Guilhem Moulin pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
62859eb0 by Guilhem Moulin at 2023-08-08T23:00:29+02:00
Triage CVE-2023-30590/nodejs for buster.
This alone doesn't warrant a DLA:
“These design issues in this old API have been around for many years, and
we are not currently aware of any misuse in the ecosystem that falls
into the above scenario. Changing the behavior of the API would be a
significant breaking change and is thus not appropriate for a security
release (nor is it a goal.) The reported issue is treated as CWE-1068
(after a vast amount of uncertainty whether to treat it as a
vulnerability at all), therefore, this change only updates the
documentation to match the actual behavior. Tests are also added that
demonstrate this particular oddity.”
—
https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13185,7 +13185,9 @@ CVE-2023-30591
CVE-2023-30590
RESERVED
- nodejs <unfixed> (bug #1039990)
+ [buster] - nodejs <postponed> (minor issue - Inconsistency Between
Implementation and Documented Design)
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
+ NOTE: Fixed by:
https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85
(v16.x)
CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not
strictly ...)
- nodejs <unfixed> (bug #1039990)
[buster] - nodejs <not-affected> (llhttp dependency/embedding
introduced in 12.x)
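Review bot: the added "NOTE: Fixed by:" line presents the upstream v16.x commit as a fix, but the upstream text quoted in the commit message says the change only updates the documentation to match the actual behavior and adds tests. Consider saying so in the note, for example by appending "(documentation and tests only)" after "(v16.x)", so that a reader of data/CVE/list does not expect a behavioural change to backport for buster. The "(minor issue - ...)" reason on the [buster] line could carry the same point, since it currently gives only the weakness category and not why postponing is safe.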
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62859eb0ab1618d0f9d8362202df6cd1bb826138