Your message dated Fri, 21 Jun 2024 16:47:10 +0000
with message-id <e1skhpq-0009qv...@fasolo.debian.org>
and subject line Bug#1054892: fixed in nodejs 18.19.0+dfsg-6~deb12u1
has caused the Debian Bug report #1054892,
regarding nodejs: CVE-2023-39333 CVE-2023-38552
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1054892: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1054892
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: nodejs
Version: 18.13.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-39333[0]:
| Code injection via WebAssembly export names


CVE-2023-38552[1]:
| When the Node.js policy feature checks the integrity of a resource
| against a trusted manifest, the application can intercept the
| operation and return a forged checksum to the node's policy
| implementation, thus effectively disabling the integrity check.
| Impacts: This vulnerability affects all users using the experimental
| policy mechanism in all active release lines: 18.x and 20.x. Please
| note that at the time this CVE was issued, the policy mechanism is
| an experimental feature of Node.js.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39333
    https://www.cve.org/CVERecord?id=CVE-2023-39333
[1] https://security-tracker.debian.org/tracker/CVE-2023-38552
    https://www.cve.org/CVERecord?id=CVE-2023-38552
[2] https://nodejs.org/en/blog/vulnerability/october-2023-security-releases

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: nodejs
Source-Version: 18.19.0+dfsg-6~deb12u1
Done: Jérémy Lal <kapo...@melix.org>

We believe that the bug you reported is fixed in the latest version of
nodejs, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1054...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated nodejs package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 20 Dec 2023 18:07:36 +0100
Source: nodejs
Binary: libnode-dev libnode108 nodejs nodejs-doc
Architecture: source amd64 all
Version: 18.19.0+dfsg-6~deb12u1
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@alioth-lists.debian.net>
Changed-By: Jérémy Lal <kapo...@melix.org>
Description:
 libnode-dev - evented I/O for V8 javascript (development files)
 libnode108 - evented I/O for V8 javascript - runtime library
 nodejs     - evented I/O for V8 javascript - runtime executable
 nodejs-doc - API documentation for Node.js, the javascript platform
Closes: 1031834 1039990 1050739 1054892
Changes:
 nodejs (18.19.0+dfsg-6~deb12u1) bookworm-security; urgency=medium
 .
   * Upstream update.
   * CVE-2023-23918: Permissions policies can be bypassed via
     process.mainModule. Closes: #1031834.
   * CVE-2023-23919: OpenSSL error handling issues in nodejs crypto
     library. Closes: #1031834.
   * CVE-2023-23920: Insecure loading of ICU data through ICU_DATA
     environment variable. Closes: #1031834.
   * CVE-2023-30590: DiffieHellman does not generate keys after setting a
     private key. Closes: #1039990.
   * CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR.
     Closes: #1039990.
   * CVE-2023-30588: Process interruption due to invalid Public Key information
     in x509 certificates. Closes: #1039990.
   * CVE-2023-32559: Permissions policies can be bypassed via process.binding.
     Closes: #1050739.
   * CVE-2023-30581: mainModule.__proto__ bypass experimental policy mechanism.
     Closes: #1039990.
   * CVE-2023-32002: Permissions policies can be bypassed via Module._load.
     Closes: #1050739.
   * CVE-2023-32006: Permissions policies can impersonate other modules in
     using module.constructor.createRequire(). Closes: #1050739.
   * CVE-2023-38552: Integrity checks according to policies can be
     circumvented. Closes: #1054892.
   * CVE-2023-39333: Code injection via WebAssembly export names.
     Closes: #1054892.
Checksums-Sha1:
 5c9ba67d633821d2099506acc6d5db43ee3d5ee5 4359 nodejs_18.19.0+dfsg-6~deb12u1.dsc
 2540b9b84f230689afcbf507a307d46d4ef2a411 269724 nodejs_18.19.0+dfsg.orig-ada.tar.xz
 4cad22f4545483163b468271d06f425b15f1dcf0 267236 nodejs_18.19.0+dfsg.orig-types-node.tar.xz
 c13643047f17105984c02bdd123c4d39beda156b 28794768 nodejs_18.19.0+dfsg.orig.tar.xz
 eea9120dfa45899f40e62516895f69587c24e16f 166408 nodejs_18.19.0+dfsg-6~deb12u1.debian.tar.xz
 c4e6203abd1c8757d1928dbd4a5e337439eb99f9 503364 libnode-dev_18.19.0+dfsg-6~deb12u1_amd64.deb
 17c87755aea49527dc180260184ae75a89fa8080 10548072 libnode108_18.19.0+dfsg-6~deb12u1_amd64.deb
 a0813bea42eeead268ec77db4ad66c167572c27b 3569432 nodejs-doc_18.19.0+dfsg-6~deb12u1_all.deb
 cc1906898782233c5c1ff5010582a1c847ad4dc8 10936 nodejs_18.19.0+dfsg-6~deb12u1_amd64.buildinfo
 62456a9ac9af80aaa8ecf0ca85f93849363e2296 318736 nodejs_18.19.0+dfsg-6~deb12u1_amd64.deb
Checksums-Sha256:
 78bf3883bd7bea2c6495020d9a183769ea33b5d0b32b6babf2550d076b8ffca7 4359 nodejs_18.19.0+dfsg-6~deb12u1.dsc
 0c3caa8771a2bc6ac5d32912d07383dcae8a0cf145ed6f7017cbf6b41478acd2 269724 nodejs_18.19.0+dfsg.orig-ada.tar.xz
 5bd8293f0adfb7bc744e3071bdbd184fd02f973931396ba816ff61514ecd62a9 267236 nodejs_18.19.0+dfsg.orig-types-node.tar.xz
 3bbb4c7e3196be83085b181de90def38b96a5f0d2999d86f00658bc2aa692705 28794768 nodejs_18.19.0+dfsg.orig.tar.xz
 54a8fe0757f3a692869667f406727fa46411f15a42da22e8bda43d4ec72b4940 166408 nodejs_18.19.0+dfsg-6~deb12u1.debian.tar.xz
 da7a5b8ecb2413f7d2e6ce0a81abd628bc3f5ac116faacb91c8ac248c53a9d9b 503364 libnode-dev_18.19.0+dfsg-6~deb12u1_amd64.deb
 164ab232abf375eddbbafdaa953306ae0348bcdeba33ac439e2024008e67ff8e 10548072 libnode108_18.19.0+dfsg-6~deb12u1_amd64.deb
 3e29ef4c58025c8b931d402a8cabfcbd03cac8b817d9321229e9987258c86ded 3569432 nodejs-doc_18.19.0+dfsg-6~deb12u1_all.deb
 c08b75165134f54093fc886ff20398068ddaab2c28e487dd146ea102e5c839b7 10936 nodejs_18.19.0+dfsg-6~deb12u1_amd64.buildinfo
 81dd77001ae1d4019e06bece8a0f6b8a22e97580d13528196f8a89b400cf82c2 318736 nodejs_18.19.0+dfsg-6~deb12u1_amd64.deb
Files:
 8c6544194de9d7c1eae4a2d1513c9cb2 4359 javascript optional nodejs_18.19.0+dfsg-6~deb12u1.dsc
 327a080764e93ab10a593efba5b84fd3 269724 javascript optional nodejs_18.19.0+dfsg.orig-ada.tar.xz
 8cabd2aa436c05f698a17368826a8645 267236 javascript optional nodejs_18.19.0+dfsg.orig-types-node.tar.xz
 945588714462db1adddad53ebee66b3b 28794768 javascript optional nodejs_18.19.0+dfsg.orig.tar.xz
 585e641a77a377147e363aea9ffeedde 166408 javascript optional nodejs_18.19.0+dfsg-6~deb12u1.debian.tar.xz
 05bf88f0e7e2ac1a30e86b8ce00dda21 503364 libdevel optional libnode-dev_18.19.0+dfsg-6~deb12u1_amd64.deb
 d6eb05097fa3de0e6f3de1400a5024e6 10548072 libs optional libnode108_18.19.0+dfsg-6~deb12u1_amd64.deb
 4aa5b543721a9d2e3e4ac0df7a0cd4d1 3569432 doc optional nodejs-doc_18.19.0+dfsg-6~deb12u1_all.deb
 d54db5ff4b251e5e3738a6726cb3bc9f 10936 javascript optional nodejs_18.19.0+dfsg-6~deb12u1_amd64.buildinfo
 d04a8dc597869b7672801fccb2ed6cb2 318736 javascript optional nodejs_18.19.0+dfsg-6~deb12u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel