Your message dated Thu, 24 Nov 2022 08:36:02 +0000
with message-id <e1oy7ie-00cfcs...@fasolo.debian.org>
and subject line Bug#1024736: fixed in node-xmldom 0.8.6-1
has caused the Debian Bug report #1024736,
regarding node-xmldom: CVE-2022-39353
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1024736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-xmldom
Version: 0.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jindw/xmldom/issues/150
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-xmldom.

CVE-2022-39353[0]:
| xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core)
| `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not
| well-formed because it contains multiple top level elements, and adds
| all root nodes to the `childNodes` collection of the `Document`,
| without reporting any error or throwing. This breaks the assumption
| that there is only a single root node in the tree, which led to
| issuance of CVE-2022-39299 as it is a potential issue for dependents.
| Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag
| latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a
| workaround, please use one of the following approaches depending on your
| use case: instead of searching for elements in the whole DOM, only
| search in the `documentElement`, or reject a document that has more
| than 1 `childNode`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39353
    https://www.cve.org/CVERecord?id=CVE-2022-39353
[1] https://github.com/jindw/xmldom/issues/150
[2] https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
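An added example, placed between the two messages and not part of either of them or of the xmldom project: a JavaScript guard for the condition the advisory above describes, an XML input with several top-level elements being accepted and all of its roots landing in the `Document`'s `childNodes`. `countTopLevelElements` is a parser-independent pre-check on the raw text (an added approach, not one of the advisory's listed workarounds); `rootElementCount` and `assertSingleRoot` implement the advisory's own DOM-level workaround of rejecting a `Document` with more than one element child and scoping later lookups to `documentElement`. The sample inputs `SINGLE_ROOT` and `MULTI_ROOT` are constructed for this example.

```javascript
// Added example, not code from the Debian bug report, the CVE record or the
// xmldom project. Two guards against multi-root XML being accepted silently:
//  1. countTopLevelElements: a parser-independent pre-check on the raw text
//     that counts element start tags at nesting depth 0, skipping the XML
//     declaration, processing instructions, comments, CDATA and DOCTYPE.
//  2. rootElementCount / assertSingleRoot: the advisory's DOM-level check,
//     counting element children of the Document node after parsing; works
//     with any DOM Level 2 Document (xmldom, a browser DOMParser).

function countTopLevelElements(xml) {
  let depth = 0;   // current element nesting depth
  let roots = 0;   // element start tags seen at depth 0
  let i = 0;
  const n = xml.length;
  while (i < n) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;
    if (xml.startsWith('<!--', lt)) {
      const end = xml.indexOf('-->', lt + 4);
      if (end === -1) throw new Error('unterminated comment');
      i = end + 3;
      continue;
    }
    if (xml.startsWith('<![CDATA[', lt)) {
      const end = xml.indexOf(']]>', lt + 9);
      if (end === -1) throw new Error('unterminated CDATA section');
      i = end + 3;
      continue;
    }
    if (xml.startsWith('<?', lt)) {
      const end = xml.indexOf('?>', lt + 2);
      if (end === -1) throw new Error('unterminated processing instruction');
      i = end + 2;
      continue;
    }
    if (xml.startsWith('<!', lt)) {
      // DOCTYPE, possibly with an internal subset in [...]: skip to its '>'
      let j = lt + 2;
      let bracket = 0;
      for (; j < n; j++) {
        const c = xml[j];
        if (c === '[') bracket++;
        else if (c === ']') bracket--;
        else if (c === '>' && bracket === 0) break;
      }
      if (j >= n) throw new Error('unterminated declaration');
      i = j + 1;
      continue;
    }
    // Start, end or empty-element tag: find its '>' outside quoted attributes.
    let j = lt + 1;
    let quote = null;
    for (; j < n; j++) {
      const c = xml[j];
      if (quote) { if (c === quote) quote = null; }
      else if (c === '"' || c === "'") quote = c;
      else if (c === '>') break;
    }
    if (j >= n) throw new Error('unterminated tag');
    const tag = xml.slice(lt, j + 1);
    if (tag[1] === '/') {
      depth--;
      if (depth < 0) throw new Error('end tag without start tag: ' + tag);
    } else {
      if (depth === 0) roots++;
      if (!tag.endsWith('/>')) depth++;
    }
    i = j + 1;
  }
  if (depth !== 0) throw new Error('unclosed element at end of input');
  return roots;
}

// Guard to call before handing text to a parser: true only when the input
// has exactly one top-level element and balanced tags.
function isSingleRootXml(xml) {
  try {
    return countTopLevelElements(xml) === 1;
  } catch (e) {
    return false;
  }
}

const ELEMENT_NODE = 1;

// The advisory's DOM-level check: count element children of the Document.
function rootElementCount(doc) {
  let count = 0;
  for (let i = 0; i < doc.childNodes.length; i++) {
    if (doc.childNodes[i].nodeType === ELEMENT_NODE) count++;
  }
  return count;
}

// Reject a Document whose root-element count is not exactly one, and hand
// back documentElement so later lookups are scoped to it, not the whole tree.
function assertSingleRoot(doc) {
  const count = rootElementCount(doc);
  if (count !== 1) {
    throw new Error('expected exactly one root element, found ' + count);
  }
  return doc.documentElement;
}

// Constructed sample inputs (not taken from the advisory).
const SINGLE_ROOT = '<?xml version="1.0"?>\n<!-- one root -->\n<doc><a/><b>x</b></doc>\n';
const MULTI_ROOT = '<?xml version="1.0"?>\n<doc id="1"/>\n<doc id="2"><extra/></doc>\n';
```

The pre-check tracks nesting depth only, not tag names, so it catches the multi-root case but is no substitute for the parser's own well-formedness checking. Calling `assertSingleRoot` on the parsed result and then searching from the returned `documentElement` rather than from the `Document` covers both of the advisory's workarounds at once.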
--- Begin Message ---
Source: node-xmldom
Source-Version: 0.8.6-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-xmldom, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1024...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-xmldom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 24 Nov 2022 09:03:06 +0100
Source: node-xmldom
Architecture: source
Version: 0.8.6-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1024736
Changes:
 node-xmldom (0.8.6-1) unstable; urgency=medium
 .
   * Team upload
   * Set upstream metadata fields: Security-Contact.
   * New upstream release (Closes: #1024736, CVE-2022-39353)
Checksums-Sha1: 
 c7215ce3fb5d271a1a2d70e75e27cb0b6ac198cb 2022 node-xmldom_0.8.6-1.dsc
 0c208388138933518748680a3e686175e02ce532 318742 node-xmldom_0.8.6.orig.tar.gz
 a9841bcedfa7eb2b574dba180d94e63cfc258a5b 3512 node-xmldom_0.8.6-1.debian.tar.xz
Checksums-Sha256: 
 7e461daba7c7b1a237364648a295939af1c7f73fa8599bc7c3e0be9b6920e196 2022 node-xmldom_0.8.6-1.dsc
 ff8313ae508287c23fda321655c94247ca5e4e841487b7103b5259fbb903dd97 318742 node-xmldom_0.8.6.orig.tar.gz
 0cb251321ad51efaa5f2d0a6340e666a601c58b80907e0de766e4f49fad6dc8f 3512 node-xmldom_0.8.6-1.debian.tar.xz
Files: 
 a3d9d519964cedb2da52d9a9f0d4c2f6 2022 javascript optional node-xmldom_0.8.6-1.dsc
 226ddb5b83975654597c1828c46bca8c 318742 javascript optional node-xmldom_0.8.6.orig.tar.gz
 baa7d17dee01da19f60e2a05104a0461 3512 javascript optional node-xmldom_0.8.6-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---