CVE-2020-15095: Versions of the CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files. Maintainer, please let us know if our versions are vulnerable and if so please bump.
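The mitigation class the report implies, as an added example and not npm's code or its actual fix: redact the password component of a URL in the form quoted above before it reaches stdout or a log file. It assumes only Node's built-in WHATWG URL parser; the scp-like host:path fallback regex and the sample log line are constructed for illustration.

```javascript
// Added example (not npm's code): strip the password from
// <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path> URLs
// before they are written to stdout or a log file.
const REDACTED = '***';

// Redact the password component of a single URL string.
function redactUrlPassword(input) {
  // Normal case: the WHATWG parser (global URL in Node) handles a standard
  // authority section and rebuilds the URL with the password replaced.
  try {
    const u = new URL(input);
    if (u.password !== '') {
      u.password = REDACTED;
      return u.toString();
    }
    return input;
  } catch (e) {
    // Not a valid WHATWG URL; fall through to the regex path below.
  }
  // Fallback (constructed, not from the report) for the scp-like
  // "<hostname>:<path>" form, which the WHATWG parser rejects because the
  // text after the host colon is not a numeric port.
  return input.replace(
    /^([a-z][a-z0-9+.\-]*:\/\/[^:@\/]+:)[^@\/]*@/i,
    `$1${REDACTED}@`
  );
}

// Apply the redaction to every URL-like token in a free-form log line, so a
// logger can wrap its sink once instead of auditing every call site.
function redactUrlsInText(text) {
  return text.replace(/[a-z][a-z0-9+.\-]*:\/\/\S+/gi, (m) => redactUrlPassword(m));
}

// Constructed sample line, not taken from any real log.
const SAMPLE_LOG_LINE = 'GET https://alice:s3cret@registry.example/pkg 200';
```

Wrapping the sink is what keeps the `:<password>@` segment out of both the console and any log file, which is the point of the report.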
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b982d273c955a12408b0fdbd78f4f7a50662b549

commit b982d273c955a12408b0fdbd78f4f7a50662b549
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-22 06:21:49 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-22 06:22:10 +0000

    net-libs/nodejs: Version 14.6.0

    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=731654
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest             |   1 +
 net-libs/nodejs/nodejs-14.6.0.ebuild | 200 +++++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
Thanks. Let's stable when ready.
Sanity check failed:
> net-libs/nodejs-14.6.0
> depend amd64 stable profile default/linux/amd64/17.0 (68 total)
> >=dev-libs/libuv-1.38.1:=
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (34 total)
> >=dev-libs/libuv-1.38.1:=
> rdepend amd64 stable profile default/linux/amd64/17.0 (68 total)
> >=dev-libs/libuv-1.38.1:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (34 total)
> >=dev-libs/libuv-1.38.1:=
All sanity-check issues have been resolved
Unable to check for sanity:
> no match for package: =net-libs/nodejs-14.6.0
Sanity check failed:
> net-libs/nodejs-14.15.0
> depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
> >=dev-libs/libuv-1.40.0:=
> depend amd64 stable profile default/linux/amd64/17.1 (54 total)
> >=dev-libs/libuv-1.40.0:=
> rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
> >=dev-libs/libuv-1.40.0:=
> rdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
> >=dev-libs/libuv-1.40.0:=
Unable to check for sanity:
> no match for package: dev-libs/libuv-1.40
Stabling in other bug
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b094fb3db96fe457eecee465812486cb7880e5a

commit 4b094fb3db96fe457eecee465812486cb7880e5a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-21 20:16:13 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-21 20:26:27 +0000

    net-libs/nodejs: remove 12.18.4 and 14.2.0

    Tickets pertaining to CVE-2020-8201, CVE-2020-8251, CVE-2020-8172,
    CVE-2020-8174 and CVE-2020-15095 should now be safe to close.

    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/731654
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                 |   2 -
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 216 -------------------------------
 net-libs/nodejs/nodejs-14.2.0.ebuild     | 201 ----------------------------
 3 files changed, 419 deletions(-)
This issue was resolved and addressed in GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07 by GLSA coordinator Sam James (sam_c).