Source: node-browserslist
Version: 4.16.3+~cs5.4.72-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-browserslist.

CVE-2021-23364[0]:
| The package browserslist from 4.0.0 and before 4.16.5 are vulnerable
| to Regular Expression Denial of Service (ReDoS) during parsing of
| queries.

The patch will probably not cleanly apply, but according to the
available information at least 4.0.0 onwards until 4.16.5 are
affected. Not sure if earlier versions were just not checked or if they
are confirmed to be not affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23364
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
[1] https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
[2] https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
[3] https://github.com/browserslist/browserslist/pull/593

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel