-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.4910
                       node-thenify security update
                              4 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           node-thenify
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-7677  

Original Bulletin: 
   https://www.debian.org/lts/security/2022/dla-3128

Comment: CVSS (Max):  9.8 CVE-2020-7677 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3128-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
October 01, 2022                              https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : node-thenify
Version        : 3.3.0-1+deb10u1
CVE ID         : CVE-2020-7677

thenify promisifies a callback-based function using any-promise.
Affected versions of this package are vulnerable to Arbitrary Code
Execution. The name argument provided to the package can be controlled
by users, and it is passed to the eval function without any
sanitization.

For Debian 10 buster, this problem has been fixed in version
3.3.0-1+deb10u1.

We recommend that you upgrade your node-thenify packages.

For the detailed security status of node-thenify please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-thenify

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----
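
The pattern described in the DLA-3128-1 text above (a name argument reaching eval), shown beside a form that generates no code at all. This is an added example, not thenify's source and not part of the Debian or AusCERT text; the function names, the identifier allowlist and the sample callback in the usage comment are assumptions.

```javascript
// Added illustration; not thenify's source. All function names are hypothetical.

// Assumed allowlist policy: accept only a plain ASCII JavaScript identifier.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Pattern the advisory describes: `name` is concatenated into source text
// and handed to eval, so whatever the caller puts in `name` is parsed as code.
function promisifyWithEval(name, fn) {
  const src =
    '(function ' + name + '() {\n' +
    '  const args = Array.from(arguments);\n' +
    '  return new Promise((resolve, reject) => {\n' +
    '    fn.call(this, ...args, (err, val) => (err ? reject(err) : resolve(val)));\n' +
    '  });\n' +
    '})';
  return eval(src); // direct eval: `fn` is resolved from this function's scope
}

// Hardened form: the wrapper is an ordinary closure, so `name` is never parsed.
// The display name is attached as data, and only if it passes the allowlist.
function promisifyWithoutEval(name, fn) {
  const wrapper = function (...args) {
    return new Promise((resolve, reject) => {
      fn.call(this, ...args, (err, val) => (err ? reject(err) : resolve(val)));
    });
  };
  const label = typeof name === 'string' && IDENTIFIER.test(name) ? name : '';
  Object.defineProperty(wrapper, 'name', { value: label, configurable: true });
  return wrapper;
}

// Usage with a constructed callback-style function:
//   const readValue = (key, cb) => cb(null, 'value:' + key);
//   promisifyWithoutEval('readValue', readValue)('k').then(console.log);
```

With the closure-based form, a name that is not a plain identifier costs only the wrapper's display name; it never becomes program text.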