[Git][security-tracker-team/security-tracker][master] New node-url-parse issue

Moritz Muehlenhoff jmm at debian.org
Mon Aug 13 17:14:01 BST 2018 

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aee95687 by Moritz Muehlenhoff at 2018-08-13T16:13:37Z
New node-url-parse issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -18349,7 +18349,6 @@ CVE-2018-8011 (By specially crafting HTTP requests, the mod_md challenge handler
 	[jessie] - apache2 <not-affected> (Vulnerable code not present; mod_md module)
 	NOTE: http://www.openwall.com/lists/oss-security/2018/07/18/2
 	NOTE: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
-	TODO: check, should affect only the specific 2.4.33 version (unless issue backported)
 CVE-2018-8010 (This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 ...)
 	- lucene-solr <not-affected> (Do not allow to upload configsets via the API)
 	NOTE: Versions 5.x and earlier are not affected by the vulnerability, since
@@ -30942,7 +30941,7 @@ CVE-2018-3781
 CVE-2018-3780
 	RESERVED
 CVE-2018-3779 (active-support ruby gem 5.2.0 could allow a remote attacker to execute ...)
-	TODO: check
+	NOT-FOR-US: Trojaned gem release
 CVE-2018-3778 (Improper authorization in aedes version <0.35.0 will publish a LWT in ...)
 	NOT-FOR-US: aedes
 CVE-2018-3777 (Insufficient URI encoding in restforce before 3.0.0 allows attacker to ...)
@@ -30952,7 +30951,11 @@ CVE-2018-3776 (Improper input validator in Nextcloud Server prior to 12.0.3 and 
 CVE-2018-3775 (Improper Authentication in Nextcloud Server prior to version 12.0.3 ...)
 	- nextcloud <itp> (bug #835086)
 CVE-2018-3774 (Incorrect parsing in url-parse <1.4.3 returns wrong hostname which ...)
-	TODO: check
+	- node-url-parse <unfixed> (unimportant)
+	NOTE: https://hackerone.com/reports/384029
+	NOTE: https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a
+	NOTE: https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de
+	NOTE: nodejs not covered by security support
 CVE-2018-3773 (There is a stored Cross-Site Scripting vulnerability in Open Graph ...)
 	NOT-FOR-US: metascrape nodejs module
 CVE-2018-3772 (Concatenating unsanitized user input in the `whereis` npm module < ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aee9568771b46625e2903c3580ab5a9522749160

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/aee9568771b46625e2903c3580ab5a9522749160
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20180813/72eb7196/attachment-0001.html>

More information about the debian-security-tracker-commits mailing list