[Git][security-tracker-team/security-tracker][master] Reserve DLA-3291-1 for node-object-path

Sun, 29 Jan 2023 08:06:54 -0800 


Guilhem Moulin pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
86672ee3 by Guilhem Moulin at 2023-01-29T17:05:53+01:00
Reserve DLA-3291-1 for node-object-path

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -104131,7 +104131,6 @@ CVE-2021-3806 (A path traversal vulnerability on 
Pardus Software Center's "extra
 CVE-2021-3805 (object-path is vulnerable to Improperly Controlled Modification 
of Obj ...)
        - node-object-path 0.11.8-1
        [bullseye] - node-object-path 0.11.5-3+deb11u1
-       [buster] - node-object-path <no-dsa> (Minor issue)
        [stretch] - node-object-path <end-of-life> (Nodejs in stretch not 
covered by security support)
        NOTE: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053
        NOTE: 
https://github.com/mariocasciaro/object-path/commit/4f0903fd7c832d12ccbe0d9c3d7e25d985e9e884
 (v0.11.8)
@@ -149287,7 +149286,6 @@ CVE-2021-23435 (This affects the package clearance 
before 2.5.0. The vulnerabili
 CVE-2021-23434 (This affects the package object-path before 0.11.6. A type 
confusion v ...)
        - node-object-path 0.11.7-1
        [bullseye] - node-object-path 0.11.5-3+deb11u1
-       [buster] - node-object-path <no-dsa> (Minor issue)
        [stretch] - node-object-path <end-of-life> (Nodejs in stretch not 
covered by security support)
        NOTE: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453
        NOTE: 
https://github.com/mariocasciaro/object-path/commit/7bdf4abefd102d16c163d633e8994ef154cab9eb


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[29 Jan 2023] DLA-3291-1 node-object-path - security update
+       {CVE-2021-3805 CVE-2021-23434}
+       [buster] - node-object-path 0.11.4-2+deb10u2
 [29 Jan 2023] DLA-3290-1 libzen - security update
        {CVE-2020-36646}
        [buster] - libzen 0.4.37-1+deb10u1


=====================================
data/dla-needed.txt
=====================================
@@ -177,11 +177,6 @@ node-nth-check
   NOTE: 20221111: Follow fixes from bullseye 11.3 (Beuc/front-desk)
   NOTE: 20221223: Module has been rewritten in Typescript since Buster 
released (lamby).
 --
-node-object-path (guilhem)
-  NOTE: 20221111: Programming language: JavaScript.
-  NOTE: 20221111: Follow fixes from bullseye 11.1 (Beuc/front-desk)
-  NOTE: 20221223: Functional part of CVE-2021-3805 might be 
https://gist.github.com/lamby/ebf0633837f16d174138bbf36bef38f3/raw (lamby)
---
 node-qs
   NOTE: 20230105: Programming language: JavaScript.
   NOTE: 20230105: Follow fixes from bullseye 11.6 (Beuc/front-desk)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86672ee355229f340c3fa92a00d7ba7903893d1d

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/86672ee355229f340c3fa92a00d7ba7903893d1d
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to