[Git][security-tracker-team/security-tracker][master] four nodejs issues ignored for bullseye

[Moritz Muehlenhoff (@jmm)]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
0084a5ac by Moritz Muehlenhoff at 2023-12-22T20:15:49+01:00
four nodejs issues ignored for bullseye

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -22162,6 +22162,7 @@ CVE-2023-33241 (Crypto wallets implementing the GG18 or GG20 TSS protocol might
 	NOT-FOR-US: Crypto wallets implementing the GG18 or GG20 TSS protocol
 CVE-2023-32559 (A privilege escalation vulnerability exists in the experimental policy ...)
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
+	[bullseye] - nodejs <ignored> (Only affects experimental policy manifests)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559
 	NOTE: https://github.com/nodejs/node/commit/d4570fae358693b8f7fec05294b9bb92a966226d (v18.x)
@@ -22171,6 +22172,7 @@ CVE-2023-32558 (The use of the deprecated API `process.binding()` can bypass the
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#processbinding-can-bypass-the-permission-model-through-path-traversal-highcve-2023-32558
 CVE-2023-32006 (The use of `module.constructor.createRequire()` can bypass the policy  ...)
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
+	[bullseye] - nodejs <ignored> (Only affects experimental policy manifests)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006
 	NOTE: https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a (v18.x)
@@ -22186,6 +22188,7 @@ CVE-2023-32003 (`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003
 CVE-2023-32002 (The use of `Module._load()` can bypass the policy mechanism and requir ...)
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
+	[bullseye] - nodejs <ignored> (Only affects experimental policy manifests)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002
 	NOTE: https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a (v18.x)
@@ -35819,6 +35822,7 @@ CVE-2023-30591 (Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated at
 	NOT-FOR-US: NodeBB
 CVE-2023-30590 (The generateKeys() API function returned from crypto.createDiffieHellm ...)
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
+	[bullseye] - nodejs <ignored> (Minor issue, only updates documentation to clarify an API)
 	[buster] - nodejs <postponed> (minor issue - Inconsistency Between Implementation and Documented Design)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0084a5ac631fa4c7cea61a5269eb99dedf8d54ee

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/0084a5ac631fa4c7cea61a5269eb99dedf8d54ee
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231222/ee00bd6e/attachment.htm>