[Git][security-tracker-team/security-tracker][master] Add tracking for CVE-2024-55565 and CVE-2021-23566 for node-mocha

Salvatore Bonaccorso (@carnil) carnil at debian.org
Fri Dec 27 13:06:41 GMT 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e8901bfa by Salvatore Bonaccorso at 2024-12-27T14:03:29+01:00
Add tracking for CVE-2024-55565 and CVE-2021-23566 for node-mocha

node-mocha up to 9.1.4+ds1+~cs28.2.8-1 did include an embedded copy of
nanoid, which was affected by the two updated CVEs. The code was not
fixed up to that version, so mark the version which removes the code as
the fixing one for src:mocha.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -4417,9 +4417,11 @@ CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9 mishandles non-integer values.
 	{DLA-4003-1}
 	- node-postcss 8.4.49+~cs9.2.32-1
 	[bookworm] - node-postcss <no-dsa> (Minor issue)
+	- node-mocha 9.1.4+ds1+~cs28.2.8-1
 	NOTE: node-postcss bundles nanoid
 	NOTE: https://github.com/ai/nanoid/pull/510
 	NOTE: https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c (3.3.8)
+	NOTE: node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy
 CVE-2024-55564 (The POSIX::2008 package before 0.24 for Perl has a potential _execve50 ...)
 	- libposix-2008-perl 0.24-1
 	[bookworm] - libposix-2008-perl <no-dsa> (Minor issue)
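Review bot: the fixed-version line `- node-mocha 9.1.4+ds1+~cs28.2.8-1` and the NOTE "node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy" mark that version as the first clean one, while the commit message says node-mocha "up to 9.1.4+ds1+~cs28.2.8-1" shipped the embedded copy; "up to" reads as inclusive, so either the commit message should say "before 9.1.4+ds1+~cs28.2.8-1" or the NOTE should state it plainly, e.g. "first version without the embedded nanoid copy". Unlike node-postcss, which carries a `[bookworm] - node-postcss <no-dsa> (Minor issue)` triage line in this same entry, node-mocha gets no per-suite annotation; if any stable suite ships a node-mocha version below the fixed one, add the matching suite line so that suite is not left untriaged. The wording "node-nanoid copy" also differs from the neighbouring "node-postcss bundles nanoid" NOTE; "embedded nanoid copy" would keep the two consistent.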
@@ -305754,8 +305756,10 @@ CVE-2021-23567 (The package colors after 1.4.0 are vulnerable to Denial of Servi
 CVE-2021-23566 (The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Info ...)
 	{DLA-4003-1}
 	- node-postcss 8.4.5+~cs7.1.51-1
+	- node-mocha 9.1.4+ds1+~cs28.2.8-1
 	NOTE: https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575 (3.1.31)
 	NOTE: https://github.com/ai/nanoid/pull/328
+	NOTE: node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy
 CVE-2021-23565
 	RESERVED
 CVE-2021-23564
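Review bot: the `{DLA-4003-1}` marker on this entry was recorded before node-mocha was listed here, so it should be checked whether that DLA covers node-mocha at all; if it only addressed node-postcss, node-mocha in the LTS suite still needs its own triage line (or a note that no released suite ships a version below 9.1.4+ds1+~cs28.2.8-1) rather than being implied by the version comparison alone. The added NOTE is identical to the one added under CVE-2024-55565, but the two CVEs have different upstream fixed versions (3.1.31 here, 3.3.8 there); recording which nanoid version the removed embedded copy actually was would let a reader confirm that both CVEs applied to it without re-checking the source package.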



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8901bfaf235248a4ad924c776245361db674b25


