Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e9bebf3c by Salvatore Bonaccorso at 2020-10-03T00:04:03+02:00
Update information on CVE-2020-8252
- - - - -
234ee99a by Salvatore Bonaccorso at 2020-10-03T00:04:26+02:00
Remove libuv1 from dsa-needed list
- - - - -
2 changed files:
- data/CVE/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -43065,7 +43065,7 @@ CVE-2020-8254
CVE-2020-8253 (Improper authentication in Citrix XenMobile Server 10.12 before
RP2, C ...)
NOT-FOR-US: Citrix
CVE-2020-8252 (The implementation of realpath in libuv < 10.22.1, <
12.18.4, an ...)
- - libuv1 1.39.0-1
+ - libuv1 1.39.0-1 (unimportant)
[stretch] - libuv1 <not-affected> (Vulnerable code introduced later)
NOTE: https://hackerone.com/reports/965914
NOTE:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#fs-realpath-native-on-may-cause-buffer-overflow-medium-cve-2020-8252
@@ -43074,6 +43074,8 @@ CVE-2020-8252 (The implementation of realpath in libuv
< 10.22.1, < 12.18.
NOTE: https://github.com/libuv/libuv/issues/2965
NOTE: Introduced by:
https://github.com/libuv/libuv/commit/b56d279b172fbe78dee2fb1d29cae9c9c5c6d1c4
(v1.24.0)
NOTE: Fixed by:
https://github.com/libuv/libuv/commit/0e6e8620496dff0eb285589ef1e37a7f407f3ddd
(v1.39.0)
+ NOTE: Broken path in uv__fs_realpath() only taken when libuv1 build in
+ NOTE: pre-POSIX.2008 mode (defined(_POSIX_VERSION) && _POSIX_VERSION <
200809L).
CVE-2020-8251 (Node.js < 14.11.0 is vulnerable to HTTP denial of service
(DoS) att ...)
- nodejs <not-affected> (Only affects 14.x series)
NOTE:
https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/#denial-of-service-by-resource-exhaustion-cwe-400-due-to-unfinished-http-1-1-requests-critical-cve-2020-8251
=====================================
data/dsa-needed.txt
=====================================
@@ -21,8 +21,6 @@ curl (ghedo)
knot-resolver
Santiago Ruano Rincón proposed a debdiff for review
--
-libuv1
---
linux (carnil)
Wait until more issues have piled up
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ca132793af0eafa7dc15ce9c5ec8f6f90d35a26a...234ee99a5fca0afa8bf6c8c723b416f8557fed4d
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/ca132793af0eafa7dc15ce9c5ec8f6f90d35a26a...234ee99a5fca0afa8bf6c8c723b416f8557fed4d
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
