[Git][security-tracker-team/security-tracker][master] Reserve DLA-3336-1 for node-url-parse
Guilhem Moulin (@guilhem)
guilhem at debian.org
Thu Feb 23 00:34:18 GMT 2023
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
ec09bb29 by Guilhem Moulin at 2023-02-23T01:33:53+01:00
Reserve DLA-3336-1 for node-url-parse
- - - - -
3 changed files:
- data/CVE/list
- data/DLA/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -80117,7 +80117,6 @@ CVE-2022-0692 (Open Redirect on Rudloff/alltube in Packagist rudloff/alltube pri
CVE-2022-0691 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
[bullseye] - node-url-parse 1.5.3-1+deb11u1
- [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/57124ed5-4b68-4934-8325-2c546257f2e4
NOTE: https://github.com/unshiftio/url-parse/commit/0e3fb542d60ddbf6933f22eb9b1e06e25eaa5b63 (1.5.9)
@@ -80137,7 +80136,6 @@ CVE-2022-0687 (The Amelia WordPress plugin before 1.0.47 stores image blobs into
CVE-2022-0686 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.9+~1.4.8-1
[bullseye] - node-url-parse 1.5.3-1+deb11u1
- [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/55fd06cd-9054-4d80-83be-eb5a454be78c
NOTE: https://github.com/unshiftio/url-parse/commit/d5c64791ef496ca5459ae7f2176a31ea53b127e5 (1.5.8)
@@ -80603,7 +80601,6 @@ CVE-2022-0640 (The Pricing Table Builder WordPress plugin before 1.1.5 does not
CVE-2022-0639 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.7-1
[bullseye] - node-url-parse <no-dsa> (Minor issue)
- [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/83a6bc9a-b542-4a38-82cd-d995a1481155
NOTE: https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788 (1.5.7)
@@ -83204,7 +83201,6 @@ CVE-2022-0513 (The WP Statistics WordPress plugin is vulnerable to SQL Injection
CVE-2022-0512 (Authorization Bypass Through User-Controlled Key in NPM url-parse prio ...)
- node-url-parse 1.5.7-1
[bullseye] - node-url-parse <no-dsa> (Minor issue)
- [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b
NOTE: https://github.com/unshiftio/url-parse/commit/9be7ee88afd2bb04e4d5a1a8da9a389ac13f8c40 (1.5.6)
@@ -119370,7 +119366,6 @@ CVE-2021-3665
RESERVED
CVE-2021-3664 (url-parse is vulnerable to URL Redirection to Untrusted Site ...)
- node-url-parse 1.5.3-1 (bug #991577)
- [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://huntr.dev/bounties/1625557993985-unshiftio/url-parse/
NOTE: https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0
@@ -144550,7 +144545,6 @@ CVE-2021-27516 (URI.js (aka urijs) before 1.19.6 mishandles certain uses of back
NOTE: https://github.com/medialize/URI.js/releases/tag/v1.19.6
CVE-2021-27515 (url-parse before 1.5.0 mishandles certain uses of backslash such as ht ...)
- node-url-parse 1.5.1-1 (bug #985110)
- [buster] - node-url-parse <no-dsa> (Minor issue)
[stretch] - node-url-parse <end-of-life> (Nodejs in stretch not covered by security support)
NOTE: https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0 (1.5.0)
NOTE: https://github.com/unshiftio/url-parse/pull/197
=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[23 Feb 2023] DLA-3336-1 node-url-parse - security update
+ {CVE-2021-3664 CVE-2021-27515 CVE-2022-0512 CVE-2022-0639 CVE-2022-0686 CVE-2022-0691}
+ [buster] - node-url-parse 1.2.0-2+deb10u2
[22 Feb 2023] DLA-3335-1 asterisk - security update
{CVE-2022-23537 CVE-2022-23547 CVE-2022-31031 CVE-2022-37325 CVE-2022-39244 CVE-2022-39269 CVE-2022-42705 CVE-2022-42706}
[buster] - asterisk 1:16.28.0~dfsg-0+deb10u2
=====================================
data/dla-needed.txt
=====================================
@@ -183,11 +183,6 @@ node-nth-check
NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby).
NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-nth-check.git
--
-node-url-parse (guilhem)
- NOTE: 20221111: Programming language: JavaScript.
- NOTE: 20221111: Follow fixes from bullseye 11.4 + check postponed issues (Beuc/front-desk)
- NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-url-parse.git
---
nodejs
NOTE: 20221105: Programming language: Javascript, C/C++, Python
NOTE: 20221105: VCS: https://salsa.debian.org/lts-team/packages/nodejs.git
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec09bb2997e72949530d115c876c218051a19622
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ec09bb2997e72949530d115c876c218051a19622
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230223/d02cb2ce/attachment-0001.htm>
More information about the debian-security-tracker-commits
mailing list