Hi Bastien,

If you would like me to prepare an upload to unstable for this (& unblock request), let me know. I have some time today & tomorrow - but travelling with work next week. I have DM upload rights for it.

Only asking in case you are already working on it.

Cheers,
Ross

On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is a writable stream that concatenates strings or binary data and
> calls a callback with the result. Affected versions of the package are
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type number
> is provided to the stringConcat() method and results in concatenation of
> uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose insecure
> default constructor increases the odds of memory leakage.
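The failure mode in the quoted advisory, as an added example that is not part of this mail and is not concat-stream's own code: a number reaching a size-allocating Buffer call contributes that many bytes of memory instead of its text. The function names `chunkToBuffer`, `concatAsString` and `sizeAllocatedLength` are hypothetical, and the sample input is constructed.

```javascript
'use strict';

// Models the legacy pattern: Buffer(n) with a number allocates n bytes.
// On Node versions before 8 those bytes were not zeroed. Buffer.alloc is
// used here so the demonstration itself never exposes memory.
function sizeAllocatedLength(n) {
  return Buffer.alloc(n).length;
}

// Hardened conversion: branch on the chunk type and never hand a number
// to an API that interprets it as a size.
function chunkToBuffer(chunk) {
  if (Buffer.isBuffer(chunk)) return chunk;
  if (typeof chunk === 'string') return Buffer.from(chunk, 'utf8');
  if (chunk instanceof Uint8Array) {
    return Buffer.from(chunk.buffer, chunk.byteOffset, chunk.byteLength);
  }
  if (typeof chunk === 'number') {
    // Treat the number as data (its decimal text), not as a length.
    return Buffer.from(String(chunk), 'utf8');
  }
  throw new TypeError('unsupported chunk type: ' + typeof chunk);
}

// Concatenate everything written to the stream and return it as a string.
function concatAsString(chunks) {
  return Buffer.concat(chunks.map(chunkToBuffer)).toString('utf8');
}

// Constructed sample: a number arrives where a string was expected,
// for example a field taken from parsed JSON and written to the stream.
const sample = ['id=', 100, ';'];

console.log('legacy pattern would add', sizeAllocatedLength(100), 'bytes');
console.log('hardened result:', JSON.stringify(concatAsString(sample)));
```
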