hi,

On Wed, Feb 23, 2022 at 10:27:33PM +0100, Moritz Mühlenhoff wrote:
> On Mon, Feb 21, 2022 at 01:57:54PM +0100, Yadd wrote:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian....@packages.debian.org
> > Usertags: pu
> >
> > [ Reason ]
> > node-prismjs has 2 vulnerabilities:
> > * Regex DoS (CVE-2021-40438)
>
> Where did you get that CVE reference from? CVE-2021-40438 is for a
> mod_proxy vulnerability in Apache httpd?
The used changelog entry actually has:

+node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-3801)
+ * Command Line: Escape markup in command line output
+ (Closes: CVE-2022-23647)
+
+ -- Yadd <y...@debian.org> Mon, 21 Feb 2022 11:57:44 +0100

But this seems odd: CVE-2021-3801 was already fixed in the last bullseye
point release with 1.23.0+dfsg-1+deb11u1. So should this update be only
for CVE-2022-23647 and the version be 1.23.0+dfsg-1+deb11u2?

Regards,
Salvatore
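Review bot: the changelog header in the quoted entry reuses version 1.23.0+dfsg-1+deb11u1, which this thread states already shipped in the previous bullseye point release, so the upload would not sort as a newer version; bump it to 1.23.0+dfsg-1+deb11u2 and, if the ReDoS fix is already in the archive, drop the "* Fix ReDoS (Closes: CVE-2021-3801)" line so the entry only claims the CVE-2022-23647 change. The bug report's [ Reason ] block also cites CVE-2021-40438 while the changelog closes CVE-2021-3801; the two references should be brought into agreement before the update is reviewed.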