[Git][security-tracker-team/security-tracker][master] 3 commits: CVE-2022-21227/node-sqlite3: buster not-affected

Sylvain Beucler (@beuc) beuc at debian.org
Fri Nov 11 11:35:10 GMT 2022



Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
af25ae6a by Sylvain Beucler at 2022-11-11T12:20:38+01:00
CVE-2022-21227/node-sqlite3: buster not-affected

- - - - -
cfa302c1 by Sylvain Beucler at 2022-11-11T12:27:46+01:00
CVE-2021-33623/node-trim-newlines: reference patches

- - - - -
fea4d7f9 by Sylvain Beucler at 2022-11-11T12:34:30+01:00
dla: add NodeJS packages with bullseye-pu to backport

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -55390,11 +55390,12 @@ CVE-2022-21230 (This affects all versions of package org.nanohttpd:nanohttpd. Wh
 CVE-2022-21227 (The package sqlite3 before 5.0.3 are vulnerable to Denial of Service ( ...)
 	- node-sqlite3 5.0.6+ds1-1
 	[bullseye] - node-sqlite3 5.0.0+ds1-1+deb11u1
-	[buster] - node-sqlite3 <no-dsa> (minor issue)
+	[buster] - node-sqlite3 <not-affected> (Vulnerable code introduced later)
 	[stretch] - node-sqlite3 <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/advisories/GHSA-9qrh-qjmc-5w2p
 	NOTE: Fixed by: https://github.com/TryGhost/node-sqlite3/commit/593c9d498be2510d286349134537e3bf89401c4a (v5.0.3)
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-SQLITE3-2388645
+	NOTE: Introduced by: https://github.com/TryGhost/node-sqlite3/commit/dd3ef522088bb5cafede25b9fe661f892b6f10ba (v5.0.0)
 CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to Comman ...)
 	NOT-FOR-US: cocoapods-downloader
 CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...)
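Review bot: the new buster justification `<not-affected> (Vulnerable code introduced later)` only holds if the node-sqlite3 version shipped in buster predates the introducing commit, and neither the buster version nor the introducing version appears in the reason text; since the added NOTE already records `Introduced by: ... (v5.0.0)`, suggest stating that version in the justification, e.g. `[buster] - node-sqlite3 <not-affected> (Vulnerable code introduced in 5.0.0)`, so the next triager can check the claim against the buster package version without re-reading upstream history. The bullseye line (5.0.0+ds1-1+deb11u1) is consistent with an introduction in v5.0.0, which supports the change.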
@@ -104866,6 +104867,8 @@ CVE-2021-33623 (The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for
 	[buster] - node-trim-newlines <no-dsa> (Minor issue)
 	[stretch] - node-trim-newlines <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://github.com/advisories/GHSA-7p7h-4mm5-852v
+	NOTE: https://github.com/sindresorhus/trim-newlines/commit/25246c6ce5eea1c82d448998733a6302a4350d91 (v4.0.1)
+	NOTE: https://github.com/sindresorhus/trim-newlines/commit/b10d5f4afef832b16bc56d49fc52c68cbd403869 (v3.0.1)
 CVE-2021-33622 (Sylabs Singularity 3.5.x and 3.6.x, and SingularityPRO before 3.5-8, h ...)
 	[experimental] - singularity-container 3.9.4+ds2-1
 	- singularity-container 3.9.5+ds1-2 (bug #990201)
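Review bot: the two added commit references lack the `Fixed by:` label this file uses elsewhere for fix commits (compare the node-sqlite3 entry's `NOTE: Fixed by: https://github.com/TryGhost/node-sqlite3/commit/... (v5.0.3)`), so it is not obvious from the entry that these are the upstream fixes for 4.0.1 and 3.0.1 rather than further background links; suggest `NOTE: Fixed by: https://github.com/sindresorhus/trim-newlines/commit/b10d5f4afef832b16bc56d49fc52c68cbd403869 (v3.0.1)` and likewise for the 4.0.1 commit. Separately, the buster line is left at `<no-dsa> (Minor issue)` while the data/dla-needed.txt hunk in this same push queues node-trim-newlines for a buster update; if the plan is to ship the fix via a DLA, this line will need updating when that happens.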


=====================================
data/dla-needed.txt
=====================================
@@ -164,12 +164,68 @@ netatalk
   NOTE: 20220816: Programming language: C.
   NOTE: 20220912: We get errors in the log, not present on bookworm. Needs more investigation. (stefanor)
 --
+node-cached-path-relative
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
 node-css-what
   NOTE: 20221031: Programming language: Javascript.
 --
+node-eventsource
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
+--
+node-fetch
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-follow-redirects
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-got
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.4 (Beuc/front-desk)
+--
+node-json-schema
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.2 (Beuc/front-desk)
+--
+node-loader-utils
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: upcoming bullseye PU https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1023798 (Beuc/front-desk)
+--
+node-log4js
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.5 (Beuc/front-desk)
+--
+node-moment
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.4 and 11.5 (Beuc/front-desk)
+--
+node-nth-check
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-object-path
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
+--
+node-set-value
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
+--
 node-tar
   NOTE: 20220907: Programming language: JavaScript.
 --
+node-trim-newlines
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
+--
+node-url-parse
+  NOTE: 20221111: Programming language: JavaScript.
+  NOTE: 20221111: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk)
+--
 nodejs
   NOTE: 20221105: Programming language: Javascript, C/C++, Python
   NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git
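Review bot: the new entries point at a bullseye point release (`Follow fixes from bullseye 11.3`) but do not name the CVE ids those point-release updates addressed, so whoever claims the package has to reconstruct the scope from the point-release changelog; the node-loader-utils entry shows the better pattern by citing the bullseye-pu bug (#1023798), and the other entries would benefit from either the bug number or the CVE list where known. Minor: the new entries spell the language `JavaScript` while the unchanged node-css-what and nodejs entries in the same hunk use `Javascript`; whichever form is preferred, keeping it consistent within the file helps anyone grepping by language.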



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ed88d9e44bbe54b8b4497a912af00a1d1acab7c6...fea4d7f9f38f203364dfb0401cef272a94a55a86


