Your message dated Sat, 15 Sep 2018 18:19:29 +0530
with message-id <[email protected]>
and subject line Re: npm: CVE-2016-3956
has caused the Debian Bug report #850322,
regarding npm: CVE-2016-3956
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
850322: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=850322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: npm
Version: 1.4.21+ds-2
Severity: important
Tags: upstream security fixed-upstream
Forwarded: https://github.com/npm/npm/issues/8380
Hi,
the following vulnerability was published for npm.
CVE-2016-3956[0]:
| The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js
| 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before
| 5.10.0, includes bearer tokens with arbitrary requests, which allows
| remote HTTP servers to obtain sensitive information by reading
| Authorization headers.
No fix has been made for 1.x versions.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-3956
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3956
[1] https://github.com/npm/npm/issues/8380
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Control: fixed -1 5.8.0+ds-1
On Thu, 05 Jan 2017 22:16:38 +0100 Salvatore Bonaccorso
<[email protected]> wrote:
> the following vulnerability was published for npm.
>
> CVE-2016-3956[0]:
> | The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js
> | 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before
> | 5.10.0, includes bearer tokens with arbitrary requests, which allows
> | remote HTTP servers to obtain sensitive information by reading
> | Authorization headers.
>
> No fix has been made for 1.x versions.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
This bug was not noticed while uploading 5.8, so security tracker will
need a manual update.
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
