Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits: 62859eb0 by Guilhem Moulin at 2023-08-08T23:00:29+02:00 Triage CVE-2023-30590/nodejs for buster. This alone doesn't warrant a DLA: “These design issues in this old API have been around for many years, and we are not currently aware of any misuse in the ecosystem that falls into the above scenario. Changing the behavior of the API would be a significant breaking change and is thus not appropriate for a security release (nor is it a goal.) The reported issue is treated as CWE-1068 (after a vast amount of uncertainty whether to treat it as a vulnerability at all), therefore, this change only updates the documentation to match the actual behavior. Tests are also added that demonstrate this particular oddity.” — https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -13185,7 +13185,9 @@ CVE-2023-30591 CVE-2023-30590 RESERVED - nodejs <unfixed> (bug #1039990) + [buster] - nodejs <postponed> (minor issue - Inconsistency Between Implementation and Documented Design) NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590 + NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x) CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...) - nodejs <unfixed> (bug #1039990) [buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x) View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62859eb0ab1618d0f9d8362202df6cd1bb826138
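Review bot: the added "NOTE: Fixed by: ... (v16.x)" line labels as a fix an upstream commit that, per the message quoted in this commit's description, only updates the documentation and adds tests. Consider wording the note to say so (for example, marking it as a documentation-only change upstream), so that a reader of data/CVE/list who sees it next to the "[buster] - nodejs <postponed>" entry does not expect a behavioural patch to backport. The "doesn't warrant a DLA" rationale currently lives only in the commit message; a short NOTE in the entry itself would keep that reasoning visible in the tracker, since the parenthetical on the [buster] line gives only the weakness wording.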