nodejs: CVE-2024-27983 CVE-2024-27982

Related Vulnerabilities: CVE-2024-27983   CVE-2024-27982  

Debian Bug report logs - #1068347

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 3 Apr 2024 21:15:05 UTC

Severity: grave

Tags: security, upstream

Found in version nodejs/18.19.1+dfsg-3

Fixed in version nodejs/18.20.1+dfsg-1

Done: Salvatore Bonaccorso <carnil@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>:
Bug#1068347; Package src:nodejs. (Wed, 03 Apr 2024 21:15:07 GMT).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>. (Wed, 03 Apr 2024 21:15:07 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: nodejs: CVE-2024-27983 CVE-2024-27982
Date: Wed, 3 Apr 2024 23:13:55 +0200
Source: nodejs
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for nodejs.

CVE-2024-27983[0]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/

CVE-2024-27982[1]:
https://nodejs.org/en/blog/vulnerability/april-2024-security-releases/


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27983
    https://www.cve.org/CVERecord?id=CVE-2024-27983
[1] https://security-tracker.debian.org/tracker/CVE-2024-27982
    https://www.cve.org/CVERecord?id=CVE-2024-27982

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 04 Apr 2024 02:24:04 GMT).


Marked as found in versions nodejs/18.19.1+dfsg-3. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 04 Apr 2024 03:51:03 GMT).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>:
Bug#1068347; Package src:nodejs. (Thu, 04 Apr 2024 04:51:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>. (Thu, 04 Apr 2024 04:51:06 GMT).


Message #14 received at 1068347@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 1068347@bugs.debian.org, 1068347-done@bugs.debian.org
Cc: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>, Jérémy Lal <kapouer@melix.org>
Subject: [ftpmaster@ftp-master.debian.org: Accepted nodejs 18.20.1+dfsg-1 (source) into unstable]
Date: Thu, 4 Apr 2024 06:48:42 +0200
Source: nodejs
Source-Version: 18.20.1+dfsg-1

----- Forwarded message from Debian FTP Masters <ftpmaster@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 03 Apr 2024 16:50:38 +0200
Source: nodejs
Architecture: source
Version: 18.20.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapouer@melix.org>
Changes:
 nodejs (18.20.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 18.20.1+dfsg
     + CVE-2024-27983: HTTP/2 server crash (High)
     + CVE-2024-27982: HTTP Request Smuggling (Medium)
   * Breaks libnode108, not 109
   * copyright: remove file
   * Drop build/test_dns_resolveany_bad_ancount.patch, applied

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----




----- End forwarded message -----



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Thu, 04 Apr 2024 04:51:07 GMT).


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 04 Apr 2024 04:51:07 GMT).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 4 11:53:10 2024; Machine Name: buxtehude
