[Git][security-tracker-team/security-tracker][master] Update status for CVE-2024-45801

Salvatore Bonaccorso (@carnil) carnil at debian.org
Mon Sep 23 20:42:22 BST 2024



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
413d8a2b by Salvatore Bonaccorso at 2024-09-23T21:39:35+02:00
Update status for CVE-2024-45801

The assigned CVE is specifically for the "can bypass the depth checking
added to DOMPurify in recent releases".

One might argue that before that check was added there is another denial of
service issue, but that likely should get its own CVE.

The depth checking was in no Debian released version, up to the one that
actually includes the fix as well.

Thus update the tracking to mark CVE-2024-45801 as not-affected per se
of CVE-2024-45801.

Note: cacti embeds node-dompurify as well in some releases, and for
Debian switched to the system provided package. The versions in upstream
released versions seem to be as well prior to the introduction of the
feature.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1373,10 +1373,13 @@ CVE-2024-46419 (TOTOLINK AC1200 T8 v4.1.5cu.861_B20230220 has a buffer overflow
 CVE-2024-45835 (Mattermost Desktop App versions <=5.8.0 fail to sufficiently configure ...)
 	- mattermost-desktop <itp> (bug #831861)
 CVE-2024-45801 (DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for H ...)
-	- node-dompurify 3.1.6+dfsg+~3.0.5-1
+	- node-dompurify <not-affected> (Vulnerable code not present in a Debian released version)
 	NOTE: https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
+	NOTE: Depth cecking added in (with followups): https://github.com/cure53/DOMPurify/commit/c5369f2995819e1c338d9ffe136f2da25f12a81e (3.1.1)
 	NOTE: Fixed by: https://github.com/cure53/DOMPurify/commit/1e520262bf4c66b5efda49e2316d6d1246ca7b21 (3.1.3)
+	NOTE: Depth cecking added in: https://github.com/cure53/DOMPurify/commit/0ef5e537a514f904b6aa1d7ad9e749e365d7185f (2.5.1)
 	NOTE: Fixed by: https://github.com/cure53/DOMPurify/commit/26e1d69ca7f769f5c558619d644d90dd8bf26ebc (2.5.3)
+	NOTE: CVE assigned for the bypass of the depth checking added to DOMPurify.
 CVE-2024-45800 (Snappymail is an open source web-based email client. SnappyMail uses t ...)
 	- snappymail <itp> (bug #1017641)
 CVE-2024-45799 (FluxCP is a web-based Control Panel for rAthena servers written in PHP ...)
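Review bot: the two added NOTE lines misspell "checking" as "cecking" ("NOTE: Depth cecking added in (with followups): ..." and "NOTE: Depth cecking added in: ..."); suggest "NOTE: Depth checking added in". Otherwise the change from a fixed version to "<not-affected> (Vulnerable code not present in a Debian released version)" matches the commit message, which states the depth check never shipped in a Debian release without the fix, and the added commit references for 3.1.1 and 2.5.1 document where that check was introduced.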



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/413d8a2b27dfa424df76cdd8ccd5067c5a2a3483
