On Sun, Dec 21, 2014 at 5:31 AM, Jérémy Lal wrote:
> On Saturday, 20 December 2014 at 22:07 -0500, Michael Gilbert wrote:
>> package: src:nodejs
>> CVE-2014-7192[0],[1]:
>> | Eval injection vulnerability in index.js in the syntax-error package
>> | before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
>> | Developer and other products, allows remote attackers to execute
>> | arbitrary code via a crafted file.
> This doesn't affect nodejs, but the "syntax-error" module, a dependency
> of browserify - both not packaged in Debian.
> Cannot reassign, then. Maybe close?

The advisories seem to indicate that the origin of the flaw lies
within nodejs, not the libraries using it.  That may be right or
wrong, but it should be checked.

Best wishes,

Pkg-javascript-devel mailing list