[Git][security-tracker-team/security-tracker][master] CVE-2018-20834,node-tar: no-dsa for Jessie

Markus Koschany apo at debian.org
Wed May 1 15:26:24 BST 2019



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
81af438c by Markus Koschany at 2019-05-01T14:23:06Z
CVE-2018-20834,node-tar: no-dsa for Jessie

The vulnerable code is in extract.js. There are more sanity checks missing that
were only added in later versions but the overall impact for Debian users is
minor.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -65,6 +65,7 @@ CVE-2018-20835 (A vulnerability was found in tar-fs before 1.16.2. An Arbitrary
 CVE-2018-20834 (A vulnerability was found in node-tar before version 4.4.2. An Arbitra ...)
 	- node-tar 4.4.4+ds1-2
 	[stretch] - node-tar <ignored> (Nodejs in stretch not covered by security support)
+	[jessie] - node-tar <no-dsa> (Minor issue)
 	NOTE: https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
 	NOTE: https://hackerone.com/reports/344595
 CVE-2018-20833
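
Review bot: the added `[jessie] - node-tar <no-dsa> (Minor issue)` line gives only a generic reason, while the actual rationale (the vulnerable code is in extract.js, and further sanity checks added in later versions are also missing) exists only in the commit message. Consider recording that in data/CVE/list itself, either in the parenthetical or as an extra NOTE: line under the entry, so the triage decision can be understood from the tracker data without digging through the git history. The `[stretch]` line just above shows the pattern of a specific reason in the parenthetical.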



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/81af438c312ea47374a4aa599fd9efbb5e74052d
