Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: c9d96e49 by Moritz Muehlenhoff at 2019-04-08T19:19:58Z update fixed status for a number of older nodejs and node-foo packages - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -47982,17 +47982,17 @@ CVE-2018-12125 CVE-2018-12124 RESERVED CVE-2018-12123 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/53a6e4eb2002efc66eb9aefe24529fb63715094e CVE-2018-12122 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/696f063c5e9157fd10859515da00fd8bd190d76d CVE-2018-12121 (Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11. ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/93dba83fb0fb46ee2ea87163f435392490b4d59b 
@@ -48009,12 +48009,13 @@ CVE-2018-12118 CVE-2018-12117 RESERVED CVE-2018-12116 (Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: Patch (v8): https://github.com/nodejs/node/commit/513e9747a22386bc9c93a12f9698561827a1e631 + NOTE: Only affects 6.x and 8.x, marking first 10.x release as fixed CVE-2018-12115 (In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when use ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ NOTE: Nodejs not covered by security support NOTE: https://github.com/nodejs/node/commit/fc14d812b7 
@@ -61711,17 +61712,17 @@ CVE-2018-7169 (An issue was discovered in shadow 4.5. newgidmap (in shadow-utils CVE-2018-7168 RESERVED CVE-2018-7167 (Calling Buffer.fill() or Buffer.alloc() with some parameters can lead ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#calls-to-buffer-fill-and-or-buffer-alloc-may-hang-cve-2018-7167 + NOTE: Doesn't affect 10.x, marking first 10.x upload to sid as fixed CVE-2018-7166 (In all versions of Node.js 10 prior to 10.9.0, an argument processing ...) - [experimental] - nodejs <unfixed> - nodejs <not-affected> (Only affects 10.x and later) NOTE: https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/ NOTE: https://github.com/nodejs/node/commit/40a7beeddac9b9ec9ef5b49157daaf8470648b08 CVE-2018-7165 RESERVED CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and the sever ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs <not-affected> (Only affects >= 9.x) [jessie] - nodejs <not-affected> (Only affects >= 9.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#memory-exhaustion-dos-on-v9-x-cve-2018-7164 
@@ -61729,24 +61730,24 @@ CVE-2018-7164 (Node.js versions 9.7.0 and later and 10.x are vulnerable and the CVE-2018-7163 RESERVED CVE-2018-7162 (All versions of Node.js 9.x and 10.x are vulnerable and the severity i ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs <not-affected> (Only affects >= 8.x) [jessie] - nodejs <not-affected> (Only affects >= 8.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-tls-cve-2018-7162 NOTE: https://github.com/nodejs/node/commit/0cb3325f1 CVE-2018-7161 (All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the seve ...) - - nodejs <unfixed> (unimportant) + - nodejs 10.15.0~dfsg-6 (unimportant) [stretch] - nodejs <not-affected> (Only affects >= 8.x) [jessie] - nodejs <not-affected> (Only affects >= 8.x) NOTE: https://nodejs.org/en/blog/vulnerability/june-2018-security-releases/#denial-of-service-vulnerability-in-http-2-cve-2018-7161 NOTE: https://github.com/nodejs/node/commit/8bf213dbdc7e CVE-2018-7160 (The Node.js inspector, in 6.x and later is vulnerable to a DNS rebindi ...) - - nodejs <unfixed> (unimportant) + - nodejs 8.11.1~dfsg-2 (unimportant) [stretch] - nodejs <not-affected> (Vulnerable code not present) [jessie] - nodejs <not-affected> (Vulnerable code not present) [wheezy] - nodejs <not-affected> (Vulnerable code not present) CVE-2018-7159 (The HTTP parser in all current versions of Node.js ignores spaces in t ...) - - nodejs <unfixed> (unimportant) + - nodejs 8.11.1~dfsg-2 (unimportant) CVE-2018-7158 (The `'path'` module in the Node.js 4.x release line contains a potenti ...) - nodejs 6.0.0~dfsg-1 (unimportant) CVE-2018-7157 
@@ -85886,7 +85887,7 @@ CVE-2017-16084 (list-n-stream is a server for static files to list and stream lo CVE-2017-16083 (node-simple-router is a minimalistic router for Node. node-simple-rout ...) NOT-FOR-US: node-simple-router CVE-2017-16082 (A remote code execution vulnerability was found within the pg module w ...) - - node-postgres <unfixed> (unimportant) + - node-postgres 7.7.1-1 (unimportant) NOTE: https://nodesecurity.io/advisories/521 NOTE: nodejs not covered by security support CVE-2017-16081 (cross-env.js was a malicious module published with the intent to hijac ...) @@ -86410,7 +86411,7 @@ CVE-2016-10541 (The npm module "shell-quote" 1.6.0 and earlier cannot correctly NOTE: https://nodesecurity.io/advisories/117 NOTE: nodejs not covered by security support CVE-2016-10540 (Minimatch is a minimal matching utility that works by converting glob ...) - - node-minimatch <unfixed> (unimportant) + - node-minimatch 3.0.3-1 (unimportant) NOTE: https://nodesecurity.io/advisories/118 NOTE: https://github.com/isaacs/minimatch/commit/6944abf9e0694bd22fd9dad293faa40c2bc8a955 NOTE: libv8 is not covered by security support @@ -89795,7 +89796,7 @@ CVE-2017-14921 (Stored XSS vulnerability via IMG element at "Filename" of Filema CVE-2017-14920 (Stored XSS vulnerability in eGroupware Community Edition before 16.1.2 ...) NOT-FOR-US: eGroupware CVE-2017-14919 (Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows r ...) - - nodejs <unfixed> (unimportant) + - nodejs <not-affected> (Debian didn't use an affected zlib version) NOTE: Debian doesn't use zlib 1.2.9 yet NOTE: https://nodejs.org/en/blog/vulnerability/oct-2017-dos/ CVE-2017-14918 (In Android for MSM, Firefox OS for MSM, QRD Android, with all Android ...) 
@@ -144617,7 +144618,7 @@ CVE-2016-1000024 RESERVED CVE-2016-1000022 RESERVED - - node-negotiator <unfixed> (unimportant) + - node-negotiator 0.6.1-1 (unimportant) NOTE: https://nodesecurity.io/advisories/106 NOTE: https://github.com/distributedweaknessfiling/DWF-Database/commit/5e607a0cad2769db2be5aafc4d9b1ec49bd7bbbc NOTE: nodejs not covered by security support @@ -151712,14 +151713,14 @@ CVE-2015-8861 (The handlebars package before 4.0.0 for Node.js allows remote att NOTE: node-handlebars only in experimental for now, fixed in 4.0.0 NOTE: libv8 is not covered by security support CVE-2015-8860 (The tar package before 2.0.0 for Node.js allows remote attackers to wr ...) - - node-tar <unfixed> (unimportant) + - node-tar 2.2.1-1 (unimportant) NOTE: libv8 is not covered by security support CVE-2015-8859 (The send package before 0.11.1 for Node.js allows attackers to obtain ...) - - node-send <unfixed> (unimportant) + - node-send 0.16.2-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/56 CVE-2015-8858 (The uglify-js package before 2.6.0 for Node.js allows attackers to cau ...) - - uglifyjs <unfixed> (unimportant) + - uglifyjs 2.7.4-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/48 CVE-2015-8854 (The marked package before 0.3.4 for Node.js allows attackers to cause ...) @@ -151943,7 +151944,7 @@ CVE-2016-4020 (The patch_instruction function in hw/i386/kvmvapic.c in QEMU does NOTE: http://www.openwall.com/lists/oss-security/2016/04/13/6 CVE-2015-8851 RESERVED - - node-uuid <unfixed> (unimportant) + - node-uuid 1.4.7-1 (unimportant) NOTE: https://github.com/broofa/node-uuid/issues/108 NOTE: https://github.com/broofa/node-uuid/issues/118 NOTE: https://github.com/broofa/node-uuid/issues/122 
@@ -156682,7 +156683,7 @@ CVE-2015-8857 (The uglify-js package before 2.4.24 for Node.js does not properly NOTE: https://nodesecurity.io/advisories/39 NOTE: nodejs not covered by security support CVE-2015-XXXX [root path disclosure] - - node-send <unfixed> (unimportant) + - node-send 0.16.2-1 (unimportant) NOTE: fixed in 0.11.1 NOTE: https://github.com/pillarjs/send/pull/70 NOTE: https://github.com/expressjs/serve-static/blob/master/HISTORY.md#181--2015-01-20 @@ -182961,7 +182962,7 @@ CVE-2015-2311 (Integer underflow in Sandstorm Cap'n Proto before 0.4.1.1 and 0.5 CVE-2015-2310 (Integer overflow in layout.c++ in Sandstorm Cap'n Proto before 0.4.1.1 ...) - capnproto 0.4.1-3 (bug #780565) CVE-2015-8856 (Cross-site scripting (XSS) vulnerability in the serve-index package be ...) - - node-serve-index <unfixed> (unimportant) + - node-serve-index 1.9.1-1 (unimportant) NOTE: libv8 is not covered by security support NOTE: https://nodesecurity.io/advisories/serve-static-xss NOTE: https://github.com/expressjs/serve-index/issues/28 @@ -198607,7 +198608,7 @@ CVE-2014-6394 (visionmedia send before 0.8.4 for Node.js uses a partial comparis - node-send 0.9.4-1 NOTE: https://nodesecurity.io/advisories/send-directory-traversal CVE-2014-6393 (The Express web framework before 3.11 and 4.x before 4.5 for Node.js d ...) - - node-express <unfixed> (unimportant) + - node-express 4.16.4-1 (unimportant) NOTE: libv8 is not covered by security support CVE-2014-6392 (** DISPUTED ** Cross-site scripting (XSS) vulnerability in the Faceboo ...) NOT-FOR-US: Facebook app and Facebook Messenger app for iOS 
@@ -200672,8 +200673,7 @@ CVE-2014-6269 (Multiple integer overflows in the http_request_forward_body funct NOTE: http://article.gmane.org/gmane.comp.web.haproxy/18097 NOTE: http://git.haproxy.org/?p=haproxy-1.5.git;a=commitdiff;h=b4d05093bc89f71377230228007e69a1434c1a0c CVE-2014-5256 (Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider th ...) - - nodejs <unfixed> (unimportant; bug #760385) - NOTE: libv8 is not covered by security support + - nodejs 0.10.38~dfsg-1 (unimportant; bug #760385) CVE-2014-7402 (The SK encar (aka com.encardirect.app) application @7F050000 for Andro ...) NOT-FOR-US: SK encar (aka com.encardirect.app) application for Android CVE-2013-7402 (Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allo ...) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9d96e49ef1ce16a831069e716456b249a2db0f7 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/c9d96e49ef1ce16a831069e716456b249a2db0f7 You're receiving this email because of your account on salsa.debian.org.
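Review bot: in the hunk at -47982 the three entries (CVE-2018-12123, CVE-2018-12122, CVE-2018-12121) are moved to 10.15.0~dfsg-6 without any explanatory NOTE, although the descriptions put the upstream fix in 10.14.0; since the later hunks justify the same version with "marking first 10.x upload to sid as fixed", add the same NOTE here (or confirm that no earlier 10.15.0~dfsg-N upload reached unstable) so a later reader does not wonder why 10.15.0~dfsg-6 rather than the first 10.15.0 upload was chosen.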
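Review bot: the new NOTE in the hunk at -48009, "Only affects 6.x and 8.x, marking first 10.x release as fixed", states the same rationale as the NOTE added at -61712 ("marking first 10.x upload to sid as fixed") but with different wording; prefer the "upload to sid" phrasing in both places, because 10.15.0~dfsg-6 is a Debian revision rather than an upstream release, and a reader searching the file for one form will otherwise miss the other.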
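Review bot: in the hunk at -61712, CVE-2018-7166 becomes `- nodejs <not-affected> (Only affects 10.x and later)`, which reads as wrong now that the same commit records 10.15.0~dfsg-6 in unstable; the issue is "all versions of Node.js 10 prior to 10.9.0", so the reason should state that 10.x entered unstable at a version already past 10.9.0 (e.g. "10.x entered unstable with 10.15.0, fixed since 10.9.0"), otherwise the entry looks inconsistent with the 10.x fixed versions recorded a few lines above.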
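Review bot: in the hunk at -61730, CVE-2018-7160 and CVE-2018-7159 are moved to 8.11.1~dfsg-2 but, unlike every other entry touched by this commit, carry no NOTE pointing at the upstream advisory or commit that establishes 8.11.1 as the fixed version; add a NOTE with the upstream reference used to derive that version so the choice can be verified later.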
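Review bot: in the hunk at -89796, the new marking `- nodejs <not-affected> (Debian didn't use an affected zlib version)` sits next to the retained "NOTE: Debian doesn't use zlib 1.2.9 yet"; the "yet" implies the status could change when zlib is updated, while `<not-affected>` is a terminal state. Either reword the NOTE to match the permanent conclusion (e.g. "the affected zlib 1.2.9 code was never shipped with the Debian nodejs package") or keep the entry in a state that is revisited when zlib moves.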
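Review bot: in the hunk at -151713, the versions recorded for node-tar (2.2.1-1 for a fix in 2.0.0), node-send (0.16.2-1 for a fix in 0.11.1) and uglifyjs (2.7.4-1 for a fix in 2.6.0) look like current archive versions rather than the first upload containing the fix; the hunk at -198608 shows that an intermediate node-send 0.9.4-1 existed, so earlier fixed uploads are plausible for these packages too. The tracker wants the first fixed version, so check the package changelogs or add a NOTE stating that these are the earliest versions that can be confirmed.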
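Review bot: in the hunk at -156683, the placeholder CVE-2015-XXXX [root path disclosure] entry is pointed at node-send 0.16.2-1 with "NOTE: fixed in 0.11.1", which is the same package and the same fixed version as CVE-2015-8859 ("The send package before 0.11.1 for Node.js allows attackers to obtain ...") updated at -151713; if both describe the same issue, the XXXX entry should cross-reference CVE-2015-8859 or be merged into it rather than being maintained as a second entry with its own fixed version.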
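Review bot: in the hunk at -200673, the line "NOTE: libv8 is not covered by security support" is removed from CVE-2014-5256 along with the version bump, while the same NOTE is kept on every other entry touched by this commit (node-tar, node-send, uglifyjs, node-serve-index, node-express); the (unimportant) tag on this entry still rests on that policy, so either keep the NOTE here or drop it uniformly with a separate, explained change.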
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits