[Git][security-tracker-team/security-tracker][master] Add initial tracking for CVEs in nodejs

[Salvatore Bonaccorso (@carnil)]

Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
a2bf113d by Salvatore Bonaccorso at 2023-06-21T12:04:58+02:00
Add initial tracking for CVEs in nodejs

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -6727,24 +6727,45 @@ CVE-2023-30591
 	RESERVED
 CVE-2023-30590
 	RESERVED
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
 CVE-2023-30589
 	RESERVED
+	- nodejs <unfixed>
+	- llhttp <itp> (bug #977716)
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
 CVE-2023-30588
 	RESERVED
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#process-interuption-due-to-invalid-public-key-information-in-x509-certificates-medium-cve-2023-30588
 CVE-2023-30587
 	RESERVED
+	- nodejs <not-affected> (Vulnerable code introduced in 20.x)
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#inspector-protocol-bypass-the-experimental-permission-model-high-cve-2023-30587
 CVE-2023-30586
 	RESERVED
+	- nodejs <not-affected> (Vulnerable code introduced in 20.x)
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#openssl-engines-can-be-used-to-bypass-the-permission-model-medium-cve-2023-30586
 CVE-2023-30585
 	RESERVED
+	- nodejs <not-affected> (Only affects installation process on Windows)
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#privilege-escalation-via-malicious-registry-key-manipulation-during-nodejs-installer-repair-process-medium-cve-2023-30585
 CVE-2023-30584
 	RESERVED
+	- nodejs <not-affected> (Vulnerable code introduced in 20.x)
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#path-traversal-bypass-in-experimental-permission-model-high-cve-2023-30584
 CVE-2023-30583
 	RESERVED
+	- nodejs <not-affected> (Vulnerable code introduced in 20.x)
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#fsopenasblob-bypass-in-experimental-permission-model-medium-cve-2023-30583
 CVE-2023-30582
 	RESERVED
+	- nodejs <not-affected> (Vulnerable code introduced in 20.x)
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#fswatchfile-bypass-in-experimental-permission-model-medium-cve-2023-30582
 CVE-2023-30581
 	RESERVED
+	- nodejs <unfixed>
+	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#mainmoduleproto-bypass-experimental-policy-mechanism-high-cve-2023-30581
 CVE-2023-30580
 	RESERVED
 CVE-2023-30579



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2bf113dd20ee52078cbcecce6f237e308240dcb

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a2bf113dd20ee52078cbcecce6f237e308240dcb
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230621/94d0424c/attachment.htm>