-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4910
                        node-thenify security update
                               4 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           node-thenify
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7677

Original Bulletin:
   https://www.debian.org/lts/security/2022/dla-3128

Comment: CVSS (Max):  9.8 CVE-2020-7677 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3128-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
October 01, 2022                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : node-thenify
Version        : 3.3.0-1+deb10u1
CVE ID         : CVE-2020-7677

thenify promisifies callback-based functions using any-promise. Affected
versions of this package are vulnerable to arbitrary code execution: the
name argument provided to the package can be controlled by users and is
passed to the eval function without any sanitization.

For Debian 10 buster, this problem has been fixed in version
3.3.0-1+deb10u1.

We recommend that you upgrade your node-thenify packages.
For the detailed security status of node-thenify please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-thenify

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAmM3c5kACgkQgj6WdgbD
S5YWGBAAh9lS8RZFRQoQTkfQtJlljYURsJPRoiSrUrtFYu9rq7TeBUxDfk16AmFN
6LV5hPT8780sHso+k9ZXjGPL+mdUDkyXZP9uV32fwzR+7V7M8cbLKHnWY9Kpmxkr
pRupCDdwWr3JmBl0+xM+8oodX58PwMjZiQPq2wVt1EgX9FCU4GrlA3yD02zG8c6V
ct/BQTSV9LXLboiaR7Rp4di7oAI7X/S64MhRO2nUmtAhJ0KN1DKzDJJ0X+iZbfVO
LtOeThXU9JGOrrQwaUhB19Jwxf9sQZYli7irae/2Mu3gkcuLnv412Sh6cw90YusI
yt6U/95DpneWBkMyzAC4EIvlbsx7S3F1X9GcamHyqESbZ6XU0txfWrTeL2/moMHW
+yn5SA0EP4fQinWU6Pzs8waJ88OQa0CdCVEGjhHGV+2J8OmNpbbTOdZr3Sxtu+20
sYPcgaAEWw+g7Oqj8uKOcxGq0VA1ZoEE3H7uuU9DSmVnxKqtgYOePFYuQDiluItl
u9rHHMqHFo1QZXUz6IjcIAA47M1kpxig4uj557ZICPtEMwdPFhSgaJVjFPmfosB5
Zm3kzkUiQvmeGOnomfV/8hXmIr3aMT3A2pL95A/gr4gCgR0SzQImafO1oEN+0dVH
dNV0kkH7HmscRFaiZFQu0F/1qQeSICVLg7iQFdA2K+2f77HvbeI=
=9l/0
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/

iQIVAwUBYzuiAskNZI30y1K9AQjEfg/9G4l3DyoGEtTf2ejBpfUMtY8Mbj1mTu1V
Z1fusn9u1NBYyUCcv+8WSqzgzFSwz4FpHkGxIA647pqxUWaQn5rScshVN/nuh2dH
v6377pS9fQ3VB4whApShYqvVa6r8skY/9LmBOw/pcIT2WAVG2d6+4URu2b4hZekd
ZQCpVP9jGpOLV2xFHzhhEvBMdtvdtk3o+NqknWuIN3ZiBTwNc/2tqSqrHn6GviaT
19W6l/mRtP618mIc7t9Evd2pxoxTE3qEZjRI6uvzF+KrFr2Y/XWpzd7Bako0N3Dv
bieHucGuEJL/coDU+shgRSuCLrK5b/PhiOkyKEzvc9XZvH3L8UzWPEgDJYF0CnpH
0cEpOhrGYqwy4hM5feDp4Yuzg7GjtzC1Oi3IoSwabB9mofKF+UcK7nVv95U9enSp
qc7tyFA09iDNeziGUXkGCK+osVQnCBinOE6Kx3fF+WT6nGddEzqzKuuDBB4du9RD
qfMuQGWPjpZjBt99XENrZSfTj50Y34QUPYtKAWL26o6gSiUe5csB7NeweV+1qrte
wUDNCaDuqxxPF89b393XJRS4rI3O7jQTAZ4fmI3853EZydUzT3dKrwfqEcSNTXru
XtIa0b28ScI/QvJSyGlDfcyg/V1B5PAq+tWllLYF/B/x01IbLcXjgUYFzmpLxqp/
mQOZV1Oc9o0=
=MJ51
-----END PGP SIGNATURE-----
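The Debian advisory above describes the bug class only in one sentence: a function name that the caller controls is spliced into source text and handed to eval. The following is an added illustration written for this page; it is not thenify's code, not Debian's, and not the upstream fix. It models a minimal promisify helper of the kind described, shows how a crafted `name` turns it into arbitrary code execution, and puts a version beside it that never generates source. The payload string, the `promisifyUnsafe` / `promisifySafe` names and the `globalThis.pwned` marker are all constructed for the demonstration.

```javascript
'use strict';
// Added illustration of the bug class in DLA-3128-1 (CVE-2020-7677): a
// promisify helper that builds JavaScript source from a function's `name`
// and passes it to eval(). Simplified model written for this page, not
// thenify's own code; function and payload names are assumptions.

// Constructed attacker input. A function's `name` is a configurable
// property, so any code path that lets a caller pick the name (or that
// wraps functions supplied by untrusted code) feeds attacker text into the
// library. The payload closes the generated function expression with the
// comma operator, runs a statement, then reopens a function so that the
// assembled source still parses.
const PAYLOAD = 'a() {}, (globalThis.pwned = true), function b';

function makeCallbackFn(name) {
  function fn(cb) { cb(null, 'ok'); }
  Object.defineProperty(fn, 'name', { value: name, configurable: true });
  return fn;
}

// VULNERABLE: source text is assembled from fn.name and eval()'d so that
// the wrapper keeps the original name. fn.name is interpolated unescaped.
function promisifyUnsafe(fn) {
  const src =
    '(function ' + fn.name + '() {\n' +
    '  var args = Array.prototype.slice.call(arguments);\n' +
    '  return new Promise(function (resolve, reject) {\n' +
    '    args.push(function (err, res) { if (err) reject(err); else resolve(res); });\n' +
    '    fn.apply(null, args);\n' +
    '  });\n' +
    '})';
  return eval(src); // direct eval: runs with access to this scope, including fn
}

// HARDENED: build the wrapper as real code and carry the name over as data.
// No source text is generated, so there is nothing for the name to inject into.
function promisifySafe(fn) {
  if (typeof fn !== 'function') throw new TypeError('fn must be a function');
  function wrapper(...args) {
    return new Promise((resolve, reject) => {
      args.push((err, res) => (err ? reject(err) : resolve(res)));
      fn.apply(this, args);
    });
  }
  Object.defineProperty(wrapper, 'name', { value: fn.name, configurable: true });
  return wrapper;
}

// Run one variant against the payload and report whether the injected
// statement executed (globalThis.pwned set) and which name the wrapper got.
function demo(promisify) {
  delete globalThis.pwned;
  const wrapped = promisify(makeCallbackFn(PAYLOAD));
  return { pwned: globalThis.pwned === true, name: wrapped.name };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe:', demo(promisifyUnsafe)); // { pwned: true, name: 'b' }
  console.log('safe:  ', demo(promisifySafe));   // { pwned: false, name: PAYLOAD }
  promisifySafe(makeCallbackFn('ok'))().then((v) => console.log('safe wrapper resolves:', v));
}
```

The unsafe variant executes the attacker's statement at wrap time, before the promisified function is ever called, and the returned wrapper is whatever function the payload ended with. The hardened variant preserves the observable behaviour (the wrapper resolves with the callback result and carries the original name) without `eval` or `new Function`. If a code base genuinely has to generate source from an identifier, the minimum check is an allowlist such as `/^[A-Za-z_$][\w$]*$/` applied before interpolation; rejecting anything that is not a plain identifier is the check, not escaping. On a Debian 10 host the advisory's remedy is the package upgrade; in application trees, `npm ls thenify` shows whether the module is present as a transitive dependency.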