Your message dated Sun, 18 Feb 2024 18:07:32 +0000
with message-id <e1rblzc-008fdl...@fasolo.debian.org>
and subject line Bug#1064055: fixed in nodejs 18.19.1+dfsg-1
has caused the Debian Bug report #1064055,
regarding nodejs: CVE-2023-46809 CVE-2024-22019 CVE-2024-21892
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1064055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064055
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-46809[0]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium

CVE-2024-22019[1]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high

CVE-2024-21892[2]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#code-injection-and-privilege-escalation-through-linux-capabilities-cve-2024-21892---high

There are some other issues, but they only affect the version in experimental.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46809
    https://www.cve.org/CVERecord?id=CVE-2023-46809
[1] https://security-tracker.debian.org/tracker/CVE-2024-22019
    https://www.cve.org/CVERecord?id=CVE-2024-22019
[2] https://security-tracker.debian.org/tracker/CVE-2024-21892
    https://www.cve.org/CVERecord?id=CVE-2024-21892

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 18.19.1+dfsg-1
Done: Jérémy Lal <kapo...@melix.org>

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Sun, 18 Feb 2024 18:12:23 +0100
Source: nodejs
Architecture: source
Version: 18.19.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapo...@melix.org>
Closes: 1059168 1064055
Changes:
 nodejs (18.19.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 18.19.1. Closes: 1064055.
     + CVE-2024-21892 (High) Code injection and privilege escalation through Linux capabilities
     + CVE-2024-22019 (High) Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks
     + CVE-2023-46809 (Medium) Marvin Attack vulnerability against PKCS#1 v1.5 padding
   * new architecture: loong64, thanks to Shi Pujin
   * patch:
     + let loong64 have some failing tests
     + more doc for localhost-no-addrconfig
     + allow test-debugger-heap-profiler to fail. Closes: #1059168
     + disable zlib embedding in v8, disable snapshot compression
   * override lintian source warning for zlib brotli test string
   * fix bootstrapping of nodejs package:
     + update README.source
     + nodoc: disable bash completion output
     + patch: disable shared builtins when flag node-builtin-modules-path is used
   * include permission headers in libnode-dev
   * B-D pkg-config becomes pkgconf
--- End Message ---