[Git][security-tracker-team/security-tracker][master] CVE-2023-28154 is not present in webpack3

Thu, 04 Jan 2024 15:14:11 -0800 


Bastien Roucariès pushed to branch master at Debian Security Tracker / 
security-tracker


Commits:
c96e2f59 by Bastien Roucariès at 2024-01-04T23:07:26+00:00
CVE-2023-28154 is not present in webpack3

Magic comment are not interpreted by vm.runInNewContext(`(function(){return 
{${value}};})()`); and use json.parse that is safe

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -45603,7 +45603,7 @@ CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid 
cross-realm object access
        - node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904)
        [bookworm] - node-webpack 5.75.0+dfsg+~cs17.16.14-1+deb12u1
        [bullseye] - node-webpack 4.43.0-6+deb11u1
-       [buster] - node-webpack <no-dsa> (Minor issue)
+       [buster] - node-webpack <not-affected> (vulnerable code 
vm.runInNewContext(`(function(){return {${value}};})()`); is not present. 
Introduced latter)
        NOTE: https://github.com/webpack/webpack/pull/16500
        NOTE: Merge commit: 
https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80
 (v5.76.0)
 CVE-2023-1363 (A vulnerability, which was classified as problematic, was found 
in Sou ...)


=====================================
data/dla-needed.txt
=====================================
@@ -146,10 +146,6 @@ linux-5.10
 mariadb-10.3
   NOTE: 20231129: Added by Front-Desk (Beuc)
 --
-node-webpack
-  NOTE: 20231005: Added by Front-Desk (Beuc)
-  NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)
---
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific 
CVE-2022-47951 backport that introduces regression



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96e2f599fd0e3ef214e427c84232e0b8ce65d5a

-- 
View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96e2f599fd0e3ef214e427c84232e0b8ce65d5a
You're receiving this email because of your account on salsa.debian.org.



_______________________________________________
debian-security-tracker-commits mailing list
debian-security-tracker-commits@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits

Reply via email to