File _patchinfo of Package patchinfo.36129
<patchinfo incident="36129">
  <issue tracker="bnc" id="1227248">VUL-0: CVE-2024-38998: pgadmin4: requirejs: prototype pollution via function config</issue>
  <issue tracker="bnc" id="1229861">VUL-0: CVE-2024-43788: pgadmin4: webpack: DOM clobbering gadget in AutoPublicPathRuntimeModule could lead to XSS</issue>
  <issue tracker="bnc" id="1224366">VUL-0: CVE-2024-4067: pgadmin4: the npm package `micromatch` is vulnerable to Regular Expression Denial of Service (ReDoS)</issue>
  <issue tracker="bnc" id="1224295">VUL-0: CVE-2024-4068: pgadmin4: the npm package `braces` fails to limit the number of characters it can handle, which could lead to Memory Exhaustion</issue>
  <issue tracker="bnc" id="1231564">VUL-0: CVE-2024-48949: pgadmin4: elliptic: Missing Validation in Elliptic's EDDSA Signature Verification</issue>
  <issue tracker="bnc" id="1227252">VUL-0: CVE-2024-38999: pgadmin4: prototype pollution via function s.contexts._.configure</issue>
  <issue tracker="bnc" id="1226967">VUL-0: CVE-2024-38355: pgadmin4: socket.io: unhandled 'error' event</issue>
  <issue tracker="bnc" id="1230928">VUL-0: CVE-2024-9014: pgadmin4: OAuth2 issue in pgAdmin 4</issue>
  <issue tracker="bnc" id="1229423">VUL-0: CVE-2024-39338: pgadmin4: axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs</issue>
  <issue tracker="bnc" id="1231684">VUL-0: CVE-2024-48948: pgadmin4: elliptic: ECDSA signature verification error due to leading zero may reject legitimate transactions</issue>
  <issue tracker="cve" id="2024-48949"/>
  <issue tracker="cve" id="2024-4067"/>
  <issue tracker="cve" id="2024-48948"/>
  <issue tracker="cve" id="2024-9014"/>
  <issue tracker="cve" id="2024-4068"/>
  <issue tracker="cve" id="2024-43788"/>
  <issue tracker="cve" id="2024-38998"/>
  <issue tracker="cve" id="2024-38355"/>
  <issue tracker="cve" id="2024-39338"/>
  <issue tracker="cve" id="2024-38999"/>
  <packager>alarrosa</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for pgadmin4</summary>
  <description>This update for pgadmin4 fixes the following issues:

- CVE-2024-38355: Fixed socket.io: unhandled 'error' event (bsc#1226967)
- CVE-2024-38998: Fixed requirejs: prototype pollution via function config (bsc#1227248)
- CVE-2024-38999: Fixed requirejs: prototype pollution via function s.contexts._.configure (bsc#1227252)
- CVE-2024-39338: Fixed axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs in axios (bsc#1229423)
- CVE-2024-4067: Fixed micromatch: vulnerable to Regular Expression Denial of Service (ReDoS) (bsc#1224366)
- CVE-2024-4068: Fixed braces: fails to limit the number of characters it can handle, which could lead to Memory Exhaustion (bsc#1224295)
- CVE-2024-43788: Fixed webpack: DOM clobbering gadget in AutoPublicPathRuntimeModule could lead to XSS (bsc#1229861)
- CVE-2024-48948: Fixed elliptic: ECDSA signature verification error due to leading zero may reject legitimate transactions in elliptic (bsc#1231684)
- CVE-2024-48949: Fixed elliptic: Missing Validation in Elliptic's EDDSA Signature Verification (bsc#1231564)
- CVE-2024-9014: Fixed OAuth2 issue that could lead to information leak (bsc#1230928)
</description>
</patchinfo>