[Git][security-tracker-team/security-tracker][master] drop unimportant status for remaining node-* issues
Moritz Muehlenhoff
jmm at debian.org
Tue Apr 16 22:11:24 BST 2019
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c8d37302 by Moritz Muehlenhoff at 2019-04-16T21:10:42Z
drop unimportant status for remaining node-* issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -72534,11 +72534,10 @@ CVE-2018-3776 (Improper input validator in Nextcloud Server prior to 12.0.3 and
CVE-2018-3775 (Improper Authentication in Nextcloud Server prior to version 12.0.3 wo ...)
- nextcloud <itp> (bug #835086)
CVE-2018-3774 (Incorrect parsing in url-parse <1.4.3 returns wrong hostname which ...)
- - node-url-parse 1.2.0-2 (unimportant; bug #906058)
+ - node-url-parse 1.2.0-2 (bug #906058)
NOTE: https://hackerone.com/reports/384029
NOTE: https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a
NOTE: https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de
- NOTE: nodejs not covered by security support
CVE-2018-3773 (There is a stored Cross-Site Scripting vulnerability in Open Graph met ...)
NOT-FOR-US: metascrape nodejs module
CVE-2018-3772 (Concatenating unsanitized user input in the `whereis` npm module < ...)
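Review bot: the node-url-parse line goes from `(unimportant; bug #906058)` to `(bug #906058)` with nothing put in the severity slot, so the entry is now unrated rather than explicitly rated. Because the fix is already recorded as 1.2.0-2, the practical effect is limited to versions before that, but if the issue is meant to be rated now that the "nodejs not covered by security support" NOTE is gone, add an explicit severity in the same parentheses instead of leaving it empty.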
@@ -72633,10 +72632,9 @@ CVE-2018-3739 (https-proxy-agent before 2.1.1 passes auth option to the Buffer c
CVE-2018-3738 (protobufjs is vulnerable to ReDoS when parsing crafted invalid .proto ...)
NOT-FOR-US: protobufjs
CVE-2018-3737 (sshpk is vulnerable to ReDoS when parsing crafted invalid public keys. ...)
- - node-sshpk 1.13.1+dfsg-2 (unimportant; bug #901093)
+ - node-sshpk 1.13.1+dfsg-2 (bug #901093)
NOTE: https://github.com/joyent/node-sshpk/issues/44
NOTE: https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957
- NOTE: nodejs not covered by security support
CVE-2018-3736
REJECTED
CVE-2018-3735 (bracket-template suffers from reflected XSS possible when variable pas ...)
@@ -72681,9 +72679,8 @@ CVE-2018-3721 (lodash node module before 4.17.5 suffers from a Modification of A
CVE-2018-3720 (assign-deep node module before 0.4.7 suffers from a Modification of As ...)
NOT-FOR-US: assign-deep node module
CVE-2018-3719 (mixin-deep node module before 1.3.1 suffers from a Modification of Ass ...)
- - node-mixin-deep <unfixed> (unimportant; bug #898315)
+ - node-mixin-deep <unfixed> (bug #898315)
NOTE: https://nodesecurity.io/advisories/578
- NOTE: nodejs not covered by security support
CVE-2018-3718 (serve node module suffers from Improper Handling of URL Encoding by pe ...)
NOT-FOR-US: serve node module
CVE-2018-3717 (connect node module before 2.14.0 suffers from a Cross-Site Scripting ...)
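Review bot: node-mixin-deep keeps `<unfixed>` while losing `unimportant`, so this now reads as an open, unrated issue in every suite that ships the package, with only `bug #898315` and the advisory NOTE left as context. If the intent is to track it only for suites where nodejs is security-supported, add a suite-qualified status line in the `[suite] - package <status>` form used elsewhere in this file rather than relying on the bare `<unfixed>`.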
@@ -80589,10 +80586,9 @@ CVE-2018-1110 [Improper Input Validation]
NOTE: http://www.openwall.com/lists/oss-security/2018/04/23/2
CVE-2018-1109
RESERVED
- - node-braces <unfixed> (unimportant)
+ - node-braces <unfixed>
NOTE: https://snyk.io/vuln/npm:braces:20180219
NOTE: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
- NOTE: nodejs not covered by security support
CVE-2018-1108 (kernel drivers before version 4.17-rc1 are vulnerable to a weakness in ...)
- linux 4.16.5-1
[jessie] - linux <not-affected> (Vulnerable code not present)
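Review bot: CVE-2018-1109 is still RESERVED and, unlike the other entries touched in this commit, the node-braces line carries no `bug #` reference; with `unimportant` removed it becomes a tracked open issue whose only anchors are the snyk advisory and the upstream commit. Consider filing a Debian bug and recording it as `(bug #…)` on the `node-braces <unfixed>` line so the open issue has a Debian-side reference like the node-mixin-deep and node-sshpk entries do.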
@@ -86717,10 +86713,9 @@ CVE-2017-16131 (unicorn-list is a web framework. unicorn-list is vulnerable to a
CVE-2017-16130 (exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide. exxxxx ...)
NOT-FOR-US: exxxxxxxxxxx
CVE-2017-16129 (The HTTP client module superagent is vulnerable to ZIP bomb attacks. I ...)
- - node-superagent <unfixed> (unimportant)
+ - node-superagent <unfixed>
NOTE: https://github.com/visionmedia/superagent/issues/1259
NOTE: https://nodesecurity.io/advisories/479
- NOTE: nodejs not covered by security support
CVE-2017-16128 (The module npm-script-demo opened a connection to a command and contro ...)
NOT-FOR-US: npm-script-demo
CVE-2017-16127 (The module pandora-doomsday infects other modules. It's since been unp ...)
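Review bot: node-superagent is now tracked as open, but the NOTEs reference only the upstream issue (visionmedia/superagent#1259) and the NSP advisory, not a fixing commit or release, so there is nothing here that tells the next triager which version would close the entry. Once the upstream fix is identified, record the commit as a NOTE and replace `<unfixed>` with the fixed Debian version; until then a bug reference on the `node-superagent <unfixed>` line would help, as the entry currently has none.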
@@ -86740,9 +86735,8 @@ CVE-2017-16121 (datachannel-client is a signaling implementation for DataChannel
CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a director ...)
NOT-FOR-US: liyujing
CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...)
- - node-fresh <unfixed> (unimportant)
+ - node-fresh <unfixed>
NOTE: https://nodesecurity.io/advisories/526
- NOTE: nodejs not covered by security support
CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...)
NOT-FOR-US: forwarded nodejs module
CVE-2017-16117 (slug is a module to slugify strings, even if they contain unicode. slu ...)
@@ -86935,11 +86929,10 @@ CVE-2017-16028 (react-native-meteor-oauth is a library for Oauth2 login to a Met
CVE-2017-16027
RESERVED
CVE-2017-16026 (Request is an http client. If a request is made using ```multipart```, ...)
- - node-request <unfixed> (unimportant; bug #901708)
+ - node-request <unfixed> (bug #901708)
NOTE: https://github.com/request/request/issues/1904
NOTE: https://nodesecurity.io/advisories/309
NOTE: https://github.com/request/request/pull/2018
- NOTE: nodejs not covered by security support
CVE-2017-16025 (Nes is a websocket extension library for hapi. Hapi is a webserver fra ...)
NOT-FOR-US: Nes
CVE-2017-16024 (The sync-exec module is used to simulate child_process.execSync in nod ...)
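Review bot: the node-request entry references request/pull/2018 yet still reads `<unfixed>`; if that pull request has shipped in a release, the fixed version should be recorded here so the issue does not stay open in the tracker now that it counts. If it has not been merged, a short NOTE saying so would make the `<unfixed>` state deliberate rather than stale, alongside the retained `bug #901708`.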
@@ -87332,10 +87325,9 @@ CVE-2016-10544 (uws is a WebSocket server library. By sending a 256mb websocket
CVE-2016-10543 (call is an HTTP router that is primarily used by the hapi framework. T ...)
NOT-FOR-US: call HTTP router
CVE-2016-10542 (ws is a "simple to use, blazing fast and thoroughly tested websocket c ...)
- - node-ws <unfixed> (unimportant)
+ - node-ws <unfixed>
NOTE: https://nodesecurity.io/advisories/120
NOTE: https://github.com/nodejs/node/issues/7388
- NOTE: nodejs not covered by security support
CVE-2016-10541 (The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ...)
- node-shell-quote <not-affected> (Fixed before initial upload to Debian)
NOTE: https://nodesecurity.io/advisories/117
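Review bot: the second NOTE on the node-ws entry points at the nodejs core tracker (nodejs/node#7388) rather than the ws repository, and nothing in the entry explains the relation or names a ws fix. Since `node-ws <unfixed>` is now a tracked open issue, add a one-line NOTE on how the core issue bears on ws, or a pointer to the ws-side fix, so the reference is actionable for whoever follows up.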
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c8d373022c2be072f87df84ce36fda7f970d7409