Your message dated Sat, 14 Sep 2024 20:39:39 +0200
with message-id <zuxya5klocsww...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted node-path-to-regexp 6.3.0-1 (source) into unstable]
has caused the Debian Bug report #1081656,
regarding node-path-to-regexp: CVE-2024-45296
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1081656: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081656
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-path-to-regexp
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-path-to-regexp.

CVE-2024-45296[0]:
| path-to-regexp turns path strings into regular expressions. In
| certain cases, path-to-regexp will output a regular expression that
| can be exploited to cause poor performance. Because JavaScript is
| single threaded and regex matching runs on the main thread, poor
| performance will block the event loop and lead to a DoS. The bad
| regular expression is generated any time you have two parameters
| within a single segment, separated by something that is not a period
| (.). For users of 0.1, upgrade to 0.1.10. All other users should
| upgrade to 8.0.0.

https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-9wv6-86v2-598j
https://github.com/pillarjs/path-to-regexp/commit/60f2121e9b66b7b622cc01080df0aabda9eedee6
 (v8.0.0)


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-45296
    https://www.cve.org/CVERecord?id=CVE-2024-45296

Please adjust the affected versions in the BTS as needed.

--- End Message ---
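
The condition named in the CVE text above (two parameters within a single segment, separated by something that is not a period) can be checked statically against an application's route strings. The JavaScript below is an added example, not part of the bug report or of path-to-regexp; `auditRoute`, `auditAll` and the sample routes are hypothetical, and the parameter syntax it recognises (`:name` with an optional parenthesised pattern and modifier) is a simplifying assumption.

```javascript
// Added example: static audit of route strings for the pattern described in
// CVE-2024-45296. Not code from path-to-regexp or from the Debian package.

// Matches ":name", an optional "(custom pattern)" and an optional modifier.
// Assumption: names are \w+ and custom patterns contain no nested ")".
const PARAM = /:(\w+)(\([^)]*\))?[?*+]?/g;

// Returns one finding per pair of adjacent parameters that share a path
// segment and are separated by anything other than a single period.
// Assumption: an empty separator (":a:b") is reported too, to stay conservative.
function auditRoute(route) {
  const findings = [];
  for (const segment of route.split("/")) {
    const params = [...segment.matchAll(PARAM)];
    for (let i = 1; i < params.length; i++) {
      const prev = params[i - 1];
      const separator = segment.slice(prev.index + prev[0].length, params[i].index);
      if (separator !== ".") {
        findings.push({ segment, first: prev[1], second: params[i][1], separator });
      }
    }
  }
  return findings;
}

// Audits a list of routes and tags each finding with the route it came from.
function auditAll(routes) {
  return routes.flatMap((route) =>
    auditRoute(route).map((finding) => ({ route, ...finding })));
}

// Constructed sample routes (not taken from any real application).
const SAMPLE_ROUTES = [
  "/users/:id",                 // one parameter per segment
  "/files/:name.:ext",          // two parameters, period separator
  "/flights/:from-:to",         // two parameters, "-" separator
  "/report/:year-:month-:day",  // three parameters, two "-" separators
  "/orders/:id/items/:itemId",  // parameters in different segments
];

for (const f of auditAll(SAMPLE_ROUTES)) {
  console.log(`${f.route}: ":${f.first}" and ":${f.second}" share segment ` +
    `"${f.segment}" with separator ${JSON.stringify(f.separator)}`);
}
```

Routes it reports are the ones to re-test after moving to a fixed version such as the 6.3.0-1 upload recorded below.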
--- Begin Message ---
Source: node-path-to-regexp
Source-Version: 6.3.0-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Sep 2024 16:14:48 +0400
Source: node-path-to-regexp
Architecture: source
Version: 6.3.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Changes:
 node-path-to-regexp (6.3.0-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.0
   * New upstream version (Closes: CVE-2024-45296)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

----- End forwarded message -----

--- End Message ---
