[Git][security-tracker-team/security-tracker][master] Track fixed version for nodejs issues fixed with unstable upload

Salvatore Bonaccorso (@carnil) carnil at debian.org
Wed Nov 22 19:53:28 GMT 2023 


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
b814656b by Salvatore Bonaccorso at 2023-11-22T20:52:52+01:00
Track fixed version for nodejs issues fixed with unstable upload

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5083,7 +5083,7 @@ CVE-2023-5625 (A regression was introduced in the Red Hat build of python-eventl
 	- python-eventlet <not-affected> (Red Hat-specific regression)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=2244717
 CVE-2023-39333
-	- nodejs <unfixed> (bug #1054892)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1054892)
 	[bullseye] - nodejs <not-affected> (Only affects 18.x and later)
 	[buster] - nodejs <not-affected> (Only affects 18.x and later)
 	NOTE: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#code-injection-via-webassembly-export-names-low---cve-2023-39333
@@ -5896,7 +5896,7 @@ CVE-2023-39277 (SonicOS post-authentication stack-based buffer overflow vulnerab
 CVE-2023-39276 (SonicOS post-authentication stack-based buffer overflow vulnerability  ...)
 	NOT-FOR-US: SonicOS
 CVE-2023-38552 (When the Node.js policy feature checks the integrity of a resource aga ...)
-	- nodejs <unfixed> (bug #1054892)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1054892)
 	[bullseye] - nodejs <not-affected> (Only affects 18.x and later)
 	[buster] - nodejs <not-affected> (Only affects 18.x and later)
 	NOTE: https://nodejs.org/en/blog/vulnerability/october-2023-security-releases#integrity-checks-according-to-policies-can-be-circumvented-medium---cve-2023-38552
@@ -16127,7 +16127,7 @@ CVE-2023-33242 (Crypto wallets implementing the Lindell17 TSS protocol might all
 CVE-2023-33241 (Crypto wallets implementing the GG18 or GG20 TSS protocol might allow  ...)
 	NOT-FOR-US: Crypto wallets implementing the GG18 or GG20 TSS protocol
 CVE-2023-32559 (A privilege escalation vulnerability exists in the experimental policy ...)
-	- nodejs <unfixed> (bug #1050739)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559
 	NOTE: https://github.com/nodejs/node/commit/d4570fae358693b8f7fec05294b9bb92a966226d (v18.x)
@@ -16136,7 +16136,7 @@ CVE-2023-32558 (The use of the deprecated API `process.binding()` can bypass the
 	- nodejs <not-affected> (Only affects 20.x and later)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#processbinding-can-bypass-the-permission-model-through-path-traversal-highcve-2023-32558
 CVE-2023-32006 (The use of `module.constructor.createRequire()` can bypass the policy  ...)
-	- nodejs <unfixed> (bug #1050739)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006
 	NOTE: https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a (v18.x)
@@ -16151,7 +16151,7 @@ CVE-2023-32003 (`fs.mkdtemp()` and `fs.mkdtempSync()` can be used to bypass the
 	- nodejs <not-affected> (Only affects 20.x and later)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003
 CVE-2023-32002 (The use of `Module._load()` can bypass the policy mechanism and requir ...)
-	- nodejs <unfixed> (bug #1050739)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002
 	NOTE: https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a (v18.x)
@@ -29777,12 +29777,12 @@ CVE-2023-30591 (Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated at
 	NOT-FOR-US: NodeBB
 CVE-2023-30590
 	RESERVED
-	- nodejs <unfixed> (bug #1039990)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <postponed> (minor issue - Inconsistency Between Implementation and Documented Design)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x)
 CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...)
-	- nodejs <unfixed> (bug #1039990)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
 	- llhttp <itp> (bug #977716)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
@@ -29791,7 +29791,7 @@ CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not st
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x)
 CVE-2023-30588
 	RESERVED
-	- nodejs <unfixed> (bug #1039990)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <not-affected> (X509Certificate API introduced later)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#process-interuption-due-to-invalid-public-key-information-in-x509-certificates-medium-cve-2023-30588
 	NOTE: https://hackerone.com/reports/1884159
@@ -29821,7 +29821,7 @@ CVE-2023-30582
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#fswatchfile-bypass-in-experimental-permission-model-medium-cve-2023-30582
 CVE-2023-30581
 	RESERVED
-	- nodejs <unfixed> (bug #1039990)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#mainmoduleproto-bypass-experimental-policy-mechanism-high-cve-2023-30581
 	NOTE: https://hackerone.com/reports/1877919
@@ -50226,12 +50226,12 @@ CVE-2023-0407
 	RESERVED
 CVE-2023-23920 (An untrusted search path vulnerability exists in Node.js. <19.6.1, <18 ...)
 	{DSA-5395-1 DLA-3344-1}
-	- nodejs <unfixed> (bug #1031834)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1031834)
 	[bookworm] - nodejs <postponed> (Can be fixed along with next update)
 	NOTE: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/#node-js-insecure-loading-of-icu-data-through-icu_data-environment-variable-low-cve-2023-23920
 	NOTE: https://github.com/nodejs/node/commit/f369c0a739b9f0182ededa834a2a44e6fec322d1
 CVE-2023-23919 (A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16 ...)
-	- nodejs <unfixed> (bug #1031834)
+	- nodejs 18.13.0+dfsg1-1.1 (bug #1031834)
 	[bookworm] - nodejs <postponed> (Can be fixed along with next update)
 	[bullseye] - nodejs <not-affected> (X509Certificate API introduced in v15.6.0)
 	[buster] - nodejs <not-affected> (X509Certificate API introduced in v15.6.0)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b814656bd38386be853df7d8a62dc841c64b1e50

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b814656bd38386be853df7d8a62dc841c64b1e50
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20231122/76f87808/attachment.htm>

More information about the debian-security-tracker-commits mailing list