Hi!

On Sat, Sep 15, 2018 at 06:19:29PM +0530, Pirate Praveen wrote:
> Control: fixed -1 5.8.0+ds-1
>
> On Thu, 05 Jan 2017 22:16:38 +0100 Salvatore Bonaccorso
> <car...@debian.org> wrote:
>
> > the following vulnerability was published for npm.
> >
> > CVE-2016-3956[0]:
> > | The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js
> > | 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before
> > | 5.10.0, includes bearer tokens with arbitrary requests, which allows
> > | remote HTTP servers to obtain sensitive information by reading
> > | Authorization headers.
> >
> > No fix has been made for 1.x versions.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> This bug was not noticed while uploading 5.8, so security tracker will
> need a manual update.

Thanks, I have updated the security-tracker information! FTR, we never
update automatically a fixed version.

Regards,
Salvatore
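
The CVE text quoted in this thread describes a client that attaches its bearer token to requests regardless of where they go. As an added example (not part of this thread and not npm's own code), here is one way a client can scope the token to its configured registry origin and re-evaluate it on redirects; the function names, URLs and token value are constructed for illustration.

```javascript
// Added example: all names, URLs and the token are constructed, not taken from npm.

// Build the headers for one outgoing request. The bearer token is attached
// only when the target is HTTPS and has the same origin (scheme + host + port)
// as the configured registry. The WHATWG URL parser lower-cases the host,
// drops default ports and separates userinfo, so lookalike URLs do not match.
function headersFor(requestUrl, registryUrl, token) {
  const headers = { accept: 'application/json' };
  let target;
  try {
    target = new URL(requestUrl);
  } catch (e) {
    return headers; // unparsable target: never send credentials
  }
  const registry = new URL(registryUrl);
  if (target.protocol === 'https:' && target.origin === registry.origin) {
    headers.authorization = 'Bearer ' + token;
  }
  return headers;
}

// On a redirect, resolve the Location value against the current URL and
// recompute the headers for the new target instead of reusing the old ones.
function headersAfterRedirect(currentUrl, location, registryUrl, token) {
  const next = new URL(location, currentUrl).href;
  return { url: next, headers: headersFor(next, registryUrl, token) };
}

// Constructed sample targets, checked against a constructed registry URL.
const REGISTRY = 'https://registry.example.org/';
const SAMPLE_TARGETS = [
  'https://registry.example.org/some-package',        // same origin
  'https://REGISTRY.example.org:443/some-package',    // same origin after normalization
  'https://tarballs.example.net/some-package.tgz',    // different host
  'https://registry.example.org@tarballs.example.net/x', // registry name in userinfo only
  'http://registry.example.org/some-package',         // plaintext downgrade
];

for (const t of SAMPLE_TARGETS) {
  const sent = 'authorization' in headersFor(t, REGISTRY, 'constructed-token');
  console.log((sent ? 'token sent   ' : 'token omitted') + '  ' + t);
}
```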