[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2024-22019/nodejs for buster.

Tue Mar 26 22:58:42 GMT 2024


Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker


Commits:
62b82fc8 by Guilhem Moulin at 2024-03-26T23:57:10+01:00
Triage CVE-2024-22019/nodejs for buster.

nodejs v10.x uses http_parser and ignores chunk extensions.

- - - - -
57c98716 by Guilhem Moulin at 2024-03-26T23:57:43+01:00
Reserve DLA-3776-1 for nodejs

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -10094,6 +10094,7 @@ CVE-2024-21896 (The permission model protects itself against path traversal atta
 	NOTE: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#path-traversal-by-monkey-patching-buffer-internals-cve-2024-21896---high
 CVE-2024-22019 (A vulnerability in Node.js HTTP servers allows an attacker to send a s ...)
 	- nodejs 18.19.1+dfsg-1 (bug #1064055)
+	[buster] - nodejs <not-affected> (Vulnerable code not present)
 	NOTE: https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high
 	NOTE: https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171 (v18.x)
 	NOTE: https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171 (main)
@@ -56734,7 +56735,6 @@ CVE-2023-30590 (The generateKeys() API function returned from crypto.createDiffi
 	{DSA-5589-1}
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[bullseye] - nodejs <ignored> (Minor issue, only updates documentation to clarify an API)
-	[buster] - nodejs <postponed> (minor issue - Inconsistency Between Implementation and Documented Design)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x)
 CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[26 Mar 2024] DLA-3776-1 nodejs - security update
+	{CVE-2023-30590 CVE-2023-46809 CVE-2024-22025}
+	[buster] - nodejs 10.24.0~dfsg-1~deb10u4
 [25 Mar 2024] DLA-3775-1 firefox-esr - security update
 	{CVE-2023-5388 CVE-2024-0743 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616 CVE-2024-29944}
 	[buster] - firefox-esr 115.9.1esr-1~deb10u1


=====================================
data/dla-needed.txt
=====================================
@@ -167,10 +167,6 @@ linux-5.10
 lucene-solr
   NOTE: 20240213: Added by Front-Desk (lamby)
 --
-nodejs (guilhem)
-  NOTE: 20240218: Added by Front-Desk (lamby)
-  NOTE: 20240325: Final tests before upload (guilhem)
---
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b1be3cf13b96129f666230b211fbca4b0fe908ed...57c987168cb504199f0b148f9adf8919211d5fbb

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b1be3cf13b96129f666230b211fbca4b0fe908ed...57c987168cb504199f0b148f9adf8919211d5fbb
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240326/4cf4852f/attachment-0001.htm>
