Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c22898dd by Salvatore Bonaccorso at 2024-04-28T20:49:02+02:00
Add note for CVE-2023-29827 on fix

Actually upstream said that the issue is disputed and the issue is not
directly fixed. Later v3.1.10 still added the referenced commit.

Might be disputed for us as well and revert the fixed version tracking
which does not matter much as we consider the issue unimportant, with a
clear enough note.

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -69416,6 +69416,8 @@ CVE-2023-29827 (ejs v3.1.9 is vulnerable to server-side 
template injection. If t
        NOTE: https://github.com/mde/ejs/issues/720
        NOTE: Not considered a security issue by upstream, requires to never 
give unfiltered
        NOTE: input to the EJS's render function.
+       NOTE: v3.1.10 implements a basic pollution protection, tracking this as 
fix:
+       NOTE: 
https://github.com/mde/ejs/commit/e469741dca7df2eb400199e1cdb74621e3f89aa5 
(v3.1.10)
 CVE-2023-29826
        RESERVED
 CVE-2023-29825
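
Review bot: The added "tracking this as fix" NOTE sits directly under the existing "Not considered a security issue by upstream" NOTE, and nothing in the entry reconciles the two. The commit message explains that upstream disputes the issue and did not fix it directly, but that context does not reach data/CVE/list. Consider putting it into the added line itself, for example "NOTE: Disputed upstream and not directly fixed; v3.1.10 adds a basic pollution protection, tracked as fix:", so a reader of the entry does not take v3.1.10 as an upstream-acknowledged fix for the template injection described in the CVE text.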



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c22898dd789f4d39c11a004fcdc0547e1b78589f



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
