Your message dated Fri, 23 Aug 2024 10:17:29 +0000
with message-id <e1shrmh-006ufd...@fasolo.debian.org>
and subject line Bug#1078880: fixed in gettext.js 0.7.0-2+deb11u1
has caused the Debian Bug report #1078880,
regarding gettext.js: CVE-2024-43370
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1078880: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078880
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gettext.js
Version: 0.7.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for gettext.js.

CVE-2024-43370[0]:
| gettext.js is a GNU gettext port for node and the browser. There is
| a cross-site scripting (XSS) injection if `.po` dictionary
| definition files are corrupted. This vulnerability has been patched
| in version 2.0.3. As a workaround, control the origin of the
| definition catalog to prevent the use of this flaw in the definition
| of plural forms.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43370
    https://www.cve.org/CVERecord?id=CVE-2024-43370
[1] https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
[2] https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c

Regards,
Salvatore

--- End Message ---
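The advisory quoted above describes an XSS that arises when the plural-forms definition of a corrupted `.po` catalog is evaluated. The block below is an added example written for this page; it is not code from gettext.js, from the upstream advisory, or from the Debian fix. It assumes, purely to illustrate the vulnerable pattern (not as a description of the library's actual source), that the unsafe path compiles the `Plural-Forms` header with `Function()`, and contrasts it with a whitelist tokenizer plus recursive-descent evaluator that accepts only the C-style gettext plural grammar. The two catalog headers, `unsafePluralFunc` and `safePluralFunc` are all constructed for the example.

```javascript
// Added example (not gettext.js code): evaluating a Plural-Forms header
// without handing catalog-supplied text to the JavaScript engine.

// Constructed sample catalog headers; neither comes from a real .po file.
const BENIGN_HEADER =
  'Language: pl\n' +
  'Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n';
const MALICIOUS_HEADER =
  'Language: xx\n' +
  'Plural-Forms: nplurals=2; plural=(globalThis.pwned = true, n != 1);\n';

// Extract nplurals and the plural expression from the header block.
function pluralExpression(header) {
  const m = /Plural-Forms:\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*([^;\n]+)/i.exec(header);
  if (!m) throw new Error('no Plural-Forms header');
  return { nplurals: Number(m[1]), expr: m[2].trim() };
}

// VULNERABLE PATTERN (assumed for illustration, not the library's real code):
// the catalog string is compiled as JavaScript, so a corrupted catalog runs
// arbitrary code with the privileges of the page that loaded it.
function unsafePluralFunc(header) {
  const { expr } = pluralExpression(header);
  return new Function('n', 'return Number(' + expr + ');');
}

// HARDENED: only integer literals, `n`, the C operators gettext uses and
// parentheses are tokens. Identifiers, `.`, `=` and `,` never get this far.
const TOKEN_RE = /\s*(?:(\d+)|(n)|(\|\||&&|==|!=|<=|>=|[-+*\/%<>!?:()]))/y;

function tokenize(expr) {
  const tokens = [];
  let pos = 0;
  while (pos < expr.length) {
    TOKEN_RE.lastIndex = pos;
    const m = TOKEN_RE.exec(expr);
    if (!m) throw new Error('illegal token at ' + pos + ': ' + JSON.stringify(expr.slice(pos, pos + 12)));
    pos = TOKEN_RE.lastIndex;
    if (m[1] !== undefined) tokens.push({ t: 'num', v: Number(m[1]) });
    else if (m[2] !== undefined) tokens.push({ t: 'n', v: 'n' });
    else tokens.push({ t: 'op', v: m[3] });
  }
  return tokens;
}

// Compile tokens into a closure n => index. Precedence, lowest first:
// ?: (right-assoc), ||, &&, == !=, < > <= >=, + -, * / %, unary !.
function compilePlural(expr) {
  const toks = tokenize(expr);
  let i = 0;
  const takeOp = (v) => {
    if (toks[i] && toks[i].t === 'op' && toks[i].v === v) { i++; return true; }
    return false;
  };
  const expect = (v) => { if (!takeOp(v)) throw new Error("expected '" + v + "' at token " + i); };
  const bool = (x) => (x ? 1 : 0);
  const has = (obj, k) => Object.prototype.hasOwnProperty.call(obj, k);

  function binary(next, ops) {
    return () => {
      let left = next();
      while (toks[i] && toks[i].t === 'op' && has(ops, toks[i].v)) {
        const f = ops[toks[i++].v];
        const l = left, r = next();
        left = (n) => f(l(n), r(n));
      }
      return left;
    };
  }
  function primary() {
    const t = toks[i++];
    if (!t) throw new Error('unexpected end of expression');
    if (t.t === 'num') return () => t.v;
    if (t.t === 'n') return (n) => n;
    if (t.t === 'op' && t.v === '(') { const e = ternary(); expect(')'); return e; }
    throw new Error("unexpected token '" + t.v + "'");
  }
  function unary() {
    if (takeOp('!')) { const e = unary(); return (n) => bool(!e(n)); }
    return primary();
  }
  const divZero = (b) => { if (b === 0) throw new RangeError('division by zero'); };
  const mul = binary(unary, {
    '*': (a, b) => a * b,
    '/': (a, b) => { divZero(b); return Math.trunc(a / b); },
    '%': (a, b) => { divZero(b); return a % b; },
  });
  const add = binary(mul, { '+': (a, b) => a + b, '-': (a, b) => a - b });
  const rel = binary(add, {
    '<': (a, b) => bool(a < b), '>': (a, b) => bool(a > b),
    '<=': (a, b) => bool(a <= b), '>=': (a, b) => bool(a >= b),
  });
  const eq = binary(rel, { '==': (a, b) => bool(a === b), '!=': (a, b) => bool(a !== b) });
  const and = binary(eq, { '&&': (a, b) => bool(a && b) });
  const or = binary(and, { '||': (a, b) => bool(a || b) });
  function ternary() {
    const cond = or();
    if (!takeOp('?')) return cond;
    const yes = ternary();
    expect(':');
    const no = ternary();
    return (n) => (cond(n) ? yes(n) : no(n));
  }

  const fn = ternary();
  if (i !== toks.length) throw new Error('trailing tokens in plural expression');
  return fn;
}

// Public entry point: parse once, then bounds-check every lookup so a
// catalog cannot index outside its own nplurals.
function safePluralFunc(header) {
  const { nplurals, expr } = pluralExpression(header);
  if (!Number.isInteger(nplurals) || nplurals < 1) throw new RangeError('bad nplurals: ' + nplurals);
  const evaluate = compilePlural(expr);
  return (n) => {
    if (!Number.isInteger(n) || n < 0) throw new RangeError('n must be a non-negative integer');
    const idx = evaluate(n);
    if (!Number.isInteger(idx) || idx < 0 || idx >= nplurals) throw new RangeError('plural index ' + idx + ' outside 0..' + (nplurals - 1));
    return idx;
  };
}

// Stand-alone demo.
const polish = safePluralFunc(BENIGN_HEADER);
console.log([0, 1, 2, 5, 12, 22].map((n) => polish(n))); // [2, 0, 1, 2, 2, 1]
try { safePluralFunc(MALICIOUS_HEADER); } catch (e) { console.log('hardened path rejected catalog:', e.message); }
globalThis.pwned = false;
unsafePluralFunc(MALICIOUS_HEADER)(5);
console.log('unsafe path executed catalog-supplied code:', globalThis.pwned); // true
```

The design point is that the safe path never lets the catalog text reach the JavaScript engine: the tokenizer is the trust boundary, and everything after it operates on a closed set of token kinds. That is the same reason the advisory's workaround (control the origin of the catalog) works, but it holds even when the catalog comes from a CDN or user upload.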
--- Begin Message ---
Source: gettext.js
Source-Version: 0.7.0-2+deb11u1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
gettext.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1078...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated gettext.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 20 Aug 2024 17:26:52 +0400
Source: gettext.js
Architecture: source
Version: 0.7.0-2+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1078880
Changes:
 gettext.js (0.7.0-2+deb11u1) bullseye; urgency=medium
 .
   * Team upload
   * Fix SSRF issue (Closes: #1078880, CVE-2024-43370)
Checksums-Sha1: 
 3352ef61fbbafeeaf45ed6db3cb72915993b2fc7 2121 gettext.js_0.7.0-2+deb11u1.dsc
 e4e5c4a288ae139f80a9442b673af36f48880a0c 3372 gettext.js_0.7.0-2+deb11u1.debian.tar.xz
Checksums-Sha256: 
 91fd11a4874a69f6d9091512494e482e8beba155a455b70af5dbb0109c849c51 2121 gettext.js_0.7.0-2+deb11u1.dsc
 b66e0b26f219ca76ad40fe5a5629c0ade3394ad0ad49ccac42760d2d45f3a6b0 3372 gettext.js_0.7.0-2+deb11u1.debian.tar.xz
Files: 
 df6889aad05dc991848224fc02ccc923 2121 javascript optional gettext.js_0.7.0-2+deb11u1.dsc
 af2d18a1eeb756a99a627d96ae51aba1 3372 javascript optional gettext.js_0.7.0-2+deb11u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmbHB5UACgkQ9tdMp8mZ
7umVmg/+Kj+MYDoMDmS78EVCpw7b5VrgQj+3GqaE4jO3aBjWNjWMOXKw9iXOQKik
mFI/5MUVsnhXrCtS9T+Bspjbn94TJfGqY1E3/5KFHcvODeK71i2jcioCTHZEPBZq
0bUhdMksSb041HwcPHNZ6cGdX0/SJMCugCGj+oLKHbzo8CVQ+QclaI9nWpt1Y/eu
AM4SneCTz9HY3SlaGpoPi1WWW+flfczZupC/9OYtwxDvnZ70z2TXnudEOyLSpe8C
sdvymLfS+Scu0iBiNG20XO2SYS8PI4PtGbKmnP4PxEAHQBuarfVdtlT2iMLOEAlg
ZH8BH8NCqR30QvxUjKrNZKfkw6I+/HH2i0TXx6MCwfZKPFYoU2bt/TQixR9b3G0v
vvZF/kkaF4NhWz2hhLZqmFvfvoS/glnZB/oNr1dOIuJlFIHFvWG9gbINby9Q7Ola
oZTx7ARmd/NYgAK/0SfbOgigfMEFAlMY1dkKVmS3leDaZfv1dEPu1Tw2WH5/LY8z
DDFM7i4Tj/9/ExWXsn8PEAo0Fnsz/l8vtz0Z+FiXFfWZDHKlgUORv+mS1aL/u77f
GWorS4cfq+NsUxi4ANlxfBtQaxc3IzDpXmjuXbOQuGmSaCOWzQNpNRRircCh6zuE
9K8BjbG9T0p0FnJXlKj5OkBMv8NUpssWNOrxn7rKYU64OHqBh7k=
=Henx
-----END PGP SIGNATURE-----



--- End Message ---
