[Pkg-javascript-devel] Bug#850322: npm: CVE-2016-3956

Pirate Praveen praveen at onenetbeyond.org
Sat Sep 15 13:49:29 BST 2018


Control: fixed -1 5.8.0+ds-1

On Thu, 05 Jan 2017 22:16:38 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:

> the following vulnerability was published for npm.
>
> CVE-2016-3956[0]:
> | The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js
> | 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before
> | 5.10.0, includes bearer tokens with arbitrary requests, which allows
> | remote HTTP servers to obtain sensitive information by reading
> | Authorization headers.
>
> No fix has been made for 1.x versions.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This bug was not noticed while uploading 5.8, so the security tracker will
need a manual update.
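As an added illustration of the bug class named in the CVE text above (this is not part of the original message and not npm's own code): a client that attaches its bearer token to every outgoing request leaks it to whichever host a package's `dist.tarball` URL points at, because the tarball host is chosen by whoever serves the package metadata. The registry URL, token, package name and tarball hosts below are all constructed; the hardened variant simply refuses to send the token to any origin other than the configured registry.

```javascript
// Added example (not npm's own code): a toy model of the token-leak class
// described for CVE-2016-3956. Registry URL, token, package name and tarball
// hosts below are all constructed for illustration.

const REGISTRY = 'https://registry.example.test/';      // assumed configured registry
const TOKEN = 'cafe0000-1111-2222-3333-444455556666';     // constructed bearer token

// Vulnerable behaviour: the client attaches its bearer token to every request,
// regardless of which host the URL points at.
function headersLeaky(requestUrl, registryUrl, token) {
  return { Authorization: `Bearer ${token}` };
}

// Hardened behaviour: the token is sent only when the request targets exactly
// the configured registry origin (scheme + host + port). A tarball, mirror or
// plain-http downgrade on any other origin gets no Authorization header.
function headersScoped(requestUrl, registryUrl, token) {
  const req = new URL(requestUrl);
  const reg = new URL(registryUrl);
  if (req.origin !== reg.origin) return {};
  return { Authorization: `Bearer ${token}` };
}

// Constructed packument: the metadata document itself is served by the
// registry, but one version's dist.tarball points at a third-party host.
// A malicious or compromised registry/mirror can return exactly this.
const PACKUMENT = {
  name: 'left-pad-ish',
  'dist-tags': { latest: '1.0.0' },
  versions: {
    '1.0.0': {
      dist: { tarball: 'https://cdn.attacker.test/left-pad-ish-1.0.0.tgz' },
    },
    '0.9.0': {
      dist: { tarball: 'https://registry.example.test/left-pad-ish/-/left-pad-ish-0.9.0.tgz' },
    },
  },
};

// Simulate an install: fetch the packument from the registry, then each
// tarball from wherever dist.tarball says. Return the sorted list of hosts
// that would have received the bearer token under the given header policy.
function hostsReceivingToken(packument, registryUrl, token, headerPolicy) {
  const requests = [
    new URL(packument.name, registryUrl).href,
    ...Object.values(packument.versions).map((v) => v.dist.tarball),
  ];
  const leakedTo = new Set();
  for (const url of requests) {
    const headers = headerPolicy(url, registryUrl, token);
    if (headers.Authorization) leakedTo.add(new URL(url).host);
  }
  return [...leakedTo].sort();
}

console.log('leaky  ->', hostsReceivingToken(PACKUMENT, REGISTRY, TOKEN, headersLeaky));
console.log('scoped ->', hostsReceivingToken(PACKUMENT, REGISTRY, TOKEN, headersScoped));
```

Comparing `URL.origin` rather than just the hostname matters: an `http://` URL on the registry's own host is a different origin and gets nothing, so the token is never written onto a plaintext connection either.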
