[Git][security-tracker-team/security-tracker][master] Reserve DLA-3291-1 for node-object-path

Sun Jan 29 16:06:39 GMT 2023


Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
86672ee3 by Guilhem Moulin at 2023-01-29T17:05:53+01:00
Reserve DLA-3291-1 for node-object-path

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -104131,7 +104131,6 @@ CVE-2021-3806 (A path traversal vulnerability on Pardus Software Center's "extra
 CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification of Obj ...)
 	- node-object-path 0.11.8-1
 	[bullseye] - node-object-path 0.11.5-3+deb11u1
-	[buster] - node-object-path <no-dsa> (Minor issue)
 	[stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
 	NOTE: https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884 (v0.11.8)
@@ -149287,7 +149286,6 @@ CVE-2021-23435 (This affects the package clearance before 2.5.0. The vulnerabili
 CVE-2021-23434 (This affects the package object-path before 0.11.6. A type confusion v ...)
 	- node-object-path 0.11.7-1
 	[bullseye] - node-object-path 0.11.5-3+deb11u1
-	[buster] - node-object-path <no-dsa> (Minor issue)
 	[stretch] - node-object-path <end-of-life> (Nodejs in stretch not covered by security support)
 	NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
 	NOTE: https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Jan 2023] DLA-3291-1 node-object-path - security update
+	{CVE-2021-3805 CVE-2021-23434}
+	[buster] - node-object-path 0.11.4-2+deb10u2
 [29 Jan 2023] DLA-3290-1 libzen - security update
 	{CVE-2020-36646}
 	[buster] - libzen 0.4.37-1+deb10u1


=====================================
data/dla-needed.txt
=====================================
@@ -177,11 +177,6 @@ node-nth-check
   NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster released (lamby).
 --
-node-object-path (guilhem)
-  NOTE: 20221111: Programming language: JavaScript.
-  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
-  NOTE: 20221223: Functional part of CVE-2021-3805 might be https://gist.github.com/lamby/ebf0633837f16d174138bbf36bef38f3/raw (lamby)
---
 node-qs
   NOTE: 20230105: Programming language: JavaScript.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86672ee355229f340c3fa92a00d7ba7903893d1d

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86672ee355229f340c3fa92a00d7ba7903893d1d
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230129/ed8baff6/attachment.htm>
