[Git][security-tracker-team/security-tracker][master] nodejs: reflect security-support-limited ->...

Sylvain Beucler beuc at debian.org
Sat Feb 22 14:11:36 GMT 2020



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
083abf1f by Sylvain Beucler at 2020-02-22T15:06:44+01:00
nodejs: reflect security-support-limited -> security-support-ended.deb8,security-support-ended.deb9 in debian-security-support

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -29041,21 +29041,21 @@ CVE-2019-16777 (Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arb
 	[experimental] - npm 6.13.4+ds-1
 	- npm 6.13.4+ds-2 (bug #947127)
 	[buster] - npm <no-dsa> (Minor issue)
-	[jessie] - npm <ignored> (Nodejs in Jessie not covered by security support)
+	[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/npm/cli/security/advisories/GHSA-4328-8hgf-7wjr
 	NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
 CVE-2019-16776 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...)
 	[experimental] - npm 6.13.4+ds-1
 	- npm 6.13.4+ds-2 (bug #947127)
 	[buster] - npm <no-dsa> (Minor issue)
-	[jessie] - npm <ignored> (Nodejs in Jessie not covered by security support)
+	[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46
 	NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
 CVE-2019-16775 (Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary ...)
 	[experimental] - npm 6.13.4+ds-1
 	- npm 6.13.4+ds-2 (bug #947127)
 	[buster] - npm <no-dsa> (Minor issue)
-	[jessie] - npm <ignored> (Nodejs in Jessie not covered by security support)
+	[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/npm/cli/security/advisories/GHSA-m6cx-g6qm-p2cx
 	NOTE: https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli
 CVE-2019-16774 (In phpfastcache before 5.1.3, there is a possible object injection vul ...)
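Review bot: The reason on the three `[jessie] - npm <end-of-life>` lines (CVE-2019-16777, CVE-2019-16776, CVE-2019-16775) still reads "Nodejs in jessie not covered by security support", although the package on the line is npm. Consider wording it so the link is explicit, for example "npm depends on Nodejs, which is not covered by security support in jessie", so someone reading only the npm entry does not have to infer why a Nodejs support decision applies.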
@@ -32424,18 +32424,18 @@ CVE-2019-15607 (A stored XSS vulnerability is present within node-red (version:
 	NOT-FOR-US: node-red
 CVE-2019-15606 (Including trailing white space in HTTP header values in Nodejs 10, 12, ...)
 	- nodejs <unfixed>
-	[jessie] - nodejs <ignored> (Nodejs in Jessie not covered by security support)
+	[jessie] - nodejs <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://hackerone.com/reports/730779
 	NOTE: https://github.com/nodejs/node/commit/2eee90e959ca4abaf53caf238d063c396f2ea17c (10.x)
 CVE-2019-15605 (HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payl ...)
 	- nodejs <unfixed>
-	[jessie] - nodejs <ignored> (Nodejs in Jessie not covered by security support)
+	[jessie] - nodejs <end-of-life> (Nodejs in jessie not covered by security support)
 	- http-parser <unfixed>
 	NOTE: https://hackerone.com/reports/735748
 	NOTE: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b (http-parser)
 CVE-2019-15604 (Improper Certificate Validation in Node.js 10, 12, and 13 causes the p ...)
 	- nodejs <unfixed>
-	[jessie] - nodejs <ignored> (Nodejs in Jessie not covered by security support)
+	[jessie] - nodejs <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://hackerone.com/reports/746733
 	NOTE: https://github.com/nodejs/node/commit/f940bee3b7da865e28093472dee9ce664f273f6d (10.x)
 CVE-2019-15603 (The seefl package v0.1.1 is vulnerable to a stored Cross-Site Scriptin ...)
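Review bot: CVE-2019-15606, CVE-2019-15605 and CVE-2019-15604 get a `[jessie] - nodejs <end-of-life>` line but no `[stretch]` line, even though the commit subject also names security-support-ended.deb9 and other hunks in this commit mark stretch next to jessie. With only `- nodejs <unfixed>` above it, stretch remains listed as plainly unfixed for these three entries. If nodejs in stretch is affected, add `[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)` to each.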
@@ -34554,8 +34554,8 @@ CVE-2019-14940 (In Storage Performance Development Kit (SPDK) before 19.07, a us
 	NOT-FOR-US: Storage Performance Development Kit
 CVE-2019-14939 (An issue was discovered in the mysql (aka mysqljs) module 2.17.1 for N ...)
 	- node-mysql 2.18.0-1 (bug #934712)
-	[stretch] - node-mysql <ignored> (Nodejs in stretch not covered by security support)
-	[jessie] - node-mysql <ignored> (Nodejs in Jessie not covered by security support)
+	[stretch] - node-mysql <end-of-life> (Nodejs in stretch not covered by security support)
+	[jessie] - node-mysql <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/mysqljs/mysql/issues/2257
 CVE-2019-14938
 	RESERVED
@@ -41322,7 +41322,7 @@ CVE-2019-13173 (fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite.
 	- node-fstream 1.0.12-1 (bug #931408)
 	[buster] - node-fstream 1.0.10-1+deb10u1
 	[stretch] - node-fstream 1.0.10-1+deb9u1
-	[jessie] - node-fstream <ignored> (Nodejs in jessie not covered by security support)
+	[jessie] - node-fstream <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://www.npmjs.com/advisories/886
 	NOTE: https://github.com/npm/fstream/commit/6a77d2fa6e1462693cf8e46f930da96ec1b0bb22
 CVE-2019-13172
@@ -45765,8 +45765,8 @@ CVE-2018-20835 (A vulnerability was found in tar-fs before 1.16.2. An Arbitrary
 	- node-tar-fs <itp> (bug #897023)
 CVE-2018-20834 (A vulnerability was found in node-tar before version 4.4.2 (excluding  ...)
 	- node-tar 4.4.4+ds1-2
-	[stretch] - node-tar <ignored> (Nodejs in stretch not covered by security support)
-	[jessie] - node-tar <no-dsa> (Minor issue)
+	[stretch] - node-tar <end-of-life> (Nodejs in stretch not covered by security support, minor issue)
+	[jessie] - node-tar <end-of-life> (Nodejs in jessie not covered by security support, minor issue)
 	NOTE: https://github.com/npm/node-tar/commit/b0c58433c22f5e7fe8b1c76373f27e3f81dcd4c8
 	NOTE: https://hackerone.com/reports/344595
 CVE-2018-20833
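Review bot: On CVE-2018-20834 the new `[stretch] - node-tar` reason gains ", minor issue", which the removed stretch line did not carry; only the jessie line was `<no-dsa> (Minor issue)`. Either drop the suffix from the stretch line or state in the commit message that the severity assessment was extended to stretch, since the subject describes only the support-status change.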
@@ -48148,8 +48148,8 @@ CVE-2019-10745 (assign-deep is vulnerable to Prototype Pollution in versions bef
 CVE-2019-10744 (Versions of lodash lower than 4.17.12 are vulnerable to Prototype Poll ...)
 	- node-lodash 4.17.15+dfsg-1 (bug #933079)
 	[buster] - node-lodash 4.17.11+dfsg-2+deb10u1
-	[stretch] - node-lodash <ignored> (Nodejs in stretch not covered by security support)
-	[jessie] - node-lodash <ignored> (Nodejs in stretch not covered by security support)
+	[stretch] - node-lodash <end-of-life> (Nodejs in stretch not covered by security support)
+	[jessie] - node-lodash <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://snyk.io/vuln/SNYK-JS-LODASH-450202
 	NOTE: https://github.com/lodash/lodash/issues/4348
 	NOTE: https://github.com/lodash/lodash/pull/4336
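Review bot: The `[jessie] - node-lodash` line for CVE-2019-10744 also has its reason changed from "Nodejs in stretch" to "Nodejs in jessie", a copy-paste correction that is separate from the `<ignored>` to `<end-of-life>` change. The fix itself looks right given the `[jessie]` tag; a short mention in the commit message would keep it from being read as a purely mechanical rename.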
@@ -135984,7 +135984,7 @@ CVE-2017-16130 (exxxxxxxxxxx is an Http eX Frame Google Style JavaScript Guide.
 CVE-2017-16129 (The HTTP client module superagent is vulnerable to ZIP bomb attacks. I ...)
 	- node-superagent 0.20.0+dfsg-2
 	[stretch] - node-superagent 0.20.0+dfsg-1+deb9u2
-	[jessie] - node-superagent <ignored> (Nodejs in jessie not covered by security support)
+	[jessie] - node-superagent <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/visionmedia/superagent/issues/1259
 	NOTE: https://nodesecurity.io/advisories/479
 CVE-2017-16128 (The module npm-script-demo opened a connection to a command and contro ...)
@@ -136007,8 +136007,8 @@ CVE-2017-16120 (liyujing is a static file server. liyujing is vulnerable to a di
 	NOT-FOR-US: liyujing
 CVE-2017-16119 (Fresh is a module used by the Express.js framework for HTTP response f ...)
 	- node-fresh 0.2.0-2 (bug #927715)
-	[stretch] - node-fresh <ignored> (Nodejs in stretch not covered by security support)
-	[jessie] - node-fresh <ignored> (Nodejs in jessie not covered by security support)
+	[stretch] - node-fresh <end-of-life> (Nodejs in stretch not covered by security support)
+	[jessie] - node-fresh <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/526
 CVE-2017-16118 (The forwarded module is used by the Express.js framework to handle the ...)
 	NOT-FOR-US: forwarded nodejs module
@@ -136204,8 +136204,8 @@ CVE-2017-16027
 	RESERVED
 CVE-2017-16026 (Request is an http client. If a request is made using ```multipart```, ...)
 	- node-request 2.88.1-1 (bug #901708)
-	[stretch] - node-request <ignored> (Nodejs in stretch not covered by security support)
-	[jessie] - node-request <ignored> (Nodejs in jessie not covered by security support)
+	[stretch] - node-request <end-of-life> (Nodejs in stretch not covered by security support)
+	[jessie] - node-request <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://github.com/request/request/issues/1904
 	NOTE: https://nodesecurity.io/advisories/309
 	NOTE: https://github.com/request/request/pull/2018
@@ -136603,7 +136603,7 @@ CVE-2016-10543 (call is an HTTP router that is primarily used by the hapi framew
 CVE-2016-10542 (ws is a "simple to use, blazing fast and thoroughly tested websocket c ...)
 	- node-ws 1.1.0+ds1.e6ddaae4-5 (bug #927671)
 	[stretch] - node-ws 1.1.0+ds1.e6ddaae4-3+deb9u1
-	[jessie] - node-ws <ignored> (Nodejs in jessie not covered by security support)
+	[jessie] - node-ws <end-of-life> (Nodejs in jessie not covered by security support)
 	NOTE: https://nodesecurity.io/advisories/120
 	NOTE: https://github.com/nodejs/node/issues/7388
 CVE-2016-10541 (The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ...)
@@ -202312,7 +202312,7 @@ CVE-2016-3957 (The secure_load function in gluon/utils.py in web2py before 2.14.
 	[wheezy] - web2py <not-affected> (Vulnerable code not present)
 CVE-2016-3956 (The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js  ...)
 	- npm 5.8.0+ds-2 (bug #850322)
-	[jessie] - npm <no-dsa> (Minor issue)
+	[jessie] - npm <end-of-life> (Nodejs in jessie not covered by security support, minor issue)
 	NOTE: https://github.com/npm/npm/issues/8380
 	NOTE: https://github.com/npm/npm/commit/fea8cc92cee02c720b58f95f14d315507ccad401 (2.15.1)
 	NOTE: https://github.com/npm/npm/commit/f67ecad59e99a03e5aad8e93cd1a086ae087cb29 (3.8.3)
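Review bot: The `[jessie] - npm` line for CVE-2016-3956 goes from `<no-dsa> (Minor issue)` to `<end-of-life>`, so here a triage decision is replaced by a support-status one, unlike the lines that only swap `<ignored>`. Keeping ", minor issue" in the reason preserves the earlier assessment, which is good; please confirm that overriding `<no-dsa>` is intended for entries triaged before support ended.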



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/083abf1f6b828ce633c8c6f4460b0eeac3c34c51
