[Git][security-tracker-team/security-tracker][master] Reserve DLA-3886-1 for nodejs

Sat Sep 14 20:00:31 BST 2024


Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
28693269 by Bastien Roucariès at 2024-09-14T19:00:15+00:00
Reserve DLA-3886-1 for nodejs

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -94277,7 +94277,6 @@ CVE-2023-33241 (Crypto wallets implementing the GG18 or GG20 TSS protocol might
 CVE-2023-32559 (A privilege escalation vulnerability exists in the experimental policy ...)
 	{DSA-5589-1}
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1050739)
-	[bullseye] - nodejs <ignored> (Only affects experimental policy manifests)
 	[buster] - nodejs <not-affected> (v10.x doesn't support policy manifests)
 	NOTE: https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559
 	NOTE: https://github.com/nodejs/node/commit/d4570fae358693b8f7fec05294b9bb92a966226d (v18.x)
@@ -108003,13 +108002,11 @@ CVE-2023-30591 (Denial-of-service in NodeBB <= v2.8.10 allows unauthenticated at
 CVE-2023-30590 (The generateKeys() API function returned from crypto.createDiffieHellm ...)
 	{DSA-5589-1 DLA-3776-1}
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
-	[bullseye] - nodejs <ignored> (Minor issue, only updates documentation to clarify an API)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x)
 CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...)
 	{DSA-5589-1}
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
-	[bullseye] - nodejs <no-dsa> (Minor issue, too intrusive to backport)
 	[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
 	- llhttp <itp> (bug #977716)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[14 Sep 2024] DLA-3886-1 nodejs - security update
+	{CVE-2023-30589 CVE-2023-30590 CVE-2023-32559 CVE-2023-46809 CVE-2024-22019 CVE-2024-22025 CVE-2024-27982 CVE-2024-27983}
+	[bullseye] - nodejs 12.22.12~dfsg-1~deb11u5
 [10 Sep 2024] DLA-3885-1 redis - security update
 	{CVE-2022-24834 CVE-2022-36021 CVE-2023-25155 CVE-2023-28856 CVE-2023-45145}
 	[bullseye] - redis 5:6.0.16-1+deb11u3


=====================================
data/dla-needed.txt
=====================================
@@ -105,13 +105,6 @@ netatalk
   NOTE: 20240815: pu in progress but looking stuck https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1060774
   NOTE: 20240815: coordinate bullseye DLA with uploader (Beuc/front-desk)
 --
-nodejs (rouca)
-  NOTE: 20240215: Added by oldstable Security Team (jmm)
-  NOTE: 20240521: claim nodejs in dsa-needed.txt (aron)
-  NOTE: 20240815: A bookworm DSA is planned
-  NOTE: 20240815: coordinate bullseye DLA with aron (Beuc/front-desk)
-  NOTE: 20240913: wait for kapouer review (rouca)
---
 nss (arturo)
   NOTE: 20240825: Added by Front-Desk (ta)
 --



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/286932696f99b5ec3fc033158925d5b31ce25e54

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/286932696f99b5ec3fc033158925d5b31ce25e54
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240914/d14f7452/attachment-0001.htm>
