Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
e8901bfa by Salvatore Bonaccorso at 2024-12-27T14:03:29+01:00
Add tracking for CVE-2024-55565 and CVE-2021-23566 for node-mocha
node-mocha up to 9.1.4+ds1+~cs28.2.8-1 did include an embedded copy of
nanoid, which was affected by the two updated CVEs. The code was not
fixed up to that version, so mark the version which removes the code as
the fixing one for src:mocha.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4417,9 +4417,11 @@ CVE-2024-55565 (nanoid (aka Nano ID) before 5.0.9
mishandles non-integer values.
{DLA-4003-1}
- node-postcss 8.4.49+~cs9.2.32-1
[bookworm] - node-postcss <no-dsa> (Minor issue)
+ - node-mocha 9.1.4+ds1+~cs28.2.8-1
NOTE: node-postcss bundles nanoid
NOTE: https://github.com/ai/nanoid/pull/510
NOTE:
https://github.com/ai/nanoid/commit/d643045f40d6dc8afa000a644d857da1436ed08c
(3.3.8)
+ NOTE: node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy
CVE-2024-55564 (The POSIX::2008 package before 0.24 for Perl has a potential
_execve50 ...)
- libposix-2008-perl 0.24-1
[bookworm] - libposix-2008-perl <no-dsa> (Minor issue)
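Review bot: The new "- node-mocha 9.1.4+ds1+~cs28.2.8-1" line under CVE-2024-55565 has no per-suite annotation, while node-postcss directly above it carries "[bookworm] - node-postcss <no-dsa> (Minor issue)". Any suite shipping a node-mocha older than the listed version will be reported as unfixed with no triage state. If the embedded copy is judged the same way as in node-postcss, add a matching "[bookworm] - node-mocha ..." line, or state in the commit message that suite triage is deliberately left for a follow-up.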
@@ -305754,8 +305756,10 @@ CVE-2021-23567 (The package colors after 1.4.0 are
vulnerable to Denial of Servi
CVE-2021-23566 (The package nanoid from 3.0.0 and before 3.1.31 are vulnerable
to Info ...)
{DLA-4003-1}
- node-postcss 8.4.5+~cs7.1.51-1
+ - node-mocha 9.1.4+ds1+~cs28.2.8-1
NOTE:
https://github.com/ai/nanoid/commit/2b7bd9332bc49b6330c7ddb08e5c661833db2575
(3.1.31)
NOTE: https://github.com/ai/nanoid/pull/328
+ NOTE: node-mocha/9.1.4+ds1+~cs28.2.8-1 removes the node-nanoid copy
CVE-2021-23565
RESERVED
CVE-2021-23564
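Review bot: For CVE-2021-23566 the description limits the affected range to nanoid "from 3.0.0 and before 3.1.31", but the added node-mocha lines record only that 9.1.4+ds1+~cs28.2.8-1 removes the copy, not which nanoid version was embedded before that. Without it a reader cannot check from the entry that the embedded copy fell inside the affected range. Consider a second NOTE naming the nanoid version bundled in the last node-mocha upload that still carried it, next to the "removes the node-nanoid copy" note.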
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8901bfaf235248a4ad924c776245361db674b25