Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits: 20b67dce by Moritz Muehlenhoff at 2019-08-16T07:59:57Z NFU drop nodejs entry for some of the HTTP issues, not affected by all - - - - - 1 changed file: - data/CVE/list Changes: ===================================== data/CVE/list ===================================== @@ -14025,6 +14025,7 @@ CVE-2019-10224 RESERVED CVE-2019-10223 RESERVED + NOT-FOR-US: kube-state-metrics CVE-2019-10222 RESERVED CVE-2019-10221 
@@ -16993,31 +16994,16 @@ CVE-2019-9520 CVE-2019-9519 RESERVED CVE-2019-9518 (Some HTTP/2 implementations are vulnerable to a flood of empty frames, ...) - - nodejs <unfixed> - [stretch] - nodejs <not-affected> (No HTTP2 support yet) - [jessie] - nodejs <not-affected> (No HTTP2 support yet) NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md - NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ CVE-2019-9517 (Some HTTP/2 implementations are vulnerable to unconstrained interal da ...) - apache2 2.4.41-1 - - nodejs <unfixed> - [stretch] - nodejs <not-affected> (No HTTP2 support yet) - [jessie] - nodejs <not-affected> (No HTTP2 support yet) NOTE: Affects upstream versions 2.4.20 to 2.4.39 NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md - NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ CVE-2019-9516 (Some HTTP/2 implementations are vulnerable to a header leak, potential ...) - - nodejs <unfixed> - [stretch] - nodejs <not-affected> (No HTTP2 support yet) - [jessie] - nodejs <not-affected> (No HTTP2 support yet) - nginx <unfixed> NOTE: https://www.nginx.com/blog/nginx-updates-mitigate-august-2019-http-2-vulnerabilities/ NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md - NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/ CVE-2019-9515 (Some HTTP/2 implementations are vulnerable to a settings flood, potent ...) - - nodejs <unfixed> - [stretch] - nodejs <not-affected> (No HTTP2 support yet) - [jessie] - nodejs <not-affected> (No HTTP2 support yet) - trafficserver <unfixed> - h2o <unfixed> NOTE: https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md 
@@ -17060,9 +17046,6 @@ CVE-2019-9512 (Some HTTP/2 implementations are vulnerable to ping floods, potent - golang-1.7 <removed> - golang <removed> - golang-golang-x-net-dev <unfixed> - - nodejs <unfixed> - [stretch] - nodejs <not-affected> (No HTTP2 support yet) - [jessie] - nodejs <not-affected> (No HTTP2 support yet) - trafficserver <unfixed> - h2o <unfixed> NOTE: Issue: https://github.com/golang/go/issues/33606 View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20b67dced82bf312629bf871b5c91262fa055bc6 -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/commit/20b67dced82bf312629bf871b5c91262fa055bc6 You're receiving this email because of your account on salsa.debian.org.
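Review bot: The `NOT-FOR-US: kube-state-metrics` line added under CVE-2019-10223 in the first hunk (@@ -14025,6 +14025,7 @@) is unrelated to the nodejs removals in the other two hunks, and the commit message covers it only with the leading "NFU". Splitting the NFU triage into its own commit would let either decision be audited or reverted on its own.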
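Review bot: In the second hunk (@@ -16993,31 +16994,16 @@), CVE-2019-9518 is left with no package entry at all once the three nodejs lines are removed; only the Netflix advisory NOTE remains. The `NOTE: https://nodejs.org/en/blog/vulnerability/aug-2019-security-releases/` line is also dropped from CVE-2019-9518, CVE-2019-9517 and CVE-2019-9516, so nothing in the file records what the nodejs assessment was based on. Consider adding a NOTE under each affected CVE that names the source for the "not affected" conclusion.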
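Review bot: In the third hunk (@@ -17060,9 +17046,6 @@), the nodejs lines for CVE-2019-9512 are deleted outright rather than replaced by an explicit record, which also discards the documented per-release reasoning in `[stretch] - nodejs <not-affected> (No HTTP2 support yet)` and the matching jessie line. If nodejs is not affected by this issue, a `- nodejs <not-affected> (reason)` line would preserve the decision and keep the entry from being re-added during later triage. The commit message says "some of the HTTP issues" without listing them; naming the CVE ids there would make the scope checkable against the diff.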