[Git][security-tracker-team/security-tracker][master] CVE-2021-22930,CVE-2021-22940/nodejs: reference issues and complete patch

Sylvain Beucler (@beuc) beuc at debian.org
Tue Sep 6 18:05:01 BST 2022 


Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b59278eb by Sylvain Beucler at 2022-09-06T19:04:45+02:00
CVE-2021-22930,CVE-2021-22940/nodejs: reference issues and complete patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -115429,6 +115429,8 @@ CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a u
 	[bullseye] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 not applied)
 	[buster] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 not applied)
 	[stretch] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 not applied)
+	NOTE: https://github.com/nodejs/node/pull/39423
+	NOTE: https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b (v12.22.5)
 	NOTE: https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940
 CVE-2021-22939 (If the Node.js https API was used incorrectly and "undefined" was in p ...)
 	- nodejs 12.22.5~dfsg-1
@@ -115456,7 +115458,8 @@ CVE-2021-22930 (Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a u
 	- nodejs 12.22.4~dfsg-1
 	[bullseye] - nodejs 12.22.5~dfsg-2~11u1
 	[stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by security support)
-	NOTE: https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05
+	NOTE: https://github.com/nodejs/node/issues/38964
+	NOTE: https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05 (v12.22.4)
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22930
 	NOTE: Possible incomplete fix (at least for v12): https://github.com/nodejs/node/issues/38964#issuecomment-889936936
 	NOTE: CVE for the incomplete fix tracked as CVE-2021-22940



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b59278eb311b5db0ed165e604e41ec4e70c01c54

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b59278eb311b5db0ed165e604e41ec4e70c01c54
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20220906/a2b40afc/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list