Your message dated Sun, 18 Feb 2024 18:07:32 +0000
with message-id <e1rblzc-008fdl...@fasolo.debian.org>
and subject line Bug#1064055: fixed in nodejs 18.19.1+dfsg-1
has caused the Debian Bug report #1064055,
regarding nodejs: CVE-2023-46809 CVE-2024-22019 CVE-2024-21892
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064055: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064055
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nodejs
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-46809[0]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#nodejs-is-vulnerable-to-the-marvin-attack-timing-variant-of-the-bleichenbacher-attack-against-pkcs1-v15-padding-cve-2023-46809---medium

CVE-2024-22019[1]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#reading-unprocessed-http-request-with-unbounded-chunk-extension-allows-dos-attacks-cve-2024-22019---high

CVE-2024-21892[2]:
https://nodejs.org/en/blog/vulnerability/february-2024-security-releases/#code-injection-and-privilege-escalation-through-linux-capabilities-cve-2024-21892---high

There are some other issues, but they only affect the version in experimental.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46809
    https://www.cve.org/CVERecord?id=CVE-2023-46809
[1] https://security-tracker.debian.org/tracker/CVE-2024-22019
    https://www.cve.org/CVERecord?id=CVE-2024-22019
[2] https://security-tracker.debian.org/tracker/CVE-2024-21892
    https://www.cve.org/CVERecord?id=CVE-2024-21892

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 18.19.1+dfsg-1
Done: Jérémy Lal <kapo...@melix.org>

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 18 Feb 2024 18:12:23 +0100
Source: nodejs
Architecture: source
Version: 18.19.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapo...@melix.org>
Closes: 1059168 1064055
Changes:
 nodejs (18.19.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 18.19.1. Closes: 1064055.
     + CVE-2024-21892 (High)
       Code injection and privilege escalation through Linux capabilities
     + CVE-2024-22019 (High)
       Reading unprocessed HTTP request with unbounded chunk
       extension allows DoS attacks
     + CVE-2023-46809 (Medium)
       Marvin Attack vulnerability against PKCS#1 v1.5 padding
   * new architecture: loong64, thanks to Shi Pujin
   * patch:
     + let loong64 have some failing tests
     + more doc for localhost-no-addrconfig
     + allow test-debugger-heap-profiler to fail. Closes: #1059168
     + disable zlib embedding in v8, disable snapshot compression
   * override lintian source warning for zlib brotli test string
   * fix bootstrapping of nodejs package:
     + update README.source
     + nodoc: disable bash completion output
     + patch: disable shared builtins when flag
       node-builtin-modules-path is used
   * include permission headers in libnode-dev
   * B-D pkg-config becomes pkgconf
Checksums-Sha1:
 0d0de63a10ea082a473f677af1b9a6be2b066337 4356 nodejs_18.19.1+dfsg-1.dsc
 2540b9b84f230689afcbf507a307d46d4ef2a411 269724 nodejs_18.19.1+dfsg.orig-ada.tar.xz
 4cad22f4545483163b468271d06f425b15f1dcf0 267236 nodejs_18.19.1+dfsg.orig-types-node.tar.xz
 c2d954a215b417e858e4750e687ef180333790a9 28802788 nodejs_18.19.1+dfsg.orig.tar.xz
 2f4699c23c652a71ae581b2b187756cb5c1fbd8b 163300 nodejs_18.19.1+dfsg-1.debian.tar.xz
 3451db4d91e2c65cf28d19c0f87495368ea19621 10959 nodejs_18.19.1+dfsg-1_source.buildinfo
Checksums-Sha256:
 7c5c6b0b6916f1be0abd263ba06fbfa5328dd4d5a4760bd20e1c6ba9b9daf481 4356 nodejs_18.19.1+dfsg-1.dsc
 0c3caa8771a2bc6ac5d32912d07383dcae8a0cf145ed6f7017cbf6b41478acd2 269724 nodejs_18.19.1+dfsg.orig-ada.tar.xz
 5bd8293f0adfb7bc744e3071bdbd184fd02f973931396ba816ff61514ecd62a9 267236 nodejs_18.19.1+dfsg.orig-types-node.tar.xz
 85e2a8604269306984d0c7cc3cdc028dc654d9a60c42a0e059e0104430732c61 28802788 nodejs_18.19.1+dfsg.orig.tar.xz
 fefe4bf79bb4b41e12907e2714d868a660df900a56453f48f60927ee189c6b13 163300 nodejs_18.19.1+dfsg-1.debian.tar.xz
 0720d16be5186b44d49515226ed9bfc92471bfeb0d48b5bc525d2aaf6d0cd197 10959 nodejs_18.19.1+dfsg-1_source.buildinfo
Files:
 37afa2914e24e18a5282cb08d8b6ebe9 4356 javascript optional nodejs_18.19.1+dfsg-1.dsc
 327a080764e93ab10a593efba5b84fd3 269724 javascript optional nodejs_18.19.1+dfsg.orig-ada.tar.xz
 8cabd2aa436c05f698a17368826a8645 267236 javascript optional nodejs_18.19.1+dfsg.orig-types-node.tar.xz
 275b47ffe6863d3d98cda579aacea9ca 28802788 javascript optional nodejs_18.19.1+dfsg.orig.tar.xz
 9da9e0d945e8f74fad9bd4c29a9268a3 163300 javascript optional nodejs_18.19.1+dfsg-1.debian.tar.xz
 0c1e17b2f5b5d3df67a160bacd739fea 10959 javascript optional nodejs_18.19.1+dfsg-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgpHeEMHVHRlx.pgp
Description: PGP signature


--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel