[Git][security-tracker-team/security-tracker][master] Reserve DLA-3221-1 for node-cached-path-relative
Guilhem Moulin (@guilhem)
guilhem at debian.org
Sun Dec 4 23:42:31 GMT 2022
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
182c83f1 by Guilhem Moulin at 2022-12-05T00:42:09+01:00
Reserve DLA-3221-1 for node-cached-path-relative
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -135265,7 +135265,6 @@ CVE-2021-23519
CVE-2021-23518 (The package cached-path-relative before 1.1.0 are vulnerable to Protot ...)
- node-cached-path-relative 1.1.0+~1.0.0-1 (bug #1004338)
[bullseye] - node-cached-path-relative 1.0.2-1+deb11u1
- [buster] - node-cached-path-relative <no-dsa> (Minor issue)
NOTE: https://github.com/ashaffer/cached-path-relative/commit/40c73bf70c58add5aec7d11e4f36b93d144bb760
NOTE: results from incomplete fix for https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573
NOTE: which was CVE-2018-16472.
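Review bot: at the removed `[buster] - node-cached-path-relative <no-dsa> (Minor issue)` line nothing replaces the annotation, so after this hunk CVE-2021-23518 has no buster line in data/CVE/list and the buster fixed version appears only in data/DLA/list. If a later automatic step does not add `[buster] - node-cached-path-relative 1.0.1-2+deb10u1` to this entry, add it in this commit, so the entry does not read as if only the unstable and bullseye versions apply.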
@@ -291873,7 +291872,6 @@ CVE-2018-16473 (A path traversal in takeapeek module versions <=0.2.2 allows
NOT-FOR-US: takeapeek
CVE-2018-16472 (A prototype pollution attack in cached-path-relative versions <=1.0 ...)
- node-cached-path-relative 1.0.2-1
- [buster] - node-cached-path-relative <no-dsa> (Minor issue)
NOTE: https://hackerone.com/reports/390847
NOTE: https://github.com/ashaffer/cached-path-relative/issues/3
NOTE: Fixed by: https://github.com/ashaffer/cached-path-relative/commit/a43cffec84ed0e9eceecb43b534b6937a8028fc0
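Review bot: the `<no-dsa>` removal under CVE-2018-16472 should be checked against the NOTE in the CVE-2021-23518 entry, which says the upstream fix for this CVE was incomplete. The buster version is based on 1.0.1, older than the 1.0.2-1 fix recorded here, so confirm that the upload backports both a43cffec84ed0e9eceecb43b534b6937a8028fc0 and 40c73bf70c58add5aec7d11e4f36b93d144bb760. A NOTE naming the backported commits would make that verifiable from the tracker.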
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[05 Dec 2022] DLA-3221-1 node-cached-path-relative - security update
+ {CVE-2018-16472 CVE-2021-23518}
+ [buster] - node-cached-path-relative 1.0.1-2+deb10u1
[04 Dec 2022] DLA-3220-1 clamav - new upstream version
[buster] - clamav 0.103.7+dfsg-0+deb10u1
[04 Dec 2022] DLA-3219-1 jhead - security update
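Review bot: the `[buster] - node-cached-path-relative 1.0.1-2+deb10u1` line is written while the commit subject still says "Reserve", and nothing in the commit shows whether that upload has been accepted. If the package is re-versioned or rejected, this line needs a follow-up commit. The CVE set `{CVE-2018-16472 CVE-2021-23518}` does match the two entries edited in data/CVE/list.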
=====================================
data/dla-needed.txt
=====================================
@@ -165,10 +165,6 @@ nextcloud-desktop
NOTE: 20221128: VCS: https://salsa.debian.org/owncloud-team/nextcloud-desktop
NOTE: 20221128: Please coordinate with maintainer the usage of their git-repo (gladk).
--
-node-cached-path-relative (guilhem)
- NOTE: 20221111: Programming language: JavaScript.
- NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
---
node-css-what
NOTE: 20221031: Programming language: Javascript.
--
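Review bot: with `NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)` removed, the origin of the buster patch is no longer recorded in any of the three files; mention it in the commit message or the advisory text if it matters for later triage. The separator handling is right: one `--` is removed with the entry and one remains between nextcloud-desktop and node-css-what.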
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/182c83f195c2fd06ce7571ea8594fa66ffbdd023