passportjs: CVE-2022-25896 - regenerates stale session on user login

Related Vulnerabilities: CVE-2022-25896

Debian Bug report logs - #1014385

Reported by: Neil Williams <codehelp@debian.org>

Date: Tue, 5 Jul 2022 09:00:01 UTC

Severity: important

Tags: security

Found in version passportjs/0.5.2+~1.0.0-1

Fixed in version passportjs/0.6.0+~1.0.0-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, codehelp@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1014385; Package src:passportjs. (Tue, 05 Jul 2022 09:00:04 GMT)


Acknowledgement sent to Neil Williams <codehelp@debian.org>:
New Bug report received and forwarded. Copy sent to codehelp@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 05 Jul 2022 09:00:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Neil Williams <codehelp@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: passportjs: CVE-2022-25896 - regenerates stale session on user login
Date: Tue, 05 Jul 2022 09:57:56 +0100
Source: passportjs
Version: 0.5.2+~1.0.0-1
Severity: important
Tags: security
X-Debbugs-Cc: codehelp@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for passportjs.

CVE-2022-25896[0]:
| This affects the package passport before 0.6.0. When a user logs in or
| logs out, the session is regenerated instead of being closed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25896
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25896

Please adjust the affected versions in the BTS as needed.



-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.17.0-2-amd64 (SMP w/6 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Tue, 05 Jul 2022 12:51:06 GMT)


Notification sent to Neil Williams <codehelp@debian.org>:
Bug acknowledged by developer. (Tue, 05 Jul 2022 12:51:06 GMT)


Message #10 received at 1014385-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1014385-close@bugs.debian.org
Subject: Bug#1014385: fixed in passportjs 0.6.0+~1.0.0-1
Date: Tue, 05 Jul 2022 12:49:42 +0000
Source: passportjs
Source-Version: 0.6.0+~1.0.0-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
passportjs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated passportjs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 05 Jul 2022 11:48:28 +0200
Source: passportjs
Architecture: source
Version: 0.6.0+~1.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1014385
Changes:
 passportjs (0.6.0+~1.0.0-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.6.1
   * Add dependency to node-utils-merge
   * New upstream version 0.6.0+~1.0.0 (Closes: #1014385, CVE-2022-25896)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Tue Jul 5 13:15:19 2022; Machine Name: buxtehude
