Your message dated Sun, 26 Apr 2026 19:27:29 +0000
with message-id <[email protected]>
and subject line Bug#1093446: fixed in node-katex 0.16.10+~cs6.1.0-7
has caused the Debian Bug report #1093446,
regarding node-katex: CVE-2025-23207
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1093446: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1093446
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-katex
Version: 0.16.10+~cs6.1.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-katex.

CVE-2025-23207[0]:
| KaTeX is a fast, easy-to-use JavaScript library for TeX math
| rendering on the web. KaTeX users who render untrusted mathematical
| expressions with `renderToString` could encounter malicious input
| using `\htmlData` that runs arbitrary JavaScript, or generate
| invalid HTML. Users are advised to upgrade to KaTeX v0.16.21 to
| remove this vulnerability. Users unable to upgrade should avoid use
| of or turn off the `trust` option, or set it to forbid `\htmlData`
| commands, forbid inputs containing the substring `"\\htmlData"` and
| sanitize HTML output from KaTeX.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-23207
    https://www.cve.org/CVERecord?id=CVE-2025-23207
[1] https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cg87-wmx4-v546
[2] https://github.com/KaTeX/KaTeX/commit/ff289955e81aab89086eef09254cbf88573d415c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
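
The workarounds quoted in the CVE text above (set `trust` to forbid `\htmlData`, and refuse inputs containing that substring), sketched as an added example that is not code from KaTeX, the advisory, or the Debian package. The helper names are hypothetical, the deny list is stricter than the advisory requires, and the `katex` module is passed in as a parameter so the policy can be exercised without the library installed.

```javascript
// Added example (hypothetical helper names), for KaTeX builds without the
// CVE-2025-23207 fix. Upgrading remains the advisory's primary remedy.

// Commands gated by KaTeX's `trust` option that write HTML attributes or
// load resources. Only \htmlData is named by the advisory; the rest are
// denied here as a default-deny choice made for this example.
const DENIED_COMMANDS = new Set([
  "\\htmlData", "\\htmlId", "\\htmlClass", "\\htmlStyle", "\\includegraphics",
]);
const ALLOWED_PROTOCOLS = new Set(["https", "mailto"]);

// KaTeX calls a `trust` function with a context object such as
// { command: "\\href", url: "https://example.org", protocol: "https" }.
function trustPolicy(context) {
  if (DENIED_COMMANDS.has(context.command)) return false;
  if (context.command === "\\href" || context.command === "\\url") {
    return ALLOWED_PROTOCOLS.has(context.protocol);
  }
  return false; // any command not reviewed above stays untrusted
}

// Second workaround: refuse input containing a backslash followed by "htmlData".
function rejectsInput(tex) {
  return tex.includes("\\htmlData");
}

// `katex` is injected; in an application pass the real module here.
function renderUntrusted(katex, tex) {
  if (rejectsInput(tex)) {
    throw new Error("input rejected: contains \\htmlData");
  }
  return katex.renderToString(tex, { trust: trustPolicy });
}
```

The third workaround in the CVE text, sanitizing the HTML that KaTeX returns, is a separate step applied to the string `renderUntrusted` produces and is not shown here.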
--- Begin Message ---
Source: node-katex
Source-Version: 0.16.10+~cs6.1.0-7
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-katex, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-katex package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 26 Apr 2026 19:57:48 +0200
Source: node-katex
Architecture: source
Version: 0.16.10+~cs6.1.0-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1093446
Changes:
 node-katex (0.16.10+~cs6.1.0-7) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * Import fix for CVE-2025-23207 (Closes: #1093446)


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
