Bug#990561: libuv1: CVE-2021-22918

Moritz Mühlenhoff

Jul 2, 2021, 4:50:02 AM
Source: libuv1
X-Debbugs-CC: te...@security.debian.org
Severity: grave
Tags: security

Hi,
the latest nodejs security release included an issue in libuv:
https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/

The patch hasn't landed in libuv.git, but here's the patch as applied
by nodejs:
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-22918
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22918

Please adjust the affected versions in the BTS as needed.

Dominique Dumont

Jul 4, 2021, 3:50:03 AM
On Friday, 2 July 2021 10:36:18 CEST you wrote:
> The patch hasn't landed in libuv.git, but here's the patch as applied
> by nodejs:
> https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829

This patch modifies a file that was introduced in version 1.24.

So I guess that buster and backport are also vulnerable.

I will upload a new package to unstable soon.

All the best.

Debian Bug Tracking System

Jul 4, 2021, 4:30:03 AM
Your message dated Sun, 04 Jul 2021 08:16:49 +0000
with message-id <E1lzxJ3-...@fasolo.debian.org>
and subject line Bug#990561: fixed in libuv1 1.40.0-2
has caused the Debian Bug report #990561,
regarding libuv1: CVE-2021-22918
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


--
990561: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

Debian Bug Tracking System

Jul 6, 2021, 2:40:03 PM
Your message dated Tue, 06 Jul 2021 18:32:07 +0000
with message-id <E1m0prb-...@fasolo.debian.org>
and subject line Bug#990561: fixed in libuv1 1.24.1-1+deb10u1