[Git][security-tracker-team/security-tracker][master] Add note for CVE-2023-29827 on fix
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Apr 28 19:51:04 BST 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
c22898dd by Salvatore Bonaccorso at 2024-04-28T20:49:02+02:00
Add note for CVE-2023-29827 on fix
Actually upstream said that the issue is disputed and the issue is not
directly fixed. Later v3.1.10 still added the referenced commit.
Might be disputed for us as well and revert the fixed version tracking,
which does not matter much as we consider the issue unimportant, with a
clear enough note.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -69416,6 +69416,8 @@ CVE-2023-29827 (ejs v3.1.9 is vulnerable to server-side template injection. If t
NOTE: https://github.com/mde/ejs/issues/720
NOTE: Not considered a security issue by upstream, requires to never give unfiltered
NOTE: input to the EJS's render function.
+ NOTE: v3.1.10 implements a basic pollution protection, tracking this as fix:
+ NOTE: https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5 (v3.1.10)
CVE-2023-29826
RESERVED
CVE-2023-29825
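Review bot: the added `+ NOTE: v3.1.10 implements a basic pollution protection, tracking this as fix:` line records the referenced commit as a fix but drops the caveat stated in the commit message, that upstream disputes the issue and the commit does not directly fix it; since the preceding NOTE lines already say upstream does not consider this a security issue, consider wording the new note as a mitigation rather than a fix, for example `NOTE: v3.1.10 adds a basic pollution protection (upstream disputes the issue; not a direct fix), tracking this as fixed:`, so a tracker reader understands why the fixed-version entry may be reverted as the commit message anticipates.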
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c22898dd789f4d39c11a004fcdc0547e1b78589f