[Git][security-tracker-team/security-tracker][master] New node-url-parse issue

[Moritz Muehlenhoff]

Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
aee95687 by Moritz Muehlenhoff at 2018-08-13T16:13:37Z
New node-url-parse issue

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -18349,7 +18349,6 @@ CVE-2018-8011 (By specially crafting HTTP requests, the 
mod_md challenge handler
        [jessie] - apache2 <not-affected> (Vulnerable code not present; mod_md 
module)
        NOTE: http://www.openwall.com/lists/oss-security/2018/07/18/2
        NOTE: 
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-8011
-       TODO: check, should affect only the specific 2.4.33 version (unless 
issue backported)
 CVE-2018-8010 (This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 
7.3.0 ...)
        - lucene-solr <not-affected> (Do not allow to upload configsets via the 
API)
        NOTE: Versions 5.x and earlier are not affected by the vulnerability, 
since
@@ -30942,7 +30941,7 @@ CVE-2018-3781
 CVE-2018-3780
        RESERVED
 CVE-2018-3779 (active-support ruby gem 5.2.0 could allow a remote attacker to 
execute ...)
-       TODO: check
+       NOT-FOR-US: Trojaned gem release
 CVE-2018-3778 (Improper authorization in aedes version &lt;0.35.0 will publish 
a LWT in ...)
        NOT-FOR-US: aedes
 CVE-2018-3777 (Insufficient URI encoding in restforce before 3.0.0 allows 
attacker to ...)
@@ -30952,7 +30951,11 @@ CVE-2018-3776 (Improper input validator in Nextcloud 
Server prior to 12.0.3 and 
 CVE-2018-3775 (Improper Authentication in Nextcloud Server prior to version 
12.0.3 ...)
        - nextcloud <itp> (bug #835086)
 CVE-2018-3774 (Incorrect parsing in url-parse &lt;1.4.3 returns wrong hostname 
which ...)
-       TODO: check
+       - node-url-parse <unfixed> (unimportant)
+       NOTE: https://hackerone.com/reports/384029
+       NOTE: 
https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a
+       NOTE: 
https://github.com/unshiftio/url-parse/commit/d7b582ec1243e8024e60ac0b62d2569c939ef5de
+       NOTE: nodejs not covered by security support
 CVE-2018-3773 (There is a stored Cross-Site Scripting vulnerability in Open 
Graph ...)
        NOT-FOR-US: metascrape nodejs module
 CVE-2018-3772 (Concatenating unsanitized user input in the `whereis` npm 
module &lt; ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/aee9568771b46625e2903c3580ab5a9522749160

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/commit/aee9568771b46625e2903c3580ab5a9522749160
You're receiving this email because of your account on salsa.debian.org.

_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits