[Git][security-tracker-team/security-tracker][master] Add tracking for CVE-2024-55565 and CVE-2021-23566 for node-mocha
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Fri Dec 27 13:06:41 GMT 2024
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e8901bfa by Salvatore Bonaccorso at 2024-12-27T14:03:29+01:00
Add tracking for CVE-2024-55565 and CVE-2021-23566 for node-mocha
node-mocha up to 9.1.4+ds1+~cs28.2.8-1 did include an embedded copy of
nanoid, which was affected by the two updated CVEs. The code was not
fixed up to that version, so mark the version which removes the code as
the fixing one for src:mocha.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4417,9 +4417,11 @@ CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values.
{DLA-4003-1}
- node-postcss 8.4.49+~cs9.2.32-1
[bookworm] - node-postcss <no-dsa> (Minor issue)
+ - node-mocha 9.1.4+ds1+~cs28.2.8-1
NOTE: node-postcss bundles nanoid
NOTE: https://github.com/ai/nanoid/pull/510
NOTE: https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c (3.3.8)
+ NOTE: node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy
CVE-2024-55564 (The POSIX::2008 package before 0.24 for Perl has a potential _execve50 ...)
- libposix-2008-perl 0.24-1
[bookworm] - libposix-2008-perl <no-dsa> (Minor issue)
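Review bot: the new `- node-mocha 9.1.4+ds1+~cs28.2.8-1` line has no per-suite annotation, whereas the neighbouring node-postcss entry carries `[bookworm] - node-postcss <no-dsa> (Minor issue)`; if a stable suite ships a node-mocha older than 9.1.4+ds1+~cs28.2.8-1 that still contains the embedded nanoid copy, the tracker will show the issue as open there until a matching `[bookworm]` line (no-dsa or not-affected, whichever applies) is added. The added `NOTE: node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy` is the right way to justify using a removal version as the fixed version; consider also extending `NOTE: node-postcss bundles nanoid` to say that node-mocha bundled it as well, so the NOTE lines and the package lines agree.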
@@ -305754,8 +305756,10 @@ CVE-2021-23567 (The package colors after 1.4.0 are vulnerable to Denial of Servi
CVE-2021-23566 (The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Info ...)
{DLA-4003-1}
- node-postcss 8.4.5+~cs7.1.51-1
+ - node-mocha 9.1.4+ds1+~cs28.2.8-1
NOTE: https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575 (3.1.31)
NOTE: https://github.com/ai/nanoid/pull/328
+ NOTE: node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy
CVE-2021-23565
RESERVED
CVE-2021-23564
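Review bot: CVE-2021-23566 is scoped to nanoid from 3.0.0 and before 3.1.31, and nothing in this entry records which nanoid version node-mocha embedded, so a reader cannot confirm from the tracker alone that the bundled copy was in the affected range; suggest a NOTE stating the embedded version (or pointing at the upstream commit that dropped it), since the commit message asserts the code was unfixed. As in the first hunk, the `+ - node-mocha 9.1.4+ds1+~cs28.2.8-1` line also lacks a per-suite annotation next to the node-postcss one.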
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8901bfaf235248a4ad924c776245361db674b25