[Pkg-javascript-devel] Bug#850322: npm: CVE-2016-3956

Salvatore Bonaccorso carnil at debian.org
Sat Sep 15 14:22:37 BST 2018


Hi!

On Sat, Sep 15, 2018 at 06:19:29PM +0530, Pirate Praveen wrote:
> Control: fixed -1 5.8.0+ds-1
> 
> On Thu, 05 Jan 2017 22:16:38 +0100 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> 
> > the following vulnerability was published for npm.
> >
> > CVE-2016-3956[0]:
> > | The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js
> > | 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before
> > | 5.10.0, includes bearer tokens with arbitrary requests, which allows
> > | remote HTTP servers to obtain sensitive information by reading
> > | Authorization headers.
> >
> > No fix has been made for 1.x versions.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> This bug was not noticed while uploading 5.8, so the security tracker will
> need a manual update.

Thanks, I have updated the security-tracker information!

FTR, we never automatically update a fixed version.

Regards,
Salvatore
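The CVE text quoted above describes the npm CLI sending its registry bearer token with requests to arbitrary hosts. The following is an added example, not npm's own code, showing the defensive rule a client should apply: attach the token only when the request URL has the same origin as the registry the token was issued for. Registry URLs, hostnames and the token are constructed sample values.

```javascript
// Added example, not npm's own code. CVE-2016-3956: the npm CLI attached the
// registry bearer token to requests for any host, so a package whose tarball
// was served from elsewhere caused the token to be sent there. The hardened
// behaviour below attaches the token only when the request URL has the same
// origin as the registry the token was issued for. URLs and token are
// constructed sample values.

// Origin used for comparison: scheme, host and explicit non-default port.
// The WHATWG URL parser lowercases the host and drops default ports, so
// "https://Registry.Example.Internal:443/" compares equal to the registry.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

// True only when the request targets the registry the token is scoped to.
function tokenAllowedFor(registryUrl, requestUrl) {
  return originOf(registryUrl) === originOf(requestUrl);
}

// Assemble request headers; Authorization is added only when the
// destination passes tokenAllowedFor() and a token is configured.
function buildHeaders(registryUrl, token, requestUrl) {
  const headers = { 'user-agent': 'example-client/0.0' };
  if (token && tokenAllowedFor(registryUrl, requestUrl)) {
    headers.authorization = `Bearer ${token}`;
  }
  return headers;
}

// Constructed sample: a private registry with a token, and a package whose
// tarball is hosted on a different server.
const REGISTRY = 'https://registry.example.internal/';
const TOKEN = 'SAMPLE-TOKEN-not-a-real-secret';
const SAME_ORIGIN = 'https://registry.example.internal/lodash/-/lodash-4.17.0.tgz';
const OTHER_HOST = 'https://cdn.example.net/lodash-4.17.0.tgz';

console.log('registry tarball carries token:',
  'authorization' in buildHeaders(REGISTRY, TOKEN, SAME_ORIGIN));   // true
console.log('foreign tarball carries token: ',
  'authorization' in buildHeaders(REGISTRY, TOKEN, OTHER_HOST));    // false
```

A scheme downgrade (http instead of https to the same host) is also treated as a different origin, so the token is withheld there too.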


