Your message dated Sun, 10 Jan 2021 00:20:03 +0000
with message-id <e1kyosh-0004wx...@fasolo.debian.org>
and subject line Bug#979364: fixed in nodejs 12.20.1~dfsg-1
has caused the Debian Bug report #979364,
regarding nodejs: CVE-2020-8265 CVE-2020-8287
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
979364: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=979364
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nodejs
Version: 12.19.0~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 10.21.0~dfsg-1~deb10u1
Control: found -1 14.13.0~dfsg-1
Hi,
The following vulnerabilities were published for nodejs.
CVE-2020-8265[0]:
| nodejs: use-after-free in TLSWrap
CVE-2020-8287[1]:
| nodejs: HTTP Request Smuggling
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-8265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8265
[1] https://security-tracker.debian.org/tracker/CVE-2020-8287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 12.20.1~dfsg-1
Done: Jérémy Lal <kapo...@melix.org>
We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 979...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated nodejs package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Jan 2021 00:02:53 +0100
Source: nodejs
Binary: libnode-dev libnode72 libnode72-dbgsym nodejs nodejs-dbgsym nodejs-doc
Architecture: source ppc64el all
Version: 12.20.1~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapo...@melix.org>
Description:
libnode-dev - evented I/O for V8 javascript (development files)
libnode72 - evented I/O for V8 javascript - runtime library
nodejs - evented I/O for V8 javascript - runtime executable
nodejs-doc - API documentation for Node.js, the javascript platform
Closes: 979364
Changes:
nodejs (12.20.1~dfsg-1) unstable; urgency=medium
.
* New upstream version 12.20.1~dfsg. Closes: #979364.
Fixed vulnerabilities:
+ CVE-2020-8265: use-after-free in TLSWrap (High)
+ CVE-2020-8287: HTTP Request Smuggling (Low)
* Patch to always use pure javascript cjs lexer instead
of wasm files that can't be generated with currently
available packages.
* copyright: cjs-module-lexer is expat
* copyright: exclude cjs-module-lexer unbuildable files
* copyright: fix some copyright years
* lintian-overrides: false positive for a unicode regexp
* copyright: shjs is no longer used
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---