Control: fixed -1 5.8.0+ds-1

On Thu, 05 Jan 2017 22:16:38 +0100 Salvatore Bonaccorso <car...@debian.org> wrote:
> the following vulnerability was published for npm.
>
> CVE-2016-3956[0]:
> | The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js
> | 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before
> | 5.10.0, includes bearer tokens with arbitrary requests, which allows
> | remote HTTP servers to obtain sensitive information by reading
> | Authorization headers.
>
> No fix has been made for 1.x versions.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

This bug was not noticed while uploading 5.8, so the security tracker will need a manual update.