-------------------------------------------------------------------------
Debian LTS Advisory DLA-3128-1                [email protected]
https://www.debian.org/lts/security/                        Utkarsh Gupta
October 01, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-thenify
Version        : 3.3.0-1+deb10u1
CVE ID         : CVE-2020-7677

thenify promisifies a callback-based function using any-promise.

Affected versions of this package are vulnerable to Arbitrary Code
Execution. The name argument provided to the package can be controlled
by users and is passed to the eval function without any sanitization.

For Debian 10 buster, this problem has been fixed in version
3.3.0-1+deb10u1.

We recommend that you upgrade your node-thenify packages.

For the detailed security status of node-thenify please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-thenify

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
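
The root cause described in this advisory, a caller-controlled name reaching
eval, shown as an added example (not thenify's source and not the Debian
patch): a simplified unsafe wrapper beside two hardened forms. The function
names, the constructed input and the __dla3128_marker flag are assumptions
made for illustration.

```javascript
'use strict';
// Simplified model of the pattern in the advisory; not thenify's code.
// All function names below are hypothetical.

// Unsafe shape: the caller-supplied name is pasted into source text that
// is handed to eval, so the name is parsed as code rather than as a label.
function wrapUnsafe(fn, name) {
  return eval('(function ' + name + '() { return fn.apply(this, arguments) })');
}

// Hardened shape 1: no string-built code. The name is attached as data,
// so its content is never parsed.
function wrapSafe(fn, name) {
  const wrapper = function () { return fn.apply(this, arguments); };
  Object.defineProperty(wrapper, 'name', { value: String(name), configurable: true });
  return wrapper;
}

// Hardened shape 2: if generated source is unavoidable, allow-list the name.
function assertIdentifier(name) {
  if (typeof name !== 'string' || !/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(name)) {
    throw new TypeError('refusing non-identifier function name');
  }
  return name;
}

function demo() {
  // Constructed input: a "name" whose extra expression only sets a harmless flag.
  const hostile = 'a(){}, globalThis.__dla3128_marker = true, function b';
  const add = (x, y) => x + y;

  delete globalThis.__dla3128_marker;
  wrapUnsafe(add, hostile);
  const unsafeRan = globalThis.__dla3128_marker === true;

  delete globalThis.__dla3128_marker;
  const safe = wrapSafe(add, hostile);
  const safeRan = globalThis.__dla3128_marker === true;

  let rejected = false;
  try { assertIdentifier(hostile); } catch (e) { rejected = e instanceof TypeError; }
  return { unsafeRan, safeRan, rejected, sum: safe(2, 3) };
}

console.log(demo());
```

When auditing code that wraps functions, the thing to look for is any
eval or new Function call whose source string is concatenated from a
function or property name.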
