[Git][security-tracker-team/security-tracker][master] CVE-2021-22930,CVE-2021-22940/nodejs: reference issues and complete patch

Tue, 06 Sep 2022 10:05:09 -0700 


Sylvain Beucler pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
b59278eb by Sylvain Beucler at 2022-09-06T19:04:45+02:00
CVE-2021-22930,CVE-2021-22940/nodejs: reference issues and complete patch

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -115429,6 +115429,8 @@ CVE-2021-22940 (Node.js before 16.6.1, 14.17.5, and 
12.22.5 is vulnerable to a u
        [bullseye] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 
not applied)
        [buster] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 not 
applied)
        [stretch] - nodejs <not-affected> (Incomplete fix for CVE-2021-22930 
not applied)
+       NOTE: https://github.com/nodejs/node/pull/39423
+       NOTE: 
https://github.com/nodejs/node/commit/2008c9722fcf7591e39013691f303934b622df7b 
(v12.22.5)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22940
 CVE-2021-22939 (If the Node.js https API was used incorrectly and "undefined" 
was in p ...)
        - nodejs 12.22.5~dfsg-1
@@ -115456,7 +115458,8 @@ CVE-2021-22930 (Node.js before 16.6.0, 14.17.4, and 
12.22.4 is vulnerable to a u
        - nodejs 12.22.4~dfsg-1
        [bullseye] - nodejs 12.22.5~dfsg-2~11u1
        [stretch] - nodejs <end-of-life> (Nodejs in stretch not covered by 
security support)
-       NOTE: 
https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05
+       NOTE: https://github.com/nodejs/node/issues/38964
+       NOTE: 
https://github.com/nodejs/node/commit/b263f2585ab53f56e0e22b46cf1f8519a8af8a05 
(v12.22.4)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases-2/#use-after-free-on-close-http2-on-stream-canceling-high-cve-2021-22930
        NOTE: Possible incomplete fix (at least for v12): 
https://github.com/nodejs/node/issues/38964#issuecomment-889936936
        NOTE: CVE for the incomplete fix tracked as CVE-2021-22940



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b59278eb311b5db0ed165e604e41ec4e70c01c54

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/b59278eb311b5db0ed165e604e41ec4e70c01c54
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to