[Git][security-tracker-team/security-tracker][master] update fixed status for a number of older nodejs and node-foo packages
Moritz Muehlenhoff
jmm at debian.org
Mon Apr 8 20:20:31 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c9d96e49 by Moritz Muehlenhoff at 2019-04-08T19:19:58Z
update fixed status for a number of older nodejs and node-foo packages
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -47982,17 +47982,17 @@ CVE-2018-12125
CVE-2018-12124
RESERVED
CVE-2018-12123 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): https://github.com/nodejs/node/commit/53a6e4eb2002efc66eb9aefe24529fb63715094e
CVE-2018-12122 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): https://github.com/nodejs/node/commit/696f063c5e9157fd10859515da00fd8bd190d76d
CVE-2018-12121 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): https://github.com/nodejs/node/commit/93dba83fb0fb46ee2ea87163f435392490b4d59b
@@ -48009,12 +48009,13 @@ CVE-2018-12118
CVE-2018-12117
RESERVED
CVE-2018-12116 (Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: Patch (v8): https://github.com/nodejs/node/commit/513e9747a22386bc9c93a12f9698561827a1e631
+ NOTE: Only affects 6.x and 8.x, marking first 10.x release as fixed
CVE-2018-12115 (In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when use ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
NOTE: Nodejs not covered by security support
NOTE: https://github.com/nodejs/node/commit/fc14d812b7
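Review bot: the new NOTE for CVE-2018-12116 says "marking first 10.x release as fixed", while the equivalent NOTE added for CVE-2018-7167 later in this patch says "marking first 10.x upload to sid as fixed"; "release" can be read as the upstream 10.0.0 release, so use the "first 10.x upload to sid" wording here as well. CVE-2018-12115 gets the same fixed version 10.15.0~dfsg-6 without an explanatory NOTE, which is acceptable because its description already states the upstream fix in 10.9.0.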
@@ -61711,17 +61712,17 @@ CVE-2018-7169 (An issue was discovered in shadow 4.5. newgidmap (in shadow-utils
CVE-2018-7168
RESERVED
CVE-2018-7167 (Calling Buffer.fill() or Buffer.alloc() with some parameters can lead ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167
+ NOTE: Doesn't affect 10.x, marking first 10.x upload to sid as fixed
CVE-2018-7166 (In all versions of Node.js 10 prior to 10.9.0, an argument processing ...)
- [experimental] - nodejs <unfixed>
- nodejs <not-affected> (Only affects 10.x and later)
NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
NOTE: https://github.com/nodejs/node/commit/40a7beeddac9b9ec9ef5b49157daaf8470648b08
CVE-2018-7165
RESERVED
CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and the sever ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
[stretch] - nodejs <not-affected> (Only affects >= 9.x)
[jessie] - nodejs <not-affected> (Only affects >= 9.x)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#memory-exhaustion-dos-on-v9-x-cve-2018-7164
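Review bot: dropping the "[experimental] - nodejs <unfixed>" line for CVE-2018-7166 leaves "nodejs <not-affected> (Only affects 10.x and later)" as the only status, but that reason no longer holds once 10.15.0~dfsg-6 is in the archive, as this patch records for the neighbouring CVEs; the actual reason is that the first 10.x upload already contains the upstream fix from 10.9.0. Either reword the reason, e.g. "(Only affects 10.x before 10.9.0)", or record 10.15.0~dfsg-6 as the fixed version the way the entry for CVE-2018-7167 just above does.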
@@ -61729,24 +61730,24 @@ CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and the
CVE-2018-7163
RESERVED
CVE-2018-7162 (All versions of Node.js 9.x and 10.x are vulnerable and the severity i ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
[stretch] - nodejs <not-affected> (Only affects >= 8.x)
[jessie] - nodejs <not-affected> (Only affects >= 8.x)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-tls-cve-2018-7162
NOTE: https://github.com/nodejs/node/commit/0cb3325f1
CVE-2018-7161 (All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the seve ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 10.15.0~dfsg-6 (unimportant)
[stretch] - nodejs <not-affected> (Only affects >= 8.x)
[jessie] - nodejs <not-affected> (Only affects >= 8.x)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-http-2-cve-2018-7161
NOTE: https://github.com/nodejs/node/commit/8bf213dbdc7e
CVE-2018-7160 (The Node.js inspector, in 6.x and later is vulnerable to a DNS rebindi ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 8.11.1~dfsg-2 (unimportant)
[stretch] - nodejs <not-affected> (Vulnerable code not present)
[jessie] - nodejs <not-affected> (Vulnerable code not present)
[wheezy] - nodejs <not-affected> (Vulnerable code not present)
CVE-2018-7159 (The HTTP parser in all current versions of Node.js ignores spaces in t ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs 8.11.1~dfsg-2 (unimportant)
CVE-2018-7158 (The `'path'` module in the Node.js 4.x release line contains a potenti ...)
- nodejs 6.0.0~dfsg-1 (unimportant)
CVE-2018-7157
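Review bot: CVE-2018-7160 and CVE-2018-7159 are switched to 8.11.1~dfsg-2 without any NOTE pointing at the upstream advisory or fix, unlike the entries around them; add the upstream advisory URL so the chosen fixed version can be checked later. While touching this region, the [stretch]/[jessie] reason for CVE-2018-7162 reads "Only affects >= 8.x" although the description says 9.x and 10.x (the CVE-2018-7164 entry above correctly says ">= 9.x"), so that unchanged context line is worth correcting in the same commit.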
@@ -85886,7 +85887,7 @@ CVE-2017-16084 (list-n-stream is a server for static files to list and stream lo
CVE-2017-16083 (node-simple-router is a minimalistic router for Node. node-simple-rout ...)
NOT-FOR-US: node-simple-router
CVE-2017-16082 (A remote code execution vulnerability was found within the pg module w ...)
- - node-postgres <unfixed> (unimportant)
+ - node-postgres 7.7.1-1 (unimportant)
NOTE: https://nodesecurity.io/advisories/521
NOTE: nodejs not covered by security support
CVE-2017-16081 (cross-env.js was a malicious module published with the intent to hijac ...)
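Review bot: the description is truncated, so nothing in the entry records which upstream pg version contains the fix for CVE-2017-16082; add a "NOTE: fixed in <upstream version>" line (as the CVE-2015-XXXX entry further down does with "fixed in 0.11.1") so that the choice of 7.7.1-1 as the Debian fixed version is verifiable from the tracker alone.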
@@ -86410,7 +86411,7 @@ CVE-2016-10541 (The npm module "shell-quote" 1.6.0 and earlier cannot correctly
NOTE: https://nodesecurity.io/advisories/117
NOTE: nodejs not covered by security support
CVE-2016-10540 (Minimatch is a minimal matching utility that works by converting glob ...)
- - node-minimatch <unfixed> (unimportant)
+ - node-minimatch 3.0.3-1 (unimportant)
NOTE: https://nodesecurity.io/advisories/118
NOTE: https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955
NOTE: libv8 is not covered by security support
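Review bot: the trailing "NOTE: libv8 is not covered by security support" is misleading on a node-minimatch entry; minimatch is a pure JavaScript package and the other entries in this patch use "nodejs not covered by security support". Since the status line is being touched anyway, align the NOTE with the rest.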
@@ -89795,7 +89796,7 @@ CVE-2017-14921 (Stored XSS vulnerability via IMG element at "Filename" of Filema
CVE-2017-14920 (Stored XSS vulnerability in eGroupware Community Edition before 16.1.2 ...)
NOT-FOR-US: eGroupware
CVE-2017-14919 (Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows r ...)
- - nodejs <unfixed> (unimportant)
+ - nodejs <not-affected> (Debian didn't use an affected zlib version)
NOTE: Debian doesn't use zlib 1.2.9 yet
NOTE: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
CVE-2017-14918 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...)
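Review bot: the new status reason "Debian didn't use an affected zlib version" and the existing NOTE "Debian doesn't use zlib 1.2.9 yet" disagree in tense, and "yet" implies the not-affected status can flip once a newer zlib enters the archive. State which zlib range is affected and whether the Debian nodejs package builds against the system zlib rather than its bundled copy; if exposure depends on a future zlib upload, recording the first nodejs version that carries the upstream fix from the linked advisory would be more robust than <not-affected>.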
@@ -144617,7 +144618,7 @@ CVE-2016-1000024
RESERVED
CVE-2016-1000022
RESERVED
- - node-negotiator <unfixed> (unimportant)
+ - node-negotiator 0.6.1-1 (unimportant)
NOTE: https://nodesecurity.io/advisories/106
NOTE: https://github.com/distributedweaknessfiling/DWF-Database/commit/5e607a0cad2769db2be5aafc4d9b1ec49bd7bbbc
NOTE: nodejs not covered by security support
@@ -151712,14 +151713,14 @@ CVE-2015-8861 (The handlebars package before 4.0.0 for Node.js allows remote att
NOTE: node-handlebars only in experimental for now, fixed in 4.0.0
NOTE: libv8 is not covered by security support
CVE-2015-8860 (The tar package before 2.0.0 for Node.js allows remote attackers to wr ...)
- - node-tar <unfixed> (unimportant)
+ - node-tar 2.2.1-1 (unimportant)
NOTE: libv8 is not covered by security support
CVE-2015-8859 (The send package before 0.11.1 for Node.js allows attackers to obtain ...)
- - node-send <unfixed> (unimportant)
+ - node-send 0.16.2-1 (unimportant)
NOTE: libv8 is not covered by security support
NOTE: https://nodesecurity.io/advisories/56
CVE-2015-8858 (The uglify-js package before 2.6.0 for Node.js allows attackers to cau ...)
- - uglifyjs <unfixed> (unimportant)
+ - uglifyjs 2.7.4-1 (unimportant)
NOTE: libv8 is not covered by security support
NOTE: https://nodesecurity.io/advisories/48
CVE-2015-8854 (The marked package before 0.3.4 for Node.js allows attackers to cause ...)
@@ -151943,7 +151944,7 @@ CVE-2016-4020 (The patch_instruction function in hw/i386/kvmvapic.c in QEMU does
NOTE: http://www.openwall.com/lists/oss-security/2016/04/13/6
CVE-2015-8851
RESERVED
- - node-uuid <unfixed> (unimportant)
+ - node-uuid 1.4.7-1 (unimportant)
NOTE: https://github.com/broofa/node-uuid/issues/108
NOTE: https://github.com/broofa/node-uuid/issues/118
NOTE: https://github.com/broofa/node-uuid/issues/122
@@ -156682,7 +156683,7 @@ CVE-2015-8857 (The uglify-js package before 2.4.24 for Node.js does not properly
NOTE: https://nodesecurity.io/advisories/39
NOTE: nodejs not covered by security support
CVE-2015-XXXX [root path disclosure]
- - node-send <unfixed> (unimportant)
+ - node-send 0.16.2-1 (unimportant)
NOTE: fixed in 0.11.1
NOTE: https://github.com/pillarjs/send/pull/70
NOTE: https://github.com/expressjs/serve-static/blob/master/HISTORY.md#181--2015-01-20
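Review bot: this CVE-2015-XXXX placeholder entry (root path disclosure in node-send, "fixed in 0.11.1", https://github.com/pillarjs/send/pull/70) describes the same issue as CVE-2015-8859 earlier in this patch (send before 0.11.1, nodesecurity advisory 56), which now receives the identical fixed version 0.16.2-1; if they are one issue, fold the placeholder into the CVE-2015-8859 entry instead of keeping a second record with its own status.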
@@ -182961,7 +182962,7 @@ CVE-2015-2311 (Integer underflow in Sandstorm Cap'n Proto before 0.4.1.1 and 0.5
CVE-2015-2310 (Integer overflow in layout.c++ in Sandstorm Cap'n Proto before 0.4.1.1 ...)
- capnproto 0.4.1-3 (bug #780565)
CVE-2015-8856 (Cross-site scripting (XSS) vulnerability in the serve-index package be ...)
- - node-serve-index <unfixed> (unimportant)
+ - node-serve-index 1.9.1-1 (unimportant)
NOTE: libv8 is not covered by security support
NOTE: https://nodesecurity.io/advisories/serve-static-xss
NOTE: https://github.com/expressjs/serve-index/issues/28
@@ -198607,7 +198608,7 @@ CVE-2014-6394 (visionmedia send before 0.8.4 for Node.js uses a partial comparis
- node-send 0.9.4-1
NOTE: https://nodesecurity.io/advisories/send-directory-traversal
CVE-2014-6393 (The Express web framework before 3.11 and 4.x before 4.5 for Node.js d ...)
- - node-express <unfixed> (unimportant)
+ - node-express 4.16.4-1 (unimportant)
NOTE: libv8 is not covered by security support
CVE-2014-6392 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the Faceboo ...)
NOT-FOR-US: Facebook app and Facebook Messenger app for iOS
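Review bot: the fixed version recorded for CVE-2014-6393 is 4.16.4-1 although upstream fixed the issue in 3.11 / 4.5; the tracker treats every archive version below the recorded fixed version as vulnerable, so if an earlier node-express upload already shipped 4.5 or later, that earlier version should be recorded instead (the context line above shows node-send tracked at 0.9.4-1, not its latest version, for CVE-2014-6394). The same check applies to the other node-* fixed versions in this commit.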
@@ -200672,8 +200673,7 @@ CVE-2014-6269 (Multiple integer overflows in the http_request_forward_body funct
NOTE: http://article.gmane.org/gmane.comp.web.haproxy/18097
NOTE: http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=b4d05093bc89f71377230228007e69a1434c1a0c
CVE-2014-5256 (Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider th ...)
- - nodejs <unfixed> (unimportant; bug #760385)
- NOTE: libv8 is not covered by security support
+ - nodejs 0.10.38~dfsg-1 (unimportant; bug #760385)
CVE-2014-7402 (The SK encar (aka com.encardirect.app) application @7F050000 for Andro ...)
NOT-FOR-US: SK encar (aka com.encardirect.app) application for Android
CVE-2013-7402 (Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allo ...)
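Review bot: the "NOTE: libv8 is not covered by security support" line is removed for CVE-2014-5256 but kept on the node-tar, node-send, uglifyjs, node-serve-index and node-express entries elsewhere in this patch; if the line is being dropped as obsolete, drop it consistently, and if it still carries meaning, keep it here as well. The new fixed version 0.10.38~dfsg-1 is consistent with the description (0.10 before 0.10.30), and retaining "bug #760385" in the status is correct.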
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9d96e49ef1ce16a831069e716456b249a2db0f7