Your message dated Wed, 22 Nov 2023 19:06:39 +0000 with message-id <e1r5syz-002wpn...@fasolo.debian.org> and subject line Bug#1039990: fixed in nodejs 18.13.0+dfsg1-1.1 has caused the Debian Bug report #1039990, regarding nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1039990: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039990 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: nodejs Version: 18.13.0+dfsg1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org> Hi, The following vulnerabilities were published for nodejs. CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and CVE-2023-30590[3]. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2023-30581 https://www.cve.org/CVERecord?id=CVE-2023-30581 [1] https://security-tracker.debian.org/tracker/CVE-2023-30588 https://www.cve.org/CVERecord?id=CVE-2023-30588 [2] https://security-tracker.debian.org/tracker/CVE-2023-30589 https://www.cve.org/CVERecord?id=CVE-2023-30589 [3] https://security-tracker.debian.org/tracker/CVE-2023-30590 https://www.cve.org/CVERecord?id=CVE-2023-30590 [4] https://nodejs.org/en/blog/vulnerability/june-2023-security-releases Please adjust the affected versions in the BTS as needed. Regards, Salvatore -- System Information: Debian Release: trixie/sid APT prefers unstable APT policy: (500, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.3.0-1-amd64 (SMP w/8 CPU threads; PREEMPT) Kernel taint flags: TAINT_WARN Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---Source: nodejs Source-Version: 18.13.0+dfsg1-1.1 Done: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> We believe that the bug you reported is fixed in the latest version of nodejs, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1039...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Sebastian Andrzej Siewior <sebast...@breakpoint.cc> (supplier of updated nodejs package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 22 Nov 2023 18:15:44 +0100 Source: nodejs Architecture: source Version: 18.13.0+dfsg1-1.1 Distribution: unstable Urgency: medium Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net> Changed-By: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Closes: 1031834 1039990 1050739 1052470 1054892 1055416 Changes: nodejs (18.13.0+dfsg1-1.1) unstable; urgency=medium . * Non-maintainer upload. * Adapt testsuite failures in test-crypto-dh since OpenSSL 3.0.12/3.1.4 (Closes: #1055416). * Adapt testsuite failures due TLSv < 1.1 available only at seclevel 0 (Closes: #1052470). * CVE-2023-23919 (Node.js OpenSSL error handling issues in nodejs crypto library). (Closes: #1031834). * CVE-2023-23920 (Node.js insecure loading of ICU data through ICU_DATA environment variable) (Closes: #1031834). * CVE-2023-30590 (DiffieHellman do not generate keys after setting a private key) (Closes: #1039990). * CVE-2023-30589 (HTTP Request Smuggling via Empty headers separated by CR) (Closes: #1039990). * CVE-2023-30588 (Process interuption due to invalid Public Key information in x509 certificates) (Closes: #1039990). * CVE-2023-32559 (Permissions policies can be bypassed via process.binding) (Closes: #1050739). * CVE-2023-30581 (mainModule.proto bypass experimental policy mechanism) (Closes: #1039990). * CVE-2023-32002 (Permissions policies can be bypassed via Module._load) (Closes: #1050739). * CVE-2023-32006 (Permissions policies can impersonate other modules in using module.constructor.createRequire()) (Closes: #1050739). * CVE-2023-38552 (Integrity checks according to policies can be circumvented) (Closes: #1054892). * CVE-2023-39333 (Code injection via WebAssembly export names) (Closes: #1054892). Checksums-Sha1: dcaebed33f6dcc4676e2de5744eedd113a8b896f 3893 nodejs_18.13.0+dfsg1-1.1.dsc 40afec3b105abf5f5103060af70a3b92c4fe3133 193396 nodejs_18.13.0+dfsg1-1.1.debian.tar.xz Checksums-Sha256: 28f1b461b19098a6c8a7918fa1e233350160c429dcfd5d5859d9e510948048c2 3893 nodejs_18.13.0+dfsg1-1.1.dsc 3bef0de67aa1831dc43fdda99f314cdb7b13361d3d3b34a88dd5df8b6e3cf23d 193396 nodejs_18.13.0+dfsg1-1.1.debian.tar.xz Files: 7e942e84e0e8b3acebaa5ea6ca48aa49 3893 javascript optional nodejs_18.13.0+dfsg1-1.1.dsc 2a6f98d11292e933c2d0f2fc486ce3b1 193396 javascript optional nodejs_18.13.0+dfsg1-1.1.debian.tar.xz -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEEV4kucFIzBRM39v3RBWQfF1cS+lsFAmVeThAACgkQBWQfF1cS +luFTAv/X+K/+6VVXsEJfu17fR8JCt2wwc55rQ/Za6rCIDpgWgIvwrxeMHdNTr0f TmK5eEIhjZ2kL4y2CNhuBt2Hdmpa526RGdTmfgDxVop7VGFTamr9o3NQvrx6EaO3 AJhVRG6VGvVpPXBeVAdraXQWaTj+oda1idZf7Aw5/VdT3h+n4/do7XQtQJBlJFvG TQSUq7PtGi3qJ9Pje1P0JQcIPPONsgqG18JHXlBPvWkoyah91YdGcsTyxTX1k241 l1Vb83HLSUU24xxk58oGJ7NAX82BDHGGxhgpDSm17sjlqjNtRdjPaUqAi+lyVohg l1GppruqQYk80iG6Fgo1x5ew/XsTe+ger2kypJhcTIGwB6PlhTif/6J/ukwvln0p F+I8Gd3ftj+U9CrfUDQfvh65k1wIJYVlb/97RQDZZNHZWQRlTc8QL++68aWImc7g nSJ5DSSlLQHWb7z0+oQN4B4iQukAGo2iRoMlTbZYwedAEihClslofbAU2CGZCd44 eNLNnOX/ =7nMl -----END PGP SIGNATURE-----
--- End Message ---
-- Pkg-javascript-devel mailing list Pkg-javascript-devel@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
