Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
508bd7b0 by Salvatore Bonaccorso at 2023-08-28T21:49:52+02:00
Add Debian bug reference for nodejs issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -2028,7 +2028,7 @@ CVE-2023-33242 (Crypto wallets implementing the Lindell17
TSS protocol might all
CVE-2023-33241 (Crypto wallets implementing the GG18 or GG20 TSS protocol
might allow ...)
NOT-FOR-US: Crypto wallets implementing the GG18 or GG20 TSS protocol
CVE-2023-32559 (A privilege escalation vulnerability exists in the
experimental policy ...)
- - nodejs <unfixed>
+ - nodejs <unfixed> (bug #1050739)
[buster] - nodejs <not-affected> (v10.x doesn't support policy
manifests)
NOTE:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559
NOTE:
https://github.com/nodejs/node/commit/d4570fae358693b8f7fec05294b9bb92a966226d
(v18.x)
@@ -2037,7 +2037,7 @@ CVE-2023-32558
- nodejs <not-affected> (Only affects 20.x and later)
NOTE:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#processbinding-can-bypass-the-permission-model-through-path-traversal-highcve-2023-32558
CVE-2023-32006 (The use of `module.constructor.createRequire()` can bypass the
policy ...)
- - nodejs <unfixed>
+ - nodejs <unfixed> (bug #1050739)
[buster] - nodejs <not-affected> (v10.x doesn't support policy
manifests)
NOTE:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-impersonate-other-modules-in-using-moduleconstructorcreaterequire-mediumcve-2023-32006
NOTE:
https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a
(v18.x)
@@ -2052,7 +2052,7 @@ CVE-2023-32003 (`fs.mkdtemp()` and `fs.mkdtempSync()` can
be used to bypass the
- nodejs <not-affected> (Only affects 20.x and later)
NOTE:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#fsmkdtemp-and-fsmkdtempsync-are-missing-getvalidatedpath-checks-lowcve-2023-32003
CVE-2023-32002 (The use of `Module._load()` can bypass the policy mechanism
and requir ...)
- - nodejs <unfixed>
+ - nodejs <unfixed> (bug #1050739)
[buster] - nodejs <not-affected> (v10.x doesn't support policy
manifests)
NOTE:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-module_load-highcve-2023-32002
NOTE:
https://github.com/nodejs/node/commit/15bced0bde93f24115b779a309d517845c87e17a
(v18.x)
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/508bd7b046deb67aece63bdb56833b20cf92f21c
--
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/508bd7b046deb67aece63bdb56833b20cf92f21c
You're receiving this email because of your account on salsa.debian.org.
_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
