Bug 731654 (CVE-2020-15095) - <net-libs/nodejs-14.6.0: Information disclosure via npm (CVE-2020-15095)
Summary: <net-libs/nodejs-14.6.0: Information disclosure via npm (CVE-2020-15095)
Status: RESOLVED FIXED
Alias: CVE-2020-15095
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://github.com/npm/cli/security/a...
Whiteboard: B4 [glsa+ cve]
Keywords:
Depends on: CVE-2020-8201, CVE-2020-8251
Blocks:
Reported: 2020-07-07 23:38 UTC by John Helmert III (ajak)
Modified: 2021-01-11 09:16 UTC (History)
See Also:
Package list:
Runtime testing required: ---


Description John Helmert III (ajak) 2020-07-07 23:38:01 UTC
CVE-2020-15095:

Versions of the CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. 

The CLI supports URLs like <protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>. The password value is not redacted and is printed to stdout and also to any generated log files.


Maintainer, please let us know if our versions are vulnerable and if so please bump.
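The missing redaction the advisory describes, shown as an added example for Node (this is not npm's own code): the `<password>` part of a `<protocol>://[<user>[:<password>]@]<hostname>...` URL is masked before the string reaches stdout or a log file, and existing log lines that already carry such a URL are flagged. The function names (`redactUrlPassword`, `redactLogLine`, `findLeakedCredentials`) and the sample log lines are constructed for this example.

```javascript
// Added example, not npm's code: redact the <password> in URLs of the form
// <protocol>://[<user>[:<password>]@]<hostname>[:<port>]/<path> before they
// reach stdout or a log file, and flag log lines that already leaked one.
// All function names and the sample log lines below are constructed.

const REDACTED = '***';

// Return `input` with its URL password replaced. Node's WHATWG URL parser is
// used when the string parses (note: it normalises the URL, e.g. adds a
// trailing "/" to a bare host); a conservative regex covers strings it rejects.
function redactUrlPassword(input) {
  try {
    const u = new URL(input);
    if (u.password !== '') {
      u.password = REDACTED; // '*' is not percent-encoded in the userinfo part
    }
    return u.toString();
  } catch {
    // Unparseable (e.g. forbidden host characters): only strip a userinfo
    // block that is plainly "user:password@" right after "scheme://".
    return input.replace(
      /^([a-z][a-z0-9+.-]*:\/\/[^/?#@:]*:)[^/?#@]*@/i,
      `$1${REDACTED}@`,
    );
  }
}

// Apply the redaction to every URL-looking token in a log line.
function redactLogLine(line) {
  return line.replace(/[a-z][a-z0-9+.-]*:\/\/[^\s'"]+/gi, redactUrlPassword);
}

// Indices of lines whose URLs carried a password (i.e. redaction changed them).
function findLeakedCredentials(lines) {
  return lines.reduce((hits, line, i) => {
    if (redactLogLine(line) !== line) hits.push(i);
    return hits;
  }, []);
}

// Constructed sample in the style of npm's verbose logging, not real output.
const SAMPLE_LOG = [
  'npm verb registry https://alice:hunter2@registry.example.com/',
  'npm http fetch GET 200 https://registry.example.com/left-pad 42ms',
  'npm verb cli git+https://deploy:tok3n@git.example.com/org/repo.git',
];

for (const i of findLeakedCredentials(SAMPLE_LOG)) {
  console.log(`line ${i} leaked a credential -> ${redactLogLine(SAMPLE_LOG[i])}`);
}
```

Running the block reports lines 0 and 2 of the constructed log as leaks and prints them with the password masked; line 1, a credential-free registry URL, is left untouched.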
Comment 1 Larry the Git Cow gentoo-dev 2020-07-22 06:22:14 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b982d273c955a12408b0fdbd78f4f7a50662b549

commit b982d273c955a12408b0fdbd78f4f7a50662b549
Author:     Jeroen Roovers <jer@gentoo.org>
AuthorDate: 2020-07-22 06:21:49 +0000
Commit:     Jeroen Roovers <jer@gentoo.org>
CommitDate: 2020-07-22 06:22:10 +0000

    net-libs/nodejs: Version 14.6.0
    
    Package-Manager: Portage-3.0.0, Repoman-2.3.23
    Bug: https://bugs.gentoo.org/show_bug.cgi?id=731654
    Signed-off-by: Jeroen Roovers <jer@gentoo.org>

 net-libs/nodejs/Manifest             |   1 +
 net-libs/nodejs/nodejs-14.6.0.ebuild | 200 +++++++++++++++++++++++++++++++++++
 2 files changed, 201 insertions(+)
Comment 2 John Helmert III (ajak) 2020-07-22 18:47:10 UTC
Thanks. Let's stable when ready.
Comment 3 NATTkA bot gentoo-dev 2020-07-22 18:48:53 UTC
Sanity check failed:

> net-libs/nodejs-14.6.0
>   depend amd64 stable profile default/linux/amd64/17.0 (68 total)
>     >=dev-libs/libuv-1.38.1:=
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (34 total)
>     >=dev-libs/libuv-1.38.1:=
>   rdepend amd64 stable profile default/linux/amd64/17.0 (68 total)
>     >=dev-libs/libuv-1.38.1:=
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (34 total)
>     >=dev-libs/libuv-1.38.1:=
Comment 4 NATTkA bot gentoo-dev 2020-07-22 18:56:41 UTC
All sanity-check issues have been resolved
Comment 5 NATTkA bot gentoo-dev 2020-08-27 17:52:54 UTC
Unable to check for sanity:

> no match for package: =net-libs/nodejs-14.6.0
Comment 6 NATTkA bot gentoo-dev 2020-11-09 15:17:10 UTC
Sanity check failed:

> net-libs/nodejs-14.15.0
>   depend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=dev-libs/libuv-1.40.0:=
>   depend amd64 stable profile default/linux/amd64/17.1 (54 total)
>     >=dev-libs/libuv-1.40.0:=
>   rdepend amd64 dev profile default/linux/amd64/17.0/no-multilib/prefix/kernel-3.2+ (35 total)
>     >=dev-libs/libuv-1.40.0:=
>   rdepend amd64 stable profile default/linux/amd64/17.1 (54 total)
>     >=dev-libs/libuv-1.40.0:=
Comment 7 NATTkA bot gentoo-dev 2020-11-09 15:21:00 UTC
Unable to check for sanity:

> no match for package: dev-libs/libuv-1.40
Comment 8 John Helmert III (ajak) 2020-11-09 20:17:45 UTC
Stabling in other bug
Comment 9 Larry the Git Cow gentoo-dev 2020-11-21 20:26:40 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4b094fb3db96fe457eecee465812486cb7880e5a

commit 4b094fb3db96fe457eecee465812486cb7880e5a
Author:     Marek Szuba <marecki@gentoo.org>
AuthorDate: 2020-11-21 20:16:13 +0000
Commit:     Marek Szuba <marecki@gentoo.org>
CommitDate: 2020-11-21 20:26:27 +0000

    net-libs/nodejs: remove 12.18.4 and 14.2.0
    
    Tickets pertaining to CVE-2020-8201, CVE-2020-8251, CVE-2020-8172,
    CVE-2020-8174 and CVE-2020-15095 should now be safe to close.
    
    Bug: https://bugs.gentoo.org/726836
    Bug: https://bugs.gentoo.org/731654
    Bug: https://bugs.gentoo.org/742893
    Signed-off-by: Marek Szuba <marecki@gentoo.org>

 net-libs/nodejs/Manifest                 |   2 -
 net-libs/nodejs/nodejs-12.18.4-r1.ebuild | 216 -------------------------------
 net-libs/nodejs/nodejs-14.2.0.ebuild     | 201 ----------------------------
 3 files changed, 419 deletions(-)
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2021-01-11 09:16:58 UTC
This issue was resolved and addressed in
 GLSA 202101-07 at https://security.gentoo.org/glsa/202101-07
by GLSA coordinator Sam James (sam_c).