Your message dated Sun, 28 Apr 2024 20:57:07 +0200
with message-id <zi6ca9z-jtbm6...@eldamar.lan>
and subject line Re: Accepted node-ip 2.0.1+~1.1.3-1 (source) into unstable
has caused the Debian Bug report #1063535,
regarding node-ip: CVE-2023-42282
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1063535: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1063535
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2023-42282[0]:
| An issue in NPM IP Package v.1.1.8 and before allows an attacker to
| execute arbitrary code and obtain sensitive information via the
| isPublic() function.

It seems upstream has been unresponsive to the reports:
https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-42282
    https://www.cve.org/CVERecord?id=CVE-2023-42282

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: node-ip
Source-Version: 2.0.1+~1.1.3-1

On Sun, Apr 28, 2024 at 02:40:08PM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sun, 28 Apr 2024 17:44:01 +0400
> Source: node-ip
> Architecture: source
> Version: 2.0.1+~1.1.3-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
> Changed-By: Yadd <y...@debian.org>
> Changes:
>  node-ip (2.0.1+~1.1.3-1) unstable; urgency=medium
>  .
>    * Team upload
>    * Declare compliance with policy 4.7.0
>    * New upstream version (Closes: CVE-2023-42282)
>    * Unfuzz patches
> 

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
