Your message dated Wed, 12 Oct 2022 07:19:48 +0000
with message-id <[email protected]>
and subject line Bug#1021618: fixed in node-xmldom 0.8.3-1
has caused the Debian Bug report #1021618,
regarding node-xmldom: CVE-2022-37616
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1021618: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1021618
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-xmldom
Version: 0.7.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/xmldom/xmldom/issues/436
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for node-xmldom.

CVE-2022-37616[0]:
| A prototype pollution vulnerability exists in the function copy in
| dom.js in the xmldom (published as @xmldom/xmldom) package before
| 0.8.3 for Node.js via the p variable.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37616
    https://www.cve.org/CVERecord?id=CVE-2022-37616
[1] https://github.com/xmldom/xmldom/issues/436

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-xmldom
Source-Version: 0.8.3-1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-xmldom, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-xmldom package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 12 Oct 2022 08:56:03 +0200
Source: node-xmldom
Built-For-Profiles: nocheck
Architecture: source
Version: 0.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1021618
Changes:
node-xmldom (0.8.3-1) unstable; urgency=medium
.
* Team upload
* Update standards version to 4.6.1, no changes needed.
* New upstream version 0.8.3 (Closes: #1021618, CVE-2022-37616)
* Add fix for jest >= 29
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---