[Git][security-tracker-team/security-tracker][master] 3 commits: node-*: clarify stretch triage

Sylvain Beucler (@beuc) beuc at debian.org
Thu Apr 21 07:59:24 BST 2022



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
52b3b18f by Sylvain Beucler at 2022-04-21T08:51:31+02:00
node-*: clarify stretch triage

- - - - -
ba251893 by Sylvain Beucler at 2022-04-21T08:54:47+02:00
Revert lts-cve-triage.py changes

This reverts commit 3fceb4e21a287674f166442ed8f5e563010710ff.

- - - - -
22d869d9 by Sylvain Beucler at 2022-04-21T08:56:58+02:00
lts-cve-triage: track buster/stable updates suited for LTS
(re-committed with proper authorship and commit information)
See https://lists.debian.org/debian-lts/2022/04/msg00011.html

- - - - -


2 changed files:

- bin/lts-cve-triage.py
- data/CVE/list


Changes:

=====================================
bin/lts-cve-triage.py
=====================================
@@ -156,6 +156,7 @@ for pkg in tracker.iterate_packages():
 
                 if status_in_next_lts.status == 'resolved':
                     add_to_list('possible_easy_fixes', pkg, issue)
+
         # <no-dsa>/<postponed>/<ignored>/<unimportant>/<undetermined>
         elif status_in_lts.status == 'ignored':
             if (status_in_lts.reason == 'no-dsa' and
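Review bot: the only net change to bin/lts-cve-triage.py in this compare range is the blank line inserted before the `# <no-dsa>/<postponed>/<ignored>/<unimportant>/<undetermined>` comment; the functional change described by the third commit message (tracking buster/stable updates suited for LTS) is not visible here because the revert of 3fceb4e2 and its re-commit as 22d869d9 cancel each other out. That net diff does confirm the re-commit is identical to the reverted change apart from this line, but anyone reviewing the triage logic itself needs to look at commit 22d869d9 or the linked debian-lts thread rather than this notification.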


=====================================
data/CVE/list
=====================================
@@ -60725,7 +60725,7 @@ CVE-2021-32641 (auth0-lock is Auth0's signin solution. Versions of nauth0-lock b
 CVE-2021-32640 (ws is an open source WebSocket client and server library for Node.js.  ...)
 	- node-ws 7.4.2+~cs18.0.8-2
 	[buster] - node-ws 1.1.0+ds1.e6ddaae4-5+deb10u1
-	[stretch] - node-ws <no-dsa> (Minor issue)
+	[stretch] - node-ws <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693
 	NOTE: https://github.com/websockets/ws/commit/00c425ec77993773d823f018f64a5c44e17023ff
 CVE-2021-32639 (Emissary is a P2P-based, data-driven workflow engine. Emissary version ...)
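Review bot: replacing `<no-dsa> (Minor issue)` with `<end-of-life>` also drops the severity hint that the old annotation carried, so the only surviving record that node-ws was judged minor for stretch is the buster line and the NOTE references; if that judgement matters for later reassessment it should be kept in a NOTE line. On the plus side, the reason string `Nodejs in stretch not covered by security support` is repeated verbatim across all nine [stretch] hunks in data/CVE/list, which keeps the triage greppable.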
@@ -63600,7 +63600,7 @@ CVE-2021-31598 (An issue was discovered in libezxml.a in ezXML 0.8.6. The functi
 CVE-2021-31597 (The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL c ...)
 	- node-xmlhttprequest-ssl <unfixed>
 	[buster] - node-xmlhttprequest-ssl <ignored> (Minor issue, should possibly be removed from stable as well)
-	[stretch] - node-xmlhttprequest-ssl <no-dsa> (Minor issue)
+	[stretch] - node-xmlhttprequest-ssl <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/mjwwit/node-XMLHttpRequest/commit/bf53329b61ca6afc5d28f6b8d2dc2e3ca740a9b2
 	NOTE: https://people.kingsds.network/wesgarland/xmlhttprequest-ssl-vuln.txt
 CVE-2021-31596
@@ -74157,7 +74157,7 @@ CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of back
 CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash such as ht ...)
 	- node-url-parse 1.5.1-1 (bug #985110)
 	[buster] - node-url-parse <no-dsa> (Minor issue)
-	[stretch] - node-url-parse <no-dsa> (Minor issue)
+	[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0 (1.5.0)
 	NOTE: https://github.com/unshiftio/url-parse/pull/197
 CVE-2021-27514 (EyesOfNetwork 5.3-10 uses an integer of between 8 and 10 digits for th ...)
@@ -84071,7 +84071,7 @@ CVE-2021-23440 (This affects the package set-value before <2.0.1, >=3.0.0
 	- node-set-value 3.0.1-3 (bug #994448)
 	[bullseye] - node-set-value 3.0.1-2+deb11u1
 	[buster] - node-set-value <no-dsa> (Minor issue)
-	[stretch] - node-set-value <no-dsa> (Minor issue)
+	[stretch] - node-set-value <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/jonschlinkert/set-value/commit/7cf8073bb06bf0c15e08475f9f952823b4576452 (v4.0.1)
 	NOTE: https://github.com/jonschlinkert/set-value/pull/33/commits/383b72d47c74a55ae8b6e231da548f9280a4296a
 	NOTE: https://github.com/jonschlinkert/set-value/pull/33
@@ -101262,7 +101262,7 @@ CVE-2020-28470 (This affects the package @scullyio/scully before 1.0.9. The tran
 CVE-2020-28469 (This affects the package glob-parent before 5.1.2. The enclosure regex ...)
 	- node-glob-parent 5.1.1+~5.1.0-2
 	[buster] - node-glob-parent 3.1.0-1+deb10u1
-	[stretch] - node-glob-parent <postponed> (Minor issue; can be fixed in next update)
+	[stretch] - node-glob-parent <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905
 	NOTE: https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366
 CVE-2020-28468 (This affects the package pwntools before 4.3.1. The shellcraft generat ...)
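Review bot: the removed line `<postponed> (Minor issue; can be fixed in next update)` recorded an intent to ship a stretch fix for node-glob-parent with a later update, and `<end-of-life>` withdraws that intent rather than deferring it; since buster already carries 3.1.0-1+deb10u1, it would be worth saying in the commit message (or a NOTE) that the pending stretch update is being dropped, so nobody reads the postponed state from an older checkout and prepares an upload that will not be released.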
@@ -103265,7 +103265,7 @@ CVE-2020-28282 (Prototype pollution vulnerability in 'getobject' version 0.1.0 a
 	- node-getobject 1.0.2-1
 	[bullseye] - node-getobject 0.1.0-2+deb11u1
 	[buster] - node-getobject 0.1.0-2+deb10u1
-	[stretch] - node-getobject <no-dsa> (Minor issue)
+	[stretch] - node-getobject <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/cowboy/node-getobject/commit/84071748fa407caa8f824e0d0b9c1cde9ec56633 (v1.0.0)
 CVE-2020-28281 (Prototype pollution vulnerability in 'set-object-value' versions 0.0.0 ...)
 	NOT-FOR-US: react-atomic-organism
@@ -133702,7 +133702,7 @@ CVE-2020-15257 (containerd is an industry-standard container runtime and is avai
 CVE-2020-15256 (A prototype pollution vulnerability has been found in `object-path` &l ...)
 	- node-object-path 0.11.5-3
 	[buster] - node-object-path 0.11.4-2+deb10u1
-	[stretch] - node-object-path <postponed> (Minor issue)
+	[stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/mariocasciaro/object-path/security/advisories/GHSA-cwx2-736x-mf6w
 CVE-2020-15255 (In Anuko Time Tracker before verion 1.19.23.5325, due to not properly  ...)
 	NOT-FOR-US: Anuko Time Tracker
@@ -154979,7 +154979,7 @@ CVE-2020-7775 (This affects all versions of package freediskspace. The vulnerabi
 CVE-2020-7774 (This affects the package y18n before 3.2.2, 4.0.1 and 5.0.5. PoC by po ...)
 	- node-y18n 4.0.0-3 (bug #976390)
 	[buster] - node-y18n 3.2.1-2+deb10u1
-	[stretch] - node-y18n <no-dsa> (Minor issue)
+	[stretch] - node-y18n <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://snyk.io/vuln/SNYK-JS-Y18N-1021887
 	NOTE: https://github.com/yargs/y18n/issues/96
 	NOTE: https://github.com/yargs/y18n/pull/108
@@ -164583,7 +164583,7 @@ CVE-2020-3940 (VMware Workspace ONE SDK and dependent mobile application updates
 CVE-2019-20149 (ctorName in index.js in kind-of v6.0.2 allows external user input to o ...)
 	- node-kind-of 6.0.3+dfsg-1 (bug #948095)
 	[buster] - node-kind-of 6.0.2+dfsg-1+deb10u1
-	[stretch] - node-kind-of <no-dsa> (Minor issue; can be fixed via point release)
+	[stretch] - node-kind-of <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/jonschlinkert/kind-of/issues/30
 	NOTE: https://github.com/jonschlinkert/kind-of/pull/31
 CVE-2019-20148 (An issue was discovered in GitLab Community Edition (CE) and Enterpris ...)
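Review bot: the dropped annotation `(Minor issue; can be fixed via point release)` pointed at a point-release route for node-kind-of in stretch; before this hunk lands as `<end-of-life>`, check that no stretch point-release upload is still queued, otherwise the tracker will show the package as unsupported at the same time an update is published.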



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b3d94a24023b533b7083d384f7dcecb6189f1f2b...22d869d989da3d4fa8ae376b5a69fcf5c8367da2
