===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6316
                        node-fetch security update
                              5 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           node-fetch
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0235

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html

Comment: CVSS (Max):  6.1 CVE-2022-0235 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian LTS Advisory DLA-3222-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 05, 2022                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-fetch
Version        : 1.7.3-1+deb10u1
CVE ID         : CVE-2022-0235

ranjit-git discovered an information leak vulnerability in node-fetch, a
Node.js module exposing a window.fetch compatible API on Node.js
runtime: the module was not honoring the same-origin-policy and upon
following a redirect would leak cookies to the target URL.

For Debian 10 buster, this problem has been fixed in version
1.7.3-1+deb10u1.

We recommend that you upgrade your node-fetch packages.

For the detailed security status of node-fetch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-fetch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
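
The redirect behaviour the advisory describes, as an added example that is not node-fetch's code or its patch: a helper drops credential headers when a redirect leaves the origin, and an offline trace over a constructed redirect chain shows which hop receives the cookie with and without that check. The function names, the list of credential headers and the example.* URLs are assumptions of this example.

```javascript
// Added example: helper names, header list and example.* URLs are assumptions.
const CREDENTIAL_HEADERS = new Set(['cookie', 'authorization', 'proxy-authorization']);

// Headers to send to a redirect target. Credential headers survive only when
// the target has the same origin (scheme, host and port) as the current URL.
function headersForRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  const sameOrigin = from.origin === to.origin;
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (sameOrigin || !CREDENTIAL_HEADERS.has(name.toLowerCase())) kept[name] = value;
  }
  return { url: to.href, headers: kept };
}

// Walk a constructed redirect chain offline. `responses` maps a URL to the
// Location header it answers with (absent = final response). Returns, per hop,
// the URL requested and the headers it would receive.
function traceRedirects(startUrl, headers, responses, { stripCrossOrigin = true, maxHops = 5 } = {}) {
  const trace = [];
  let url = startUrl;
  let current = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    trace.push({ url, headers: current });
    const location = responses[url];
    if (!location) return trace;
    if (stripCrossOrigin) {
      ({ url, headers: current } = headersForRedirect(url, location, current));
    } else {
      // Behaviour the advisory describes: headers forwarded unchanged.
      url = new URL(location, url).href;
    }
  }
  throw new Error('too many redirects');
}

// Constructed sample: one same-origin hop, then a hop to another origin.
const SAMPLE_CHAIN = {
  'https://app.example/start': '/next',
  'https://app.example/next': 'https://other.example/landing',
};
const SAMPLE_HEADERS = { Cookie: 'session=constructed-value', Accept: 'text/html' };

for (const stripCrossOrigin of [false, true]) {
  const hops = traceRedirects('https://app.example/start', SAMPLE_HEADERS, SAMPLE_CHAIN, { stripCrossOrigin });
  for (const h of hops) console.log(stripCrossOrigin, h.url, 'Cookie' in h.headers);
}
```

Scheme and port are part of the origin, so an https-to-http redirect on the same host also drops the credential headers in this example.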