[Git][security-tracker-team/security-tracker][master] 2 commits: Triage CVE-2024-22019/nodejs for buster.

Tue, 26 Mar 2024 15:59:06 -0700 


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
62b82fc8 by Guilhem Moulin at 2024-03-26T23:57:10+01:00
Triage CVE-2024-22019/nodejs for buster.

nodejs v10.x uses http_parser and ignores chunk extensions.

- - - - -
57c98716 by Guilhem Moulin at 2024-03-26T23:57:43+01:00
Reserve DLA-3776-1 for nodejs

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -10094,6 +10094,7 @@ CVE-2024-21896 (The permission model protects itself 
against path traversal atta
        NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#path-traversal-by-monkey-patching-buffer-internals-cve-2024-21896---high
 CVE-2024-22019 (A vulnerability in Node.js HTTP servers allows an attacker to 
send a s ...)
        - nodejs 18.19.1+dfsg-1 (bug #1064055)
+       [buster] - nodejs <not-affected> (Vulnerable code not present)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high
        NOTE: 
https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171 
(v18.x)
        NOTE: 
https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171 
(main)
@@ -56734,7 +56735,6 @@ CVE-2023-30590 (The generateKeys() API function 
returned from crypto.createDiffi
        {DSA-5589-1}
        - nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
        [bullseye] - nodejs <ignored> (Minor issue, only updates documentation 
to clarify an API)
-       [buster] - nodejs <postponed> (minor issue - Inconsistency Between 
Implementation and Documented Design)
        NOTE: 
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
        NOTE: Fixed by: 
https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 
(v16.x)
 CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not 
strictly ...)


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[26 Mar 2024] DLA-3776-1 nodejs - security update
+       {CVE-2023-30590 CVE-2023-46809 CVE-2024-22025}
+       [buster] - nodejs 10.24.0~dfsg-1~deb10u4
 [25 Mar 2024] DLA-3775-1 firefox-esr - security update
        {CVE-2023-5388 CVE-2024-0743 CVE-2024-2607 CVE-2024-2608 CVE-2024-2610 
CVE-2024-2611 CVE-2024-2612 CVE-2024-2614 CVE-2024-2616 CVE-2024-29944}
        [buster] - firefox-esr 115.9.1esr-1~deb10u1


=====================================
data/dla-needed.txt
=====================================
@@ -167,10 +167,6 @@ linux-5.10
 lucene-solr
   NOTE: 20240213: Added by Front-Desk (lamby)
 --
-nodejs (guilhem)
-  NOTE: 20240218: Added by Front-Desk (lamby)
-  NOTE: 20240325: Final tests before upload (guilhem)
---
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b1be3cf13b96129f666230b211fbca4b0fe908ed...57c987168cb504199f0b148f9adf8919211d5fbb

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/b1be3cf13b96129f666230b211fbca4b0fe908ed...57c987168cb504199f0b148f9adf8919211d5fbb
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to