Your message dated Fri, 06 Mar 2026 14:36:21 +0000
with message-id <[email protected]>
and subject line Bug#1128619: fixed in node-bn.js 5.2.3+~5.2.0-1
has caused the Debian Bug report #1128619,
regarding node-bn.js: CVE-2026-2739
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1128619: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128619
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-bn.js
Version: 5.2.1+~5.1.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/indutny/bn.js/pull/317
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-bn.js.
CVE-2026-2739[0]:
| This affects versions of the package bn.js before 5.2.3. Calling
| maskn(0) on any BN instance corrupts the internal state, causing
| toString(), divmod(), and other methods to enter an infinite loop,
| hanging the process indefinitely.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-2739
https://www.cve.org/CVERecord?id=CVE-2026-2739
[1] https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
[2] https://github.com/indutny/bn.js/issues/316
[3] https://github.com/indutny/bn.js/issues/186
[4] https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
[5] https://github.com/indutny/bn.js/pull/317
[6] https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-bn.js
Source-Version: 5.2.3+~5.2.0-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-bn.js, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-bn.js package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 06 Mar 2026 15:15:23 +0100
Source: node-bn.js
Architecture: source
Version: 5.2.3+~5.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1128619
Changes:
node-bn.js (5.2.3+~5.2.0-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.3
* Drop "Rules-Requires-Root: no"
* debian/watch version 5
* New upstream version 5.2.3+~5.2.0 (Closes: #1128619, CVE-2026-2739)
--- End Message ---
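Added example (not part of the bug report, of bn.js, or of the Debian packaging): a lockfile audit that applies the advisory's "before 5.2.3" range to every bn.js copy in a package-lock.json, nested ones included. The sample lockfile and its dependency names (dep-a, dep-b) are constructed, and the function names are hypothetical; Debian-style versions such as 5.2.1+~5.1.1-1 are compared on their leading upstream part only.

```javascript
// Fixed release named in the CVE-2026-2739 text ("before 5.2.3").
const FIXED = [5, 2, 3];

// Accepts npm versions ("5.2.1") and Debian ones ("5.2.1+~5.1.1-1"):
// only the leading upstream major.minor.patch is extracted.
function upstreamTriple(version) {
  const m = /^(?:\d+:)?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? m.slice(1, 4).map(Number) : null;
}

// Applies the advisory range exactly as written: anything below 5.2.3.
function isAffected(version) {
  const v = upstreamTriple(version);
  if (!v) return true; // unparseable: flag it so a human reviews it
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false; // exactly the fixed version
}

// Walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3)
// and reports every installed bn.js copy, top-level or nested.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/bn\.js$/.test(path)) continue;
    findings.push({ path, version: meta.version, affected: isAffected(meta.version) });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/bn.js': { version: '5.2.3' },
    'node_modules/dep-a/node_modules/bn.js': { version: '4.12.0' },
    'node_modules/dep-b/node_modules/bn.js': { version: '5.2.1' },
    'node_modules/not-bn.js': { version: '1.0.0' }
  }
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.affected ? 'AFFECTED' : 'ok      '} ${f.version.padEnd(8)} ${f.path}`);
}
```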