
[SECURITY] [DLA 3128-1] node-thenify security update



-------------------------------------------------------------------------
Debian LTS Advisory DLA-3128-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Utkarsh Gupta
October 01, 2022                              https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : node-thenify
Version        : 3.3.0-1+deb10u1
CVE ID         : CVE-2020-7677

thenify promisifies a callback-based function using any-promise.
Affected versions of this package are vulnerable to Arbitrary Code
Execution. The name argument provided to the package can be controlled
by users, and it is passed to the eval function without any
sanitization.

For Debian 10 buster, this problem has been fixed in version
3.3.0-1+deb10u1.

We recommend that you upgrade your node-thenify packages.

For the detailed security status of node-thenify please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-thenify

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
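
The root cause described above is a caller-influenced name reaching eval. As an added illustration (not thenify's code and not the Debian patch), the JavaScript below promisifies a callback-style function and carries a name on the wrapper without ever building source text from that name. The helpers isSafeName, promisifyNamed and classifyNames, and the sample inputs, are hypothetical and constructed for this example.

```javascript
// Added illustration; not thenify's source and not the Debian patch.
// Hypothetical helper names: isSafeName, promisifyNamed, classifyNames.

// Allowlist: a plain ASCII JavaScript identifier, bounded in length.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

function isSafeName(name) {
  return typeof name === 'string' && IDENTIFIER.test(name);
}

// Promisify a Node-style callback function and put a name on the wrapper.
// The name is only ever used as a property value, never as source text.
function promisifyNamed(fn, name) {
  if (typeof fn !== 'function') throw new TypeError('fn must be a function');
  let label = '';
  if (name !== undefined) {
    // An explicit name that is not a plain identifier is rejected outright.
    if (!isSafeName(name)) throw new TypeError('name must be a plain identifier');
    label = name;
  } else if (isSafeName(fn.name)) {
    // fn.name is untrusted too (it can be redefined, and bound functions
    // report "bound x"), so it goes through the same allowlist.
    label = fn.name;
  }
  function wrapper(...args) {
    return new Promise((resolve, reject) => {
      fn.call(this, ...args, (err, value) => (err ? reject(err) : resolve(value)));
    });
  }
  // Function#name is a configurable property, so no eval is needed to set it.
  Object.defineProperty(wrapper, 'name', { value: label, configurable: true });
  return wrapper;
}

// Constructed sample inputs.
function readSetting(key, cb) {
  setImmediate(() => cb(null, `value-of-${key}`));
}
const SAMPLE_NAMES = ['readSetting', 'load_v2', 'a b', 'x(){}', 'f;g'];

// Report which candidate names the allowlist accepts.
function classifyNames(names) {
  return names.map((n) => ({ name: n, accepted: isSafeName(n) }));
}

console.log(classifyNames(SAMPLE_NAMES));
promisifyNamed(readSetting, 'readSettingAsync')('tz').then(console.log);
```
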