Hi Bastien,

If you would like me to prepare an upload to unstable for this (&
unblock request), let me know. I have some time today & tomorrow - but
travelling with work next week. I have DM upload rights for it.

Only asking in case you are already working on it.

Cheers,

Ross

On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is a writable stream that concatenates strings or binary data and 
> calls a callback with the result. Affected versions of the package are 
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type number 
> is provided to the stringConcat() method and results in concatenation of 
> uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose
> insecure default constructor increases the odds of memory leakage.
>
>
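
Added example (not part of the original mail and not concat-stream's code): a simplified model of the issue described in the report above, with a hypothetical helper that hands a number to the Buffer constructor next to a version that checks types first. The names legacyBuffer, concatUnsafe, concatSafe and the sample input are assumptions made for illustration; Buffer.allocUnsafe stands in for the legacy constructor behaviour.

```javascript
// Model of the legacy Buffer(value) behaviour the report refers to: a number
// is taken as a size and the memory is NOT zero-filled. Buffer.allocUnsafe
// stands in for it so the example behaves the same on current Node.js.
function legacyBuffer(value) {
  return typeof value === 'number' ? Buffer.allocUnsafe(value) : Buffer.from(value);
}

// Hypothetical concatenation helper (not concat-stream's source): anything
// that is not already a Buffer goes straight to the constructor.
function concatUnsafe(parts) {
  return Buffer.concat(parts.map((p) => (Buffer.isBuffer(p) ? p : legacyBuffer(p))));
}

// Hardened variant: decide per type, and never let a number become a size.
// This is one possible check, not the upstream patch.
function concatSafe(parts) {
  return Buffer.concat(parts.map((p) => {
    if (Buffer.isBuffer(p)) return p;
    if (typeof p === 'string') return Buffer.from(p, 'utf8');
    if (typeof p === 'number') return Buffer.from(String(p), 'utf8');
    throw new TypeError('unsupported chunk type: ' + typeof p);
  }));
}

// Constructed input: a JSON field expected to be a string arrives as a number.
const sample = JSON.parse('{"chunk": 64}');

function demo() {
  const unsafe = concatUnsafe(['id=', sample.chunk]);
  const safe = concatSafe(['id=', sample.chunk]);
  return {
    // 3 bytes of "id=" followed by 64 bytes whose contents are unspecified
    unsafeLength: unsafe.length,
    // the number is written out as text instead of being used as a length
    safeText: safe.toString('utf8'),
  };
}

console.log(demo());
```

The 64 trailing bytes in the unsafe result are whatever the allocator returned, which is why the check belongs at the point where untyped values enter the stream.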
