diff options
| author | Guilhem Moulin <guilhem@debian.org> | 2022-12-12 15:22:36 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@debian.org> | 2022-12-12 15:22:36 +0100 |
| commit | 189e22544546d06630e4cf4819ba99dbe42f4175 (patch) | |
| tree | 8420437c51b3c88ccbbe8e0a8a50d51cb3ea89f9 | |
| parent | d43d115f21b7dfc2992618a391e3a59179a65b4a (diff) | |
DLA-3237-1
| -rw-r--r-- | english/lts/security/2022/dla-3237.data | 10 | ||||
| -rw-r--r-- | english/lts/security/2022/dla-3237.wml | 49 |
2 files changed, 59 insertions, 0 deletions
diff --git a/english/lts/security/2022/dla-3237.data b/english/lts/security/2022/dla-3237.data new file mode 100644 index 00000000000..ef54cf33286 --- /dev/null +++ b/english/lts/security/2022/dla-3237.data @@ -0,0 +1,10 @@ +<define-tag pagetitle>DLA-3237-1 node-tar</define-tag> +<define-tag report_date>2022-12-12</define-tag> +<define-tag secrefs>CVE-2021-37701 CVE-2021-37712 Bug#993981</define-tag> +<define-tag packages>node-tar</define-tag> +<define-tag isvulnerable>yes</define-tag> +<define-tag fixed>yes</define-tag> +<define-tag fixed-section>no</define-tag> + +#use wml::debian::security + diff --git a/english/lts/security/2022/dla-3237.wml b/english/lts/security/2022/dla-3237.wml new file mode 100644 index 00000000000..70289f867bf --- /dev/null +++ b/english/lts/security/2022/dla-3237.wml @@ -0,0 +1,49 @@ +<define-tag description>LTS security update</define-tag> +<define-tag moreinfo> +<p>Cache poisoning vulnerabilities were found in node-tar, a Node.js module +used to read and write portable tar archives, which may result in +arbitrary file creation or overwrite.</p> + +<ul> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2021-37701">CVE-2021-37701</a> + + <p>It was discovered that node-tar performed insufficient symlink + protection, thereby making directory cache vulnerable to poisoning + using symbolic links.</p> + + <p>Upon extracting an archive containing a directory `foo/bar` followed + with a symbolic link `foo\\bar` to an arbitrary location, node-tar + would extract arbitrary files into the symlink target, thus allowing + arbitrary file creation and overwrite.</p> + + <p>Moreover, on case-insensitive filesystems, a similar issue occurred + with a directory `FOO` followed with a symbolic link `foo`.</p></li> + +<li><a href="https://security-tracker.debian.org/tracker/CVE-2021-37712">CVE-2021-37712</a> + + <p>Similar to <a href="https://security-tracker.debian.org/tracker/CVE-2021-37701">CVE-2021-37701</a>, a specially crafted tar archive + containing two directories and a symlink with names containing + unicode values that normalized to the same value, would bypass + node-tar's symlink checks on directories, thus allowing arbitrary + file creation and overwrite.</p></li> + +</ul> + +<p>For Debian 10 buster, these problems have been fixed in version +4.4.6+ds1-3+deb10u2.</p> + +<p>We recommend that you upgrade your node-tar packages.</p> + +<p>For the detailed security status of node-tar please refer to +its security tracker page at: +<a href="https://security-tracker.debian.org/tracker/node-tar">https://security-tracker.debian.org/tracker/node-tar</a></p> + +<p>Further information about Debian LTS security advisories, how to apply +these updates to your system and frequently asked questions can be +found at: <a href="https://wiki.debian.org/LTS">https://wiki.debian.org/LTS</a></p> +</define-tag> + +# do not modify the following line +#include "$(ENGLISHDIR)/lts/security/2022/dla-3237.data" +# $Id: $ |