Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
1471f185 by Salvatore Bonaccorso at 2025-08-28T06:20:34+02:00
Update status for llhttp issue, entered the archive
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -31304,8 +31304,10 @@ CVE-2025-23167 (A flaw in Node.js 20's HTTP parser
allows improper termination o
- node-undici <unfixed> (bug #1105919)
[trixie] - node-undici <no-dsa> (Minor issue)
[bookworm] - node-undici <no-dsa> (Minor issue)
- - llhttp <itp> (bug #977716)
+ - llhttp <not-affected> (Fixed before initial upload to Debian)
NOTE:
https://nodejs.org/en/blog/vulnerability/may-2025-security-releases#improper-http-header-block-termination-in-llhttp-cve-2025-23167---medium
+ NOTE: https://github.com/nodejs/llhttp/pull/239
+ NOTE: Fixed by:
https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8
(v9.0.1)
CVE-2025-23166 (The C++ method SignTraits::DeriveBits() may incorrectly call
ThrowExce ...)
- nodejs 20.19.2+dfsg-1 (bug #1105832)
[bullseye] - nodejs <not-affected> (The vulnerable code was introduced
later)
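Review bot: the new `- llhttp <not-affected> (Fixed before initial upload to Debian)` line drops the ITP bug #977716 reference without recording which llhttp version actually entered the archive, so the rationale cannot be checked against the `(v9.0.1)` fix version the added NOTE cites; state the first uploaded llhttp version in the rationale, and say in the NOTE whether commit 72f5309 is the llhttp-side counterpart of the Node.js 20 advisory linked just above it.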
@@ -215374,11 +215376,13 @@ CVE-2023-30589 (The llhttp parser in the http
module in Node v20.2.0 does not st
{DSA-5589-1 DLA-3886-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
[buster] - nodejs <not-affected> (llhttp dependency/embedding
introduced in 12.x)
- - llhttp <itp> (bug #977716)
+ - llhttp <not-affected> (Fixed before initial upload to Debian)
NOTE:
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#http-request-smuggling-via-empty-headers-separated-by-cr-medium-cve-2023-30589
NOTE: https://hackerone.com/reports/2001873
NOTE: https://github.com/advisories/GHSA-cggh-pq45-6h9x
NOTE: Fixed by:
https://github.com/nodejs/node/commit/e42ff4b0180f4e0f5712364dd6ea015559640152
(v16.x)
+ NOTE: https://github.com/nodejs/llhttp/pull/239
+ NOTE: Fixed by:
https://github.com/nodejs/llhttp/commit/72f53095152740e176438cf7fe68742fe1cb7be8
(v9.0.1)
CVE-2023-30588 (When an invalid public key is used to create an x509
certificate using ...)
{DSA-5589-1}
- nodejs 18.13.0+dfsg1-1.1 (bug #1039990)
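Review bot: the two added NOTE lines cite the same PR #239 and commit 72f5309 (v9.0.1) that the CVE-2025-23167 hunk above adds as its fix, while this entry's existing NOTE already records e42ff4b (v16.x) as the Node.js-side fix; if one llhttp commit is meant to cover both CVEs, say so explicitly (e.g. `NOTE: same llhttp fix as CVE-2025-23167`), otherwise a reader cannot tell which commit is the llhttp fix for the 2023 issue.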
@@ -282283,7 +282287,7 @@ CVE-2022-35256 (The llhttp parser in the http module
in Node v18.7.0 does not co
{DSA-5326-1}
- nodejs 18.10.0+dfsg-1
[buster] - nodejs <not-affected> (llhttp dependency/embedding
introduced in 12.x)
- - llhttp <itp> (bug #977716)
+ - llhttp <not-affected> (Fixed before initial upload to Debian)
NOTE:
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#http-request-smuggling-due-to-incorrect-parsing-of-header-fields-medium-cve-2022-35256
NOTE: https://hackerone.com/reports/1888760
NOTE:
https://github.com/nodejs/node/commit/2e92e5b71d071cb989d8d109d278427041a47e44
(main)
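Review bot: unlike the two hunks above, this status change adds no llhttp-side reference; the only fix pointer left is the Node.js commit 2e92e5b (main), so "Fixed before initial upload to Debian" cannot be verified from the entry. Add a NOTE naming the llhttp commit or release that contains the fix, or the llhttp version that was first uploaded.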
@@ -290661,7 +290665,7 @@ CVE-2022-32215 (The llhttp parser <v14.20.1,
<v16.17.1 and <v18.9.1 in the http
{DSA-5326-1}
- nodejs 18.6.0+dfsg-3
[buster] - nodejs <not-affected> (llhttp dependency/embedding
introduced in 12.x)
- - llhttp <itp> (bug #977716)
+ - llhttp <not-affected> (Fixed before initial upload to Debian)
NOTE:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-incorrect-parsing-of-multi-line-transfer-encoding-medium-cve-2022-32215
NOTE: https://hackerone.com/reports/1630667
NOTE:
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
(v14.x)
@@ -290671,7 +290675,7 @@ CVE-2022-32214 (The llhttp parser <v14.20.1,
<v16.17.1 and <v18.9.1 in the http
{DSA-5326-1}
- nodejs 18.6.0+dfsg-3
[buster] - nodejs <not-affected> (llhttp dependency/embedding
introduced in 12.x)
- - llhttp <itp> (bug #977716)
+ - llhttp <not-affected> (Fixed before initial upload to Debian)
NOTE:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-improper-delimiting-of-header-fields-medium-cve-2022-32214
NOTE: https://hackerone.com/reports/1630669
NOTE:
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
(v14.x)
@@ -290680,7 +290684,7 @@ CVE-2022-32213 (The llhttp parser <v14.20.1,
<v16.17.1 and <v18.9.1 in the http
{DSA-5326-1}
- nodejs 18.6.0+dfsg-3
[buster] - nodejs <not-affected> (llhttp dependency/embedding
introduced in 12.x)
- - llhttp <itp> (bug #977716)
+ - llhttp <not-affected> (Fixed before initial upload to Debian)
NOTE:
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/#http-request-smuggling-flawed-parsing-of-transfer-encoding-medium-cve-2022-32213
NOTE: https://hackerone.com/reports/1630668
NOTE:
https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
(v14.x)
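Review bot: this hunk and the two before it (CVE-2022-32214, CVE-2022-32215) share DSA-5326-1 and the single Node.js commit da0fda0 (v14.x) as their fix, yet none of the three gets an llhttp-side NOTE after the switch to `<not-affected>`; since the same rationale is applied to all three, one NOTE per entry naming the llhttp release that carried the fix would let the claim be verified independently of the copy bundled in nodejs.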
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/1471f18552e965818f2f6ce0c4e93b6316428423
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits