-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.6316
                        node-fetch security update
                              5 December 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           node-fetch
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0235  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html

Comment: CVSS (Max):  6.1 CVE-2022-0235 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3222-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                       Guilhem Moulin
December 05, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : node-fetch
Version        : 1.7.3-1+deb10u1
CVE ID         : CVE-2022-0235

ranjit-git discovered an information leak vulnerability in node-fetch, a
Node.js module exposing a window.fetch compatible API on Node.js
runtime: the module was not honoring the same-origin-policy and upon
following a redirect would leak cookies to the target URL.

For Debian 10 buster, this problem has been fixed in version
1.7.3-1+deb10u1.

We recommend that you upgrade your node-fetch packages.

For the detailed security status of node-fetch please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-fetch

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


- --------------------------END INCLUDED TEXT--------------------
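The redirect behaviour described in the advisory can be guarded against in client code. The following is an added example, not code from node-fetch, Debian or AusCERT: a hypothetical helper `headersForRedirect` that decides which request headers may accompany a followed redirect. The header list, the strict origin comparison (scheme, host and port) and the example.* URLs are assumptions made for illustration.

```javascript
// Headers that carry credentials and should not follow a request to another
// origin. This list is an assumption made for the example.
const CREDENTIAL_HEADERS = new Set([
  'cookie', 'cookie2', 'authorization', 'proxy-authorization',
]);

// Hypothetical helper: resolve the Location value against the URL that was
// just requested and return the headers that are safe to send to the target.
function headersForRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from);           // Location may be relative
  const sameOrigin = from.origin === to.origin; // scheme + host + port
  const kept = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    // Header names are case-insensitive, so compare in lower case.
    if (!sameOrigin && CREDENTIAL_HEADERS.has(name.toLowerCase())) {
      dropped.push(name);
    } else {
      kept[name] = value;
    }
  }
  return { url: to.href, sameOrigin, headers: kept, dropped };
}

// Constructed sample input: a session cookie plus a harmless header.
const sampleHeaders = {
  Cookie: 'session=constructed-value',
  Accept: 'application/json',
};

// Three redirects from the same starting URL: a relative path (same origin),
// a different host, and a scheme downgrade on the same host.
function demo() {
  const start = 'https://app.example/login';
  return [
    headersForRedirect(start, '/home', sampleHeaders),
    headersForRedirect(start, 'https://other.example/collect', sampleHeaders),
    headersForRedirect(start, 'http://app.example/home', sampleHeaders),
  ];
}

for (const r of demo()) {
  console.log(r.url, 'sameOrigin:', r.sameOrigin, 'dropped:', r.dropped);
}
```

Callers that cannot upgrade immediately can apply a check like this by handling redirects themselves instead of letting the HTTP client follow them automatically.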

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================