[Git][security-tracker-team/security-tracker][master] Update status for llhttp issue, entered the archive

Salvatore Bonaccorso (@carnil) carnil at debian.org
Thu Aug 28 05:21:01 BST 2025



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
1471f185 by Salvatore Bonaccorso at 2025-08-28T06:20:34+02:00
Update status for llhttp issue, entered the archive

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -31304,8 +31304,10 @@ CVE-2025-23167 (A flaw in Node.js 20's HTTP parser allows improper termination o
 	- node-undici <unfixed> (bug #1105919)
 	[trixie] - node-undici <no-dsa> (Minor issue)
 	[bookworm] - node-undici <no-dsa> (Minor issue)
-	- llhttp <itp> (bug #977716)
+	- llhttp <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
+	NOTE: https://github.com/nodejs/llhttp/pull/239
+	NOTE: Fixed by: https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8 (v9.0.1)
 CVE-2025-23166 (The C++ method SignTraits::DeriveBits() may incorrectly call ThrowExce ...)
 	- nodejs 20.19.2+dfsg-1 (bug #1105832)
 	[bullseye] - nodejs <not-affected> (The vulnerable code was introduced later)
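Review bot: the `<not-affected>` reason on the new llhttp line ("Fixed before initial upload to Debian") is not backed by a version anywhere in this hunk: the added Fixed-by NOTE pins the fix to llhttp v9.0.1, but nothing records which upstream version was actually uploaded. Consider extending the reason to name the initial upload, for example `(Fixed before initial upload to Debian, initial upload is >= 9.0.1)` with the real uploaded version substituted, so a later reader can check the claim against the Fixed-by line without consulting the archive. Dropping the ITP bug reference #977716 is fine once the package is in the archive.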
@@ -215374,11 +215376,13 @@ CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not st
 	{DSA-5589-1 DLA-3886-1}
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
 	[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
-	- llhttp <itp> (bug #977716)
+	- llhttp <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
 	NOTE: https://hackerone.com/reports/2001873
 	NOTE: https://github.com/advisories/GHSA-cggh-pq45-6h9x
 	NOTE: Fixed by: https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152 (v16.x)
+	NOTE: https://github.com/nodejs/llhttp/pull/239
+	NOTE: Fixed by: https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8 (v9.0.1)
 CVE-2023-30588 (When an invalid public key is used to create an x509 certificate using ...)
 	{DSA-5589-1}
 	- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
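Review bot: the two llhttp NOTE lines added here (PR 239 and commit 72f53095... for v9.0.1) are identical to the ones added for CVE-2025-23167 in the previous hunk, while the existing Fixed-by for this 2023 issue points at a nodejs/node commit on the v16.x branch. Worth confirming in the PR that llhttp PR 239 is the standalone llhttp fix for this CVE as well and not only for CVE-2025-23167; if it only covers part of it, the NOTE should name the llhttp commit and version that correspond to the nodejs/node fix already cited, otherwise the "Fixed before initial upload" reason rests on the wrong reference.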
@@ -282283,7 +282287,7 @@ CVE-2022-35256 (The llhttp parser in the http module in Node v18.7.0 does not co
 	{DSA-5326-1}
 	- nodejs 18.10.0+dfsg-1
 	[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
-	- llhttp <itp> (bug #977716)
+	- llhttp <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
 	NOTE: https://hackerone.com/reports/1888760
 	NOTE: https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main)
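Review bot: this hunk, and the three that follow for CVE-2022-32215, CVE-2022-32214 and CVE-2022-32213, flip llhttp to `<not-affected> (Fixed before initial upload to Debian)` without adding an llhttp-side Fixed-by NOTE, unlike the first two hunks. The only fix references in these four entries are nodejs/node commits (`NOTE: https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44 (main)` here, and a single da0fda0f... v14.x commit shared by the three 2022-3221x entries), which do not identify the llhttp version that carries each fix. Suggest adding a `NOTE: Fixed by: <llhttp commit> (<llhttp version>)` line per entry, as done above for the 2023 and 2025 issues, so the not-affected claim can be checked against the uploaded llhttp version.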
@@ -290661,7 +290665,7 @@ CVE-2022-32215 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http
 	{DSA-5326-1}
 	- nodejs 18.6.0+dfsg-3
 	[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
-	- llhttp <itp> (bug #977716)
+	- llhttp <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215
 	NOTE: https://hackerone.com/reports/1630667
 	NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)
@@ -290671,7 +290675,7 @@ CVE-2022-32214 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http
 	{DSA-5326-1}
 	- nodejs 18.6.0+dfsg-3
 	[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
-	- llhttp <itp> (bug #977716)
+	- llhttp <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-improper-delimiting-of-header-fields-medium-cve-2022-32214
 	NOTE: https://hackerone.com/reports/1630669
 	NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)
@@ -290680,7 +290684,7 @@ CVE-2022-32213 (The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http
 	{DSA-5326-1}
 	- nodejs 18.6.0+dfsg-3
 	[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
-	- llhttp <itp> (bug #977716)
+	- llhttp <not-affected> (Fixed before initial upload to Debian)
 	NOTE: https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213
 	NOTE: https://hackerone.com/reports/1630668
 	NOTE: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd (v14.x)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1471f18552e965818f2f6ce0c4e93b6316428423


