[Git][security-tracker-team/security-tracker][master] 2 commits: Take nodejs
Bastien Roucariès (@rouca)
rouca at debian.org
Sun Feb 23 22:57:41 GMT 2025
Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits:
5b5ecaec by Bastien Roucariès at 2025-02-23T22:10:13+00:00
Take nodejs
- - - - -
6456b63c by Bastien Roucariès at 2025-02-23T22:56:59+00:00
CVE-2025-23083/bullseye
Vulnerable code is not present
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -8443,8 +8443,11 @@ CVE-2025-23084 (A vulnerability has been identified in Node.js, specifically aff
NOTE: Fixed by: https://github.com/nodejs/node/commit/0afc6f960017708df3870ff1d61249443873637b (v23.6.1)
CVE-2025-23083 (With the aid of the diagnostics_channel utility, an event can be hooke ...)
- nodejs 20.18.2+dfsg-1 (bug #1094134)
+ [bullseye] - nodejs <not-affected> (vulnerable code introduced later)
NOTE: https://nodejs.org/en/blog/vulnerability/january-2025-security-releases#worker-permission-bypass-via-internalworker-leak-in-diagnostics-cve-2025-23083---high
NOTE: Fixed by: https://github.com/nodejs/node/commit/51938f023aac90dc1dc0bc1f743501788613210e (v23.6.1)
+ NOTE: Introduced by: https://github.com/nodejs/node/pull/44710
+ NOTE: This feature was backported to 20.x but not for older version
CVE-2025-23195 (An XML External Entity (XXE) vulnerability exists in the Ambari/Oozie ...)
NOT-FOR-US: Apache Ambari
CVE-2025-23196 (A code injection vulnerability exists in the Ambari Alert Definition ...)
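Review bot: The two added NOTE lines under CVE-2025-23083 do not give enough detail to check the `<not-affected>` claim for bullseye from the entry alone. "Introduced by:" links a pull request with no version, while the neighbouring "Fixed by:" lines cite a commit and a release in parentheses such as "(v23.6.1)"; citing the introducing commit and the first release that shipped it in the same form would keep the entry consistent. The last note ("This feature was backported to 20.x but not for older version") should name the feature and read "older versions", and it would help to state which upstream branch bullseye carries so the reasoning is complete.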
=====================================
data/dla-needed.txt
=====================================
@@ -177,7 +177,7 @@ nagvis
nginx (andrewsh)
NOTE: 20250207: Added by Front-Desk (apo)
--
-nodejs
+nodejs (rouca)
NOTE: 20250122: Added by Front-Desk (lamby)
NOTE: 20250217: Upcoming DSA, coordinate with security team (Beuc/front-desk)
--
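Review bot: The claim "nodejs (rouca)" leaves the existing 20250217 note ("Upcoming DSA, coordinate with security team") without any record of whether that coordination has happened. A dated NOTE under the entry would make the status clear. It could also say which issues are still open for the DLA now that the same push marks CVE-2025-23083 as not affecting bullseye.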
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/fd95e92eac91baeac6aba3d8282c0e06e00ee1f4...6456b63ce9bf39988451b23773a7328605bba300