[Pkg-javascript-devel] Bug#773623: nodejs: CVE-2014-7192
Michael Gilbert
mgilbert at debian.org
Sun Dec 21 17:43:54 UTC 2014
On Sun, Dec 21, 2014 at 5:31 AM, Jérémy Lal wrote:
> On Saturday 20 December 2014 at 22:07 -0500, Michael Gilbert wrote:
>> package: src:nodejs
>> CVE-2014-7192[0],[1]:
>> | Eval injection vulnerability in index.js in the syntax-error package
>> | before 1.1.1 for Node.js 0.10.x, as used in IBM Rational Application
>> | Developer and other products, allows remote attackers to execute
>> | arbitrary code via a crafted file.
>
> This doesn't affect nodejs, but the "syntax-error" module, a dependency
> of browserify - both not packaged in Debian.
>
> Cannot reassign, then. Maybe close?
The advisories seem to indicate that the origin of the flaw lies
within nodejs, not the libraries using it. That may be right or
wrong, but it should be checked.
Best wishes,
Mike