Control: tags -1 + confirmed

On Fri, 2023-03-03 at 08:57 +0000, Bastien Roucariès wrote:
> CVE-2022-21222/CVE-2021-33587 The package css-what before 2.1.3 is vulnerable
> to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure
> regular expression in the re_attr variable of index.js. The exploitation of
> this vulnerability could be triggered via the parse function.
> 

+node-css-what (4.0.0-3+deb11u1) bullseye-security; urgency=medium

The distribution needs to simply be "bullseye" for a stable upload.

With that change, please go ahead.

Regards,

Adam
