[Pkg-javascript-devel] Bug#773623: nodejs: CVE-2014-7192
Michael Gilbert
mgilbert at debian.org
Sun Dec 21 03:07:24 UTC 2014
package: src:nodejs
severity: important
tags: security
Hi,
the following vulnerability was published for nodejs.
CVE-2014-7192[0],[1]:
| Eval injection vulnerability in index.js in the syntax-error package
| before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
| Developer and other products, allows remote attackers to execute
| arbitrary code via a crafted file.
The advisories seem to indicate that this is fixed in the development
version 0.11, but I haven't checked that.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-7192
[1] https://nodesecurity.io/advisories/syntax-error-potential-script-injection
Please adjust the affected versions in the BTS as needed.
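
Added example, not part of the original message or of any Debian or Node.js tooling: a check for copies of the syntax-error package older than 1.1.1, the fixed release named in the CVE text, in a dependency tree shaped like the output of `npm ls --json`. The function names and the sample tree are assumptions constructed for illustration.

```javascript
// Fixed release of syntax-error according to the CVE description.
const FIXED = [1, 1, 1];

// Accept only a plain "major.minor.patch" string. Anything else
// (missing, prerelease, build suffix) returns null so it is reported
// for manual review instead of being silently treated as safe.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(v || ""));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the nested "dependencies" objects and return one finding per
// copy of `name` that is older than `fixed` or has an unparseable version.
function findAffected(tree, name = "syntax-error", fixed = FIXED) {
  const findings = [];
  (function walk(node, path) {
    const deps = (node && node.dependencies) || {};
    for (const [dep, info] of Object.entries(deps)) {
      const here = path.concat(dep);
      if (dep === name) {
        const version = (info && info.version) || null;
        const parsed = parseVersion(version);
        const status = parsed === null ? "unknown"
          : isOlder(parsed, fixed) ? "affected" : "ok";
        if (status !== "ok") findings.push({ path: here.join(" > "), version, status });
      }
      walk(info, here);
    }
  })(tree, [tree.name || "(root)"]);
  return findings;
}

// Constructed sample input (hypothetical package names and versions).
const sampleTree = {
  name: "demo-app",
  dependencies: {
    "pkg-a": { version: "2.0.0", dependencies: { "syntax-error": { version: "1.1.0" } } },
    "pkg-b": { version: "3.1.4", dependencies: { "syntax-error": { version: "1.1.1" } } },
    "syntax-error": { version: "0.1.0" },
    "pkg-c": { version: "0.9.0", dependencies: { "syntax-error": { version: "1.1.1-rc.1" } } },
  },
};

for (const f of findAffected(sampleTree)) console.log(f.status, f.version, f.path);
```
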