor? If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2022-25844 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25844 Please adjust the affected versions in the BTS as needed.
