[Git][security-tracker-team/security-tracker][master] new node-y18n, node-nodemailer issues

Moritz Muehlenhoff jmm at debian.org
Wed Nov 18 13:07:59 GMT 2020



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
9bf419ad by Moritz Muehlenhoff at 2020-11-18T14:07:45+01:00
new node-y18n, node-nodemailer issues
NFUs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -53279,9 +53279,13 @@ CVE-2020-7776
 CVE-2020-7775
 	RESERVED
 CVE-2020-7774 (This affects the package y18n before 5.0.5. PoC by po6ix: const y18n = ...)
-	TODO: check
+	- node-y18n <unfixed>
+	[buster] - node-y18n <no-dsa> (Minor issue)
+	NOTE: https://snyk.io/vuln/SNYK-JS-Y18N-1021887
+	NOTE: https://github.com/yargs/y18n/issues/96
+	NOTE: https://github.com/yargs/y18n/pull/108
 CVE-2020-7773 (This affects the package markdown-it-highlightjs before 3.3.1. It is p ...)
-	TODO: check
+	NOT-FOR-US: Node markdown-it-highlightjs
 CVE-2020-7772 (This affects the package doc-path before 2.1.2. ...)
 	NOT-FOR-US: Node doc-path
 CVE-2020-7771
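Review bot: The CVE-2020-7774 entry marks node-y18n as `<unfixed>` with no bug reference, and its NOTE lines point only at the upstream issue and pull request, while the CVE description already says the problem is in y18n before 5.0.5. Suggest adding a NOTE that names the commit or upstream release carrying the fix, so the `<unfixed>` line can be checked against a concrete version when the package is updated, and a bug reference on the `<unfixed>` line if one has been filed.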
@@ -53289,15 +53293,17 @@ CVE-2020-7771
 CVE-2020-7770 (This affects the package json8 before 1.0.3. The function adds in the  ...)
 	NOT-FOR-US: Node json8
 CVE-2020-7769 (This affects the package nodemailer before 6.4.16. Use of crafted reci ...)
-	TODO: check
+	- node-nodemailer 6.4.16-1
+	NOTE: https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
+	NOTE: https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54
 CVE-2020-7768 (The package grpc before 1.24.4; the package @grpc/grpc-js before 1.1.8 ...)
-	TODO: check
+	NOT-FOR-US: Node grpc
 CVE-2020-7767 (All versions of package express-validators are vulnerable to Regular E ...)
-	TODO: check
+	NOT-FOR-US: Node express-validators
 CVE-2020-7766 (This affects all versions of package json-ptr. The issue occurs in the ...)
-	TODO: check
+	NOT-FOR-US: Node json-ptr
 CVE-2020-7765 (This affects the package @firebase/util before 0.3.4. This vulnerabili ...)
-	TODO: check
+	NOT-FOR-US: Node firebase/util
 CVE-2020-7764 (This affects the package find-my-way before 2.2.5, from 3.0.0 and befo ...)
 	NOT-FOR-US: Node find-my-way
 CVE-2020-7763 (This affects the package phantom-html-to-pdf before 0.6.1. ...)
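Review bot: The CVE-2020-7769 entry records only `- node-nodemailer 6.4.16-1` and has no release-specific line, unlike the `[buster]` line added for CVE-2020-7774 in the previous hunk; if node-nodemailer is present in a stable release, its status there should be stated explicitly. Separately, the NOT-FOR-US text for CVE-2020-7765 reads `Node firebase/util` while the description names `@firebase/util`, and the one for CVE-2020-7768 names only `grpc` although the description also lists `@grpc/grpc-js`; matching the package names from the descriptions keeps these entries searchable.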
@@ -57767,7 +57773,7 @@ CVE-2020-6021
 CVE-2020-6020 (Check Point Security Management's Internal CA web management before Ju ...)
 	NOT-FOR-US: Check Point
 CVE-2020-6019 (Valve's Game Networking Sockets prior to version v1.2.0 improperly han ...)
-	TODO: check
+	NOT-FOR-US: Valve's Game Networking Sockets
 CVE-2020-6018
 	RESERVED
 CVE-2020-6017
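Review bot: The NOT-FOR-US text on CVE-2020-6019 copies the possessive wording from the description (`Valve's Game Networking Sockets`), whereas the neighbouring CVE-2020-6020 entry uses a bare vendor name (`Check Point`). Suggest `NOT-FOR-US: Valve Game Networking Sockets` so the product tag is uniform with the other entries.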



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/9bf419ad6042207774fbceee79c1f7e84ba9f328
