[Git][security-tracker-team/security-tracker][master] 2 commits: Update information on CVE-2020-8252

Fri Oct 2 23:04:45 BST 2020


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e9bebf3c by Salvatore Bonaccorso at 2020-10-03T00:04:03+02:00
Update information on CVE-2020-8252

- - - - -
234ee99a by Salvatore Bonaccorso at 2020-10-03T00:04:26+02:00
Remove libuv1 from dsa-needed list

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -43065,7 +43065,7 @@ CVE-2020-8254
 CVE-2020-8253 (Improper authentication in Citrix XenMobile Server 10.12 before RP2, C ...)
 	NOT-FOR-US: Citrix
 CVE-2020-8252 (The implementation of realpath in libuv < 10.22.1, < 12.18.4, an ...)
-	- libuv1 1.39.0-1
+	- libuv1 1.39.0-1 (unimportant)
 	[stretch] - libuv1 <not-affected> (Vulnerable code introduced later)
 	NOTE: https://hackerone.com/reports/965914
 	NOTE: https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252
@@ -43074,6 +43074,8 @@ CVE-2020-8252 (The implementation of realpath in libuv < 10.22.1, < 12.18.
 	NOTE: https://github.com/libuv/libuv/issues/2965
 	NOTE: Introduced by: https://github.com/libuv/libuv/commit/b56d279b172fbe78dee2fb1d29cae9c9c5c6d1c4 (v1.24.0)
 	NOTE: Fixed by: https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd (v1.39.0)
+	NOTE: Broken path in uv__fs_realpath() only taken when libuv1 build in
+	NOTE: pre-POSIX.2008 mode (defined(_POSIX_VERSION) && _POSIX_VERSION < 200809L).
 CVE-2020-8251 (Node.js < 14.11.0 is vulnerable to HTTP denial of service (DoS) att ...)
 	- nodejs <not-affected> (Only affects 14.x series)
 	NOTE: https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#denial-of-service-by-resource-exhaustion-cwe-400-due-to-unfinished-http-1-1-requests-critical-cve-2020-8251


=====================================
data/dsa-needed.txt
=====================================
@@ -21,8 +21,6 @@ curl (ghedo)
 knot-resolver
   Santiago Ruano Rincón proposed a debdiff for review
 --
-libuv1
---
 linux (carnil)
   Wait until more issues have piled up
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ca132793af0eafa7dc15ce9c5ec8f6f90d35a26a...234ee99a5fca0afa8bf6c8c723b416f8557fed4d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ca132793af0eafa7dc15ce9c5ec8f6f90d35a26a...234ee99a5fca0afa8bf6c8c723b416f8557fed4d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20201002/05bd2001/attachment-0001.html>
