Re: [Pkg-javascript-devel] Bug#1074059: bookworm-pu: package nodejs/18.19.0+dfsg-6~deb12u2

2024-07-03 Thread Salvatore Bonaccorso
Hi,

On Wed, Jul 03, 2024 at 11:36:46PM +0200, Jérémy Lal wrote:
> On Wed, 3 Jul 2024 at 23:04, Andres Salomon wrote:
> 
> >
> >
> > On 6/25/24 16:34, Jérémy Lal wrote:
> > >
> > >
> > > On Tue, 25 Jun 2024 at 22:22, Salvatore Bonaccorso wrote:
> > [...]
> > >
> > > Thanks a lot for your work Adrian. Please note that there is
> > currently
> > > a nodejs upload pending for releasing via a DSA, which will rebase
> > > nodejs to 18.20.3+dfsg-1~deb12u1 so this might invalidate those
> > > changes.
> > >
> > > Jérémy, Aron is that something you want to have included in your
> > > prepared update?
> > >
> > >
> > > Indeed, it's applied to 18.20.3+dfsg-1~deb12u1, along with other skipped
> > > tests.
> > > I'll resume work on this by the end of the week.
> > >
> >
> > While we wait for this, is there any reason to keep the existing
> > 18.20.3+dfsg-1~deb12u1 upload in the embargoed security queue? Security
> > packages are actively building against it, which is a bit of a problem
> > for reproducibility. Someone actually asked me about oddities in the
> > chromium package that was originally built for bookworm-security, and
> > now sits in the 12.6 point release. It turns out that it built against
> > the embargoed nodejs, but since that nodejs package was never released,
> > they can't use it to reproduce the chromium in 12.6.
> >
> > If there's a new nodejs bookworm-security package being uploaded at some
> > point and the currently embargoed nodejs package will never be released,
> > perhaps we should REJECT it now?
> >
> 
> Sorry, probably me being overbooked here.
> I was supposed to check the regressions against it, and been on another job
> since then.

Aron is taking care of the DSA, so I do not want to interfere here with
his planning, but I am sharing an idea: there will be an upcoming release
for nodejs on Monday, 8th (it was actually planned for today):
https://nodejs.org/en/blog/vulnerability/july-2024-security-releases

Do you think you will be less overbooked, so that you can review the
regression report and, with Aron's help, work on fixing the new CVEs for
Monday's release, and we base the update upon that?

Again, I do not mean to interfere here with what Aron was thinking about
for releasing the packages.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


Re: [Pkg-javascript-devel] Bug#1074059: bookworm-pu: package nodejs/18.19.0+dfsg-6~deb12u2

2024-06-25 Thread Salvatore Bonaccorso
Hi all,

On Sat, Jun 22, 2024 at 06:26:23PM +0300, Adrian Bunk wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: secur...@debian.org, Debian Javascript Maintainers 
> , Jérémy Lal 
> 
> This upload aims at fixing the failing build of 18.19.0+dfsg-6~deb12u1
> on mips64el and mipsel.
> 
> The changes are:
> - copy mips/flaky_tests.patch with mips64el skip/flaky from 18.19.1+dfsg-6
> - add test-http2-forget-closed-streams to flaky on mips64el
> - skip two failing tests on mipsel
> 
> This is based on reading the output of the build failures last night
> with some testing done on amd64.
> 
> I am kinda optimistic that it will work and even in the worst case
> it shouldn't make anything worse, but there is not enough time to
> properly verify it on MIPS before the point release deadline.
> 
> I've just uploaded it, feel free to accept or reject it.

> diffstat for nodejs-18.19.0+dfsg nodejs-18.19.0+dfsg

Thanks a lot for your work Adrian. Please note that there is currently
a nodejs upload pending for releasing via a DSA, which will rebase
nodejs to 18.20.3+dfsg-1~deb12u1 so this might invalidate those
changes.

Jérémy, Aron is that something you want to have included in your
prepared update?

Regards,
Salvatore



Re: [Pkg-javascript-devel] Accepted node-sanitize-html 2.13.0+~2.11.0-1 (source) into unstable

2024-04-28 Thread Salvatore Bonaccorso
Source: node-sanitize-html
Source-Version: 2.13.0+~2.11.0-1

On Sun, Apr 28, 2024 at 02:40:18PM +, Debian FTP Masters wrote:
> Format: 1.8
> Date: Sun, 28 Apr 2024 17:48:12 +0400
> Source: node-sanitize-html
> Built-For-Profiles: nocheck
> Architecture: source
> Version: 2.13.0+~2.11.0-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Javascript Maintainers 
> 
> Changed-By: Yadd 
> Changes:
>  node-sanitize-html (2.13.0+~2.11.0-1) unstable; urgency=medium
>  .
>* Team upload
>* Update lintian override info format in d/source/lintian-overrides
>  on line 4-5
>* Declare compliance with policy 4.7.0
>* New upstream release (Closes: CVE-2024-21501)
>* Unfuzz patches





Re: [Pkg-javascript-devel] Accepted node-ip 2.0.1+~1.1.3-1 (source) into unstable

2024-04-28 Thread Salvatore Bonaccorso
Source: node-ip
Source-Version: 2.0.1+~1.1.3-1

On Sun, Apr 28, 2024 at 02:40:08PM +, Debian FTP Masters wrote:
> Format: 1.8
> Date: Sun, 28 Apr 2024 17:44:01 +0400
> Source: node-ip
> Architecture: source
> Version: 2.0.1+~1.1.3-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Javascript Maintainers 
> 
> Changed-By: Yadd 
> Changes:
>  node-ip (2.0.1+~1.1.3-1) unstable; urgency=medium
>  .
>* Team upload
>* Declare compliance with policy 4.7.0
>* New upstream version (Closes: CVE-2023-42282)
>* Unfuzz patches





Re: [Pkg-javascript-devel] Accepted node-es5-ext 0.10.64+dfsg1+~1.1.0-1 (source) into unstable

2024-04-28 Thread Salvatore Bonaccorso
Source: node-es5-ext
Source-Version: 0.10.64+dfsg1+~1.1.0-1

On Sun, Apr 28, 2024 at 02:39:58PM +, Debian FTP Masters wrote:
> Format: 1.8
> Date: Sun, 28 Apr 2024 17:42:38 +0400
> Source: node-es5-ext
> Architecture: source
> Version: 0.10.64+dfsg1+~1.1.0-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Javascript Maintainers 
> 
> Changed-By: Yadd 
> Changes:
>  node-es5-ext (0.10.64+dfsg1+~1.1.0-1) unstable; urgency=medium
>  .
>* Team upload
>* Declare compliance with policy 4.7.0
>* New upstream version (Closes: CVE-2024-27088)



[Pkg-javascript-devel] [ftpmas...@ftp-master.debian.org: Accepted node-express 4.19.2+~cs8.36.21-1 (source) into unstable]

2024-04-06 Thread Salvatore Bonaccorso
Source: node-express
Source-Version: 4.19.2+~cs8.36.21-1

- Forwarded message from Debian FTP Masters -

Format: 1.8
Date: Sun, 07 Apr 2024 07:52:14 +0400
Source: node-express
Architecture: source
Version: 4.19.2+~cs8.36.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Yadd 
Changes:
 node-express (4.19.2+~cs8.36.21-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 4.19.2+~cs8.36.21 (Closes: CVE-2024-29041)
   * Unfuzz patches




- End forwarded message -



[Pkg-javascript-devel] [ftpmas...@ftp-master.debian.org: Accepted nodejs 18.20.1+dfsg-1 (source) into unstable]

2024-04-03 Thread Salvatore Bonaccorso
Source: nodejs
Source-Version: 18.20.1+dfsg-1

- Forwarded message from Debian FTP Masters -

Format: 1.8
Date: Wed, 03 Apr 2024 16:50:38 +0200
Source: nodejs
Architecture: source
Version: 18.20.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Jérémy Lal 
Changes:
 nodejs (18.20.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 18.20.1+dfsg
 + CVE-2024-27983: HTTP/2 server crash (High)
 + CVE-2024-27982: HTTP Request Smuggling (Medium)
   * Breaks libnode108, not 109
   * copyright: remove file
   * Drop build/test_dns_resolveany_bad_ancount.patch, applied




- End forwarded message -



[Pkg-javascript-devel] Bug#1067805: node-katex: CVE-2024-28243 CVE-2024-28244 CVE-2024-28245 CVE-2024-28246

2024-03-26 Thread Salvatore Bonaccorso
Source: node-katex
Version: 0.16.4+~cs6.1.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for node-katex.

CVE-2024-28243[0]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\edef` that causes a near-infinite
| loop, despite setting `maxExpand` to avoid such loops. This can be
| used as an availability attack, where e.g. a client rendering
| another user's KaTeX input will be unable to use the site due to
| memory overflow, tying up the main thread, or stack overflow.
| Upgrade to KaTeX v0.16.10 to remove this vulnerability.


CVE-2024-28244[1]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\def` or `\newcommand` that causes
| a near-infinite loop, despite setting `maxExpand` to avoid such
| loops. KaTeX supports an option named maxExpand which aims to
| prevent infinitely recursive macros from consuming all available
| memory and/or triggering a stack overflow error. Unfortunately,
| support for "Unicode (sub|super)script characters" allows an
| attacker to bypass this limit. Each sub/superscript group
| instantiated a separate Parser with its own limit on macro
| executions, without inheriting the current count of macro executions
| from its parent. This has been corrected in KaTeX v0.16.10.


CVE-2024-28245[2]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| KaTeX users who render untrusted mathematical expressions could
| encounter malicious input using `\includegraphics` that runs
| arbitrary JavaScript, or generate invalid HTML. Upgrade to KaTeX
| v0.16.10 to remove this vulnerability.


CVE-2024-28246[3]:
| KaTeX is a JavaScript library for TeX math rendering on the web.
| Code that uses KaTeX's `trust` option, specifically that provides a
| function to blacklist certain URL protocols, can be fooled by URLs
| in malicious inputs that use uppercase characters in the protocol.
| In particular, this can allow for malicious input to generate
| `javascript:` links in the output, even if the `trust` function
| tries to forbid this protocol via `trust: (context) =>
| context.protocol !== 'javascript'`. Upgrade to KaTeX v0.16.10 to
| remove this vulnerability.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28243
https://www.cve.org/CVERecord?id=CVE-2024-28243
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-64fm-8hw2-v72w
[1] https://security-tracker.debian.org/tracker/CVE-2024-28244
https://www.cve.org/CVERecord?id=CVE-2024-28244
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-cvr6-37gx-v8wc
[2] https://security-tracker.debian.org/tracker/CVE-2024-28245
https://www.cve.org/CVERecord?id=CVE-2024-28245
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-f98w-7cxr-ff2h
[3] https://security-tracker.debian.org/tracker/CVE-2024-28246
https://www.cve.org/CVERecord?id=CVE-2024-28246
https://github.com/KaTeX/KaTeX/security/advisories/GHSA-3wc5-fcw2-2329

Regards,
Salvatore

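As an added illustration of the `trust` bypass quoted in the report above (CVE-2024-28246), not code from KaTeX or from this bug report: the case-sensitive blocklist callback from the advisory next to a hardened allowlist one, both run over constructed URLs. `context.protocol` and the `_relative` value are KaTeX's documented trust-context fields; the scheme extractor and every other name here are assumptions.

```javascript
// Added example; not KaTeX's own code. It models the check CVE-2024-28246
// describes: a `trust` callback that blocklists the exact string 'javascript'
// lets the same scheme through when it reaches the callback in another case.
// Assumptions: the renderer extracts the scheme from the URL as written, and
// the trust context has the shape { url, protocol } with '_relative' for
// URLs that carry no scheme (KaTeX documents both fields).

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":".
const SCHEME_RE = /^([a-zA-Z][a-zA-Z0-9+.-]*):/;

// Scheme exactly as written in the URL (letter case preserved), or
// '_relative' when there is none. Nothing here normalises case.
function rawProtocol(url) {
  const m = SCHEME_RE.exec(url);
  return m ? m[1] : '_relative';
}

// The callback quoted in the advisory: a case-sensitive blocklist.
function weakTrust(context) {
  return context.protocol !== 'javascript';
}

// Hardened callback: lowercase the scheme first, then allowlist the schemes
// the site actually wants instead of blocklisting the dangerous one.
const ALLOWED_PROTOCOLS = new Set(['http', 'https', 'mailto', '_relative']);

function hardenedTrust(context) {
  const proto = String(context.protocol).toLowerCase();
  return ALLOWED_PROTOCOLS.has(proto);
}

// What a renderer does before emitting a link: build the trust context and
// ask the callback. Returns true when the link may be emitted.
function isUrlTrusted(url, trustFn) {
  return trustFn({ url, protocol: rawProtocol(url) });
}

// Constructed inputs: one ordinary link, three spellings of the scheme the
// advisory is about, one relative link.
const SAMPLE_URLS = [
  'https://example.org/page',
  'javascript:void(0)',
  'JavaScript:void(0)',
  'JAVASCRIPT:void(0)',
  'docs/intro.html',
];

// Maps each sample URL to the verdict of the given callback.
function evaluateAll(trustFn) {
  return Object.fromEntries(SAMPLE_URLS.map((u) => [u, isUrlTrusted(u, trustFn)]));
}

// Weak verdicts: only the all-lowercase spelling is refused.
console.log(evaluateAll(weakTrust));
// Hardened verdicts: every spelling of the javascript scheme is refused.
console.log(evaluateAll(hardenedTrust));
```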


[Pkg-javascript-devel] Bug#1066971: node-follow-redirects: CVE-2024-28849

2024-03-16 Thread Salvatore Bonaccorso
Source: node-follow-redirects
Version: 1.15.3+~1.14.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/psf/requests/issues/1885
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-follow-redirects.

CVE-2024-28849[0]:
| follow-redirects is an open source, drop-in replacement for Node's
| `http` and `https` modules that automatically follows redirects. In
| affected versions follow-redirects only clears authorization header
| during cross-domain redirect, but keep the proxy-authentication
| header which contains credentials too. This vulnerability may lead
| to credentials leak, but has been addressed in version 1.15.6. Users
| are advised to upgrade. There are no known workarounds for this
| vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28849
https://www.cve.org/CVERecord?id=CVE-2024-28849
[1] https://github.com/psf/requests/issues/1885
[2] 
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
[3] 
https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1064933: node-es5-ext: CVE-2024-27088

2024-02-27 Thread Salvatore Bonaccorso
Source: node-es5-ext
Version: 0.10.62+dfsg1+~1.1.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/medikoo/es5-ext/issues/201
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-es5-ext.

CVE-2024-27088[0]:
| es5-ext contains ECMAScript 5 extensions. Passing functions with
| very long names or complex default argument names into
| `function#copy` or `function#toStringTokens` may cause the script to
| stall. The vulnerability is patched in v0.10.63.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-27088
https://www.cve.org/CVERecord?id=CVE-2024-27088
[1] https://github.com/medikoo/es5-ext/issues/201
[2] https://github.com/medikoo/es5-ext/security/advisories/GHSA-4gmj-3p3h-gm8h

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1064808: node-sanitize-html: CVE-2024-21501

2024-02-25 Thread Salvatore Bonaccorso
Source: node-sanitize-html
Version: 2.8.0+~2.6.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/apostrophecms/sanitize-html/pull/650
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-sanitize-html.

CVE-2024-21501[0]:
| Versions of the package sanitize-html before 2.12.1 are vulnerable
| to Information Exposure when used on the backend and with the style
| attribute allowed, allowing enumeration of files in the system
| (including project dependencies). An attacker could exploit this
| vulnerability to gather details about the file system structure and
| dependencies of the targeted server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-21501
https://www.cve.org/CVERecord?id=CVE-2024-21501
[1] https://github.com/apostrophecms/sanitize-html/pull/650
[2] 
https://github.com/apostrophecms/sanitize-html/commit/075499d1b98c387f4200fd59972ca9b15796b51b

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1064312: node-undici: CVE-2024-24758

2024-02-19 Thread Salvatore Bonaccorso
Source: node-undici
Version: 5.28.2+dfsg1+~cs23.11.12.3-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-undici.

CVE-2024-24758[0]:
| Undici is an HTTP/1.1 client, written from scratch for Node.js.
| Undici already cleared Authorization headers on cross-origin
| redirects, but did not clear `Proxy-Authentication` headers. This
| issue has been patched in versions 5.28.3 and 6.6.1. Users are
| advised to upgrade. There are no known workarounds for this
| vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-24758
https://www.cve.org/CVERecord?id=CVE-2024-24758
[1] https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3
[2] 
https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

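The header-stripping defect described in this report and in the node-follow-redirects one above (CVE-2024-28849), as an added example that is neither follow-redirects' nor undici's code: a redirect header filter in its pre-fix form, which only knows about Authorization, beside the fixed form. The request header carrying proxy credentials is Proxy-Authorization (RFC 7235); the advisory texts call it "proxy-authentication". Function names, header sets and the sample request are assumptions.

```javascript
// Added example; not follow-redirects' or undici's code. It models the defect
// behind CVE-2024-28849 and CVE-2024-24758: a redirect to another origin drops
// Authorization but keeps the proxy credential header, so proxy credentials
// reach the redirect target. Assumptions: header sets and function names are
// this example's own; headers are a plain object keyed by header name.

// Request headers that carry credentials. Pre-fix, only the first was known
// to the redirect logic; the fixed list adds Proxy-Authorization (the request
// header of RFC 7235) and Cookie.
const DROP_BEFORE_FIX = ['authorization'];
const DROP_AFTER_FIX = ['authorization', 'proxy-authorization', 'cookie'];

// Origin = scheme + host + port, which the WHATWG URL parser exposes as
// `origin` (default ports are folded in). The advisories say "cross-domain"
// and "cross-origin"; a host change is cross-origin either way.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Builds the header set for the follow-up request. Header names are
// compared case-insensitively, as HTTP requires; values are left untouched.
function headersForRedirect(fromUrl, toUrl, headers, dropList) {
  const drop = new Set(dropList);
  const cross = isCrossOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (cross && drop.has(name.toLowerCase())) continue; // strip credential
    out[name] = value;
  }
  return out;
}

// Pre-fix behaviour: Proxy-Authorization survives a cross-origin redirect.
function redirectHeadersVulnerable(fromUrl, toUrl, headers) {
  return headersForRedirect(fromUrl, toUrl, headers, DROP_BEFORE_FIX);
}

// Fixed behaviour: every credential-bearing header is removed.
function redirectHeadersFixed(fromUrl, toUrl, headers) {
  return headersForRedirect(fromUrl, toUrl, headers, DROP_AFTER_FIX);
}

// Constructed sample: a request carrying a bearer token and proxy
// credentials, answered by a 302 to a different origin.
const SAMPLE_REQUEST = {
  url: 'https://api.example.com/v1/data',
  headers: {
    Authorization: 'Bearer constructed-token',
    'Proxy-Authorization': 'Basic constructed-proxy-credentials',
    Accept: 'application/json',
  },
};
const CROSS_ORIGIN_TARGET = 'https://other.example.net/moved';
const SAME_ORIGIN_TARGET = 'https://api.example.com/v2/data';

// Lists which credential headers would still be sent to `toUrl` under each
// policy, so the leak is visible as data rather than only as a printout.
function leakedCredentialHeaders(toUrl) {
  const h = SAMPLE_REQUEST.headers;
  const pick = (obj) =>
    Object.keys(obj).filter((n) => DROP_AFTER_FIX.includes(n.toLowerCase()));
  return {
    vulnerable: pick(redirectHeadersVulnerable(SAMPLE_REQUEST.url, toUrl, h)),
    fixed: pick(redirectHeadersFixed(SAMPLE_REQUEST.url, toUrl, h)),
  };
}

console.log(leakedCredentialHeaders(CROSS_ORIGIN_TARGET));
// { vulnerable: [ 'Proxy-Authorization' ], fixed: [] }
```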


[Pkg-javascript-devel] Bug#1059926: node-follow-redirects: CVE-2023-26159

2024-01-03 Thread Salvatore Bonaccorso
Source: node-follow-redirects
Version: 1.15.3+~1.14.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/follow-redirects/follow-redirects/issues/235
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-follow-redirects.

CVE-2023-26159[0]:
| Versions of the package follow-redirects before 1.15.4 are
| vulnerable to Improper Input Validation due to the improper handling
| of URLs by the url.parse() function. When new URL() throws an error,
| it can be manipulated to misinterpret the hostname. An attacker
| could exploit this weakness to redirect traffic to a malicious site,
| potentially leading to information disclosure, phishing attacks, or
| other security breaches.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26159
https://www.cve.org/CVERecord?id=CVE-2023-26159
[1] https://github.com/follow-redirects/follow-redirects/issues/235

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-12-20 Thread Salvatore Bonaccorso
Hi,

[CC'ing node-undici uploader]

On Wed, Dec 20, 2023 at 09:12:36PM +0100, Jérémy Lal wrote:
> On Wed, 19 Jul 2023 at 21:51, Jérémy Lal wrote:
> 
> >
> >
> > On Wed, 19 Jul 2023 at 14:18, Moritz Mühlenhoff wrote:
> >
> >> On Fri, Jun 30, 2023 at 08:12:37PM +0200, Jérémy Lal wrote:
> >> > Hi,
> >> >
> >> > On Fri, 30 Jun 2023 at 19:21, Salvatore Bonaccorso wrote:
> >> >
> >> > > Source: nodejs
> >> > > Version: 18.13.0+dfsg1-1
> >> > > Severity: important
> >> > > Tags: security upstream
> >> > > X-Debbugs-Cc: car...@debian.org, Debian Security Team <
> >> > > t...@security.debian.org>
> >> > >
> >> > > Hi,
> >> > >
> >> > > The following vulnerabilities were published for nodejs.
> >> > >
> >> > > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and
> >> > > CVE-2023-30590[3].
> >> > >
> >> > >
> >> > > If you fix the vulnerabilities please also make sure to include the
> >> > > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >> > >
> >> >
> >> > It would be interesting to know if we adopt the same plan we had with
> >> > security team:
> >> > full upstream updates in the same branch, 18.x here.
> >>
> >> Ack, let's do that. Could you prepare bookworm-security updates
> >> based on 18.17.0 (after it has landed in unstable)?
> >
> >
> nodejs 18.19.0 has landed in testing.
> It rebuilds fine in bookworm, and test-suite-during-build pass on amd64.
> 
> It also requires "node-undici", precisely for that change:
> 
> node-undici (5.28.2+dfsg1+~cs23.11.12.3-2) unstable; urgency=medium
> 
>   * Build and publish undici-types, needed by new @types/node
> 
> Is there a way to deal with this ?

Then I guess we need this as pre-requisite upload to bookworm as well.

Maybe Moritz has a better idea, but one option is to propose this
update regularly as bookworm-pu and, once it's in proposed-updates, ask
DSA to make the security chroots pick up updates from
proposed-updates as well, if we plan to release nodejs via a DSA (or
otherwise via bookworm-pu as well).

One other alternative is to make a non-security upload for
node-undici containing that change to the security archive, which the
nodejs update can pick up.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1056099: node-axios: CVE-2023-45857

2023-11-16 Thread Salvatore Bonaccorso
Source: node-axios
Version: 1.5.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/axios/axios/issues/6006
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-axios.

CVE-2023-45857[0]:
| An issue discovered in Axios 1.5.1 inadvertently reveals the
| confidential XSRF-TOKEN stored in cookies by including it in the
| HTTP header X-XSRF-TOKEN for every request made to any host allowing
| attackers to view sensitive information.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45857
https://www.cve.org/CVERecord?id=CVE-2023-45857
[1] https://github.com/axios/axios/issues/6006
[2] https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
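The two URL-handling reports above share one defensive rule: CVE-2023-26159 (follow-redirects) arises when a failed `new URL()` parse is retried with the more lenient `url.parse()`, which can yield a different hostname, and CVE-2023-45857 (axios) arises when a cookie-derived XSRF token is copied into a header for requests to any host. The Node.js code below is an added example, not code from either project; it parses only with the WHATWG `URL` class, treats a parse failure as fatal, and attaches the token only to same-origin requests (function names and sample URLs are mine, constructed for illustration).

```javascript
// Parse with the WHATWG parser and nothing else. A fallback to the legacy
// url.parse() would let a string the strict parser rejects be interpreted
// with a different host, so a parse failure is reported as null and the
// caller must treat it as an error, never as "try another parser".
function parseStrict(input, base) {
  if (typeof input !== 'string') return null;
  let u;
  try {
    u = new URL(input, base);
  } catch {
    return null;
  }
  // Only web origins are meaningful for redirects and for cookies.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  return u;
}

// Resolve a Location header value against the URL of the response that
// carried it. Returns { ok: true, url, host } or { ok: false, reason }.
function resolveRedirect(currentUrl, location) {
  const target = parseStrict(location, currentUrl);
  if (target === null) {
    return { ok: false, reason: 'unparseable or non-http redirect target' };
  }
  return { ok: true, url: target.href, host: target.hostname };
}

// Two URLs are same-origin when scheme, host and port all agree. URL.origin
// already normalises default ports (":443" for https is dropped), so a
// string comparison of the two origins is sufficient.
function isSameOrigin(a, b) {
  const ua = parseStrict(a);
  const ub = parseStrict(b);
  return ua !== null && ub !== null && ua.origin === ub.origin;
}

// A CSRF token read from a cookie is only valid for the origin that set
// the cookie; sending it anywhere else hands it to a third party.
function shouldAttachXsrfToken(pageUrl, requestUrl) {
  return isSameOrigin(pageUrl, requestUrl);
}
```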


[Pkg-javascript-devel] Bug#1055612: libjs-bootbox: CVE-2023-46998

2023-11-08 Thread Salvatore Bonaccorso
Source: libjs-bootbox
Version: 5.5.3~ds-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/bootboxjs/bootbox/issues/661
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for libjs-bootbox.

CVE-2023-46998[0]:
| Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2
| through 6.0 allows a remote attacker to execute arbitrary code via a
| crafted payload to alert(), confirm(), prompt() functions.

At time of writing, there is no upstream fix for this issue. Cf. as
well [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46998
https://www.cve.org/CVERecord?id=CVE-2023-46998
[1] https://github.com/bootboxjs/bootbox/issues/661

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1054667: Bug#1054667: node-browserify-sign: CVE-2023-46234

2023-10-29 Thread Salvatore Bonaccorso
Hi Yadd,

On Sat, Oct 28, 2023 at 12:05:25PM +0400, Yadd wrote:
> On 10/27/23 20:20, Moritz Mühlenhoff wrote:
> > Source: node-browserify-sign
> > X-Debbugs-CC: t...@security.debian.org
> > Severity: grave
> > Tags: security
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-browserify-sign.
> > 
> > CVE-2023-46234[0]:
> > | browserify-sign is a package to duplicate the functionality of
> > | node's crypto public key functions, much of this is based on Fedor
> > | Indutny's work on indutny/tls.js. An upper bound check issue in
> > | `dsaVerify` function allows an attacker to construct signatures that
> > | can be successfully verified by any public key, thus leading to a
> > | signature forgery attack. All places in this project that involve
> > | DSA verification of user-input signatures will be affected by this
> > | vulnerability. This issue has been patched in version 4.2.2.
> > 
> > https://github.com/browserify/browserify-sign/security/advisories/GHSA-x9w5-v3q2-3rhw
> > https://github.com/browserify/browserify-sign/commit/85994cd6348b50f2fd1b73c54e20881416f44a30
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2023-46234
> >  https://www.cve.org/CVERecord?id=CVE-2023-46234
> > 
> > Please adjust the affected versions in the BTS as needed.
> 
> Hi,
> 
> please find attached the debdiff for Bookworm

Thanks, looks good, and I think we can release a DSA for it.

FTR, please wait next time for an ack first.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
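The advisory quoted above turns on one missing range check: DSA verification must reject any r or s that is not strictly between 0 and q before doing any arithmetic with it. The block below is an added example in plain Node.js BigInt, not browserify-sign's code, implementing textbook DSA signing and verification over constructed toy parameters (p = 23, q = 11, g = 4, chosen only so the numbers can be checked by hand) and showing the bound check rejecting out-of-range values.

```javascript
// Toy DSA domain parameters, constructed for illustration only:
// p = 23, q = 11 divides p - 1 = 22, and g = 4 has order 11 modulo 23.
const P = 23n, Q = 11n, G = 4n;

function modPow(base, exp, mod) {
  let result = 1n;
  base %= mod;
  while (exp > 0n) {
    if (exp & 1n) result = (result * base) % mod;
    base = (base * base) % mod;
    exp >>= 1n;
  }
  return result;
}

// Modular inverse by the extended Euclidean algorithm; throws when none exists.
function modInv(a, m) {
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const qt = oldR / r;
    [oldR, r] = [r, oldR - qt * r];
    [oldS, s] = [s, oldS - qt * s];
  }
  if (oldR !== 1n) throw new Error('no modular inverse');
  return ((oldS % m) + m) % m;
}

// The check the advisory describes as missing: both halves of a signature
// must satisfy 0 < value < q. Anything else is rejected up front instead of
// being fed into the verification equation.
function inRange(value, q) {
  return value > 0n && value < q;
}

// Sign hash h with private key x and per-signature nonce k. Keeping k secret
// and unique is the caller's job; it is fixed here only for reproducibility.
function dsaSign(h, x, k) {
  const r = modPow(G, k, P) % Q;
  const s = (modInv(k, Q) * (h + x * r)) % Q;
  if (r === 0n || s === 0n) throw new Error('retry with a different k');
  return { r, s };
}

// Verify signature (r, s) on hash h under public key y = g^x mod p.
function dsaVerify(h, y, { r, s }) {
  if (!inRange(r, Q) || !inRange(s, Q)) return false;
  const w = modInv(s, Q);
  const u1 = (h * w) % Q;
  const u2 = (r * w) % Q;
  const v = ((modPow(G, u1, P) * modPow(y, u2, P)) % P) % Q;
  return v === r;
}

// Worked values: x = 3 gives y = 4^3 mod 23 = 18; h = 7 and k = 6 give
// (r, s) = (2, 4). The three rejected cases show the range check at work.
function demo() {
  const x = 3n, y = modPow(G, x, P), h = 7n;
  const sig = dsaSign(h, x, 6n);
  return {
    sig,
    valid: dsaVerify(h, y, sig),                    // true
    rAtQ: dsaVerify(h, y, { r: Q, s: sig.s }),      // false: r == q
    sAtQ: dsaVerify(h, y, { r: sig.r, s: Q }),      // false: s == q
    wrongHash: dsaVerify(9n, y, sig),               // false
  };
}
```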


[Pkg-javascript-devel] Bug#1054892: nodejs: CVE-2023-39333 CVE-2023-38552

2023-10-28 Thread Salvatore Bonaccorso
Source: nodejs
Version: 18.13.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-39333[0]:
| Code injection via WebAssembly export names


CVE-2023-38552[1]:
| When the Node.js policy feature checks the integrity of a resource
| against a trusted manifest, the application can intercept the
| operation and return a forged checksum to the node's policy
| implementation, thus effectively disabling the integrity check.
| Impacts: This vulnerability affects all users using the experimental
| policy mechanism in all active release lines: 18.x and 20.x. Please
| note that at the time this CVE was issued, the policy mechanism is
| an experimental feature of Node.js.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-39333
https://www.cve.org/CVERecord?id=CVE-2023-39333
[1] https://security-tracker.debian.org/tracker/CVE-2023-38552
https://www.cve.org/CVERecord?id=CVE-2023-38552
[2] https://nodejs.org/en/blog/vulnerability/october-2023-security-releases

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1053282: node-postcss: CVE-2023-44270

2023-09-30 Thread Salvatore Bonaccorso
Source: node-postcss
Version: 8.4.20+~cs8.0.23-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-postcss.

CVE-2023-44270[0]:
| An issue was discovered in PostCSS before 8.4.31. It affects linters
| using PostCSS to parse external Cascading Style Sheets (CSS). There
| may be \r discrepancies, as demonstrated by @font-face{
| font:(\r/*);} in a rule.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44270
https://www.cve.org/CVERecord?id=CVE-2023-44270
[1] https://github.com/postcss/postcss/commit/58cc860b4c1707510c9cd1bc1fa30b423a9ad6c5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1053262: node-get-func-name: CVE-2023-43646

2023-09-30 Thread Salvatore Bonaccorso
Source: node-get-func-name
Version: 2.0.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-get-func-name.

CVE-2023-43646[0]:
| get-func-name is a module to retrieve a function's name securely and
| consistently both in NodeJS and the browser. Versions prior to 2.0.1
| are subject to a regular expression denial of service (redos)
| vulnerability which may lead to a denial of service when parsing
| malicious input. This vulnerability can be exploited when there is
| an imbalance in parentheses, which results in excessive backtracking
| and subsequently increases the CPU load and processing time
| significantly. This vulnerability can be triggered using the
| following input: '\t'.repeat(54773) + '\t/function/i'. This issue
| has been addressed in commit `f934b228b` which has been included in
| releases from 2.0.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43646
https://www.cve.org/CVERecord?id=CVE-2023-43646
[1] https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
[2] https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1050739: nodejs: CVE-2023-32002 CVE-2023-32006 CVE-2023-32559

2023-08-28 Thread Salvatore Bonaccorso
Source: nodejs
Version: 18.13.0+dfsg1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-32002[0]:
| The use of `Module._load()` can bypass the policy mechanism and
| require modules outside of the policy.json definition for a given
| module.  This vulnerability affects all users using the experimental
| policy mechanism in all active release lines: 16.x, 18.x and 20.x.
| Please note that at the time this CVE was issued, the policy is an
| experimental feature of Node.js.


CVE-2023-32006[1]:
| The use of `module.constructor.createRequire()` can bypass the
| policy mechanism and require modules outside of the policy.json
| definition for a given module.  This vulnerability affects all users
| using the experimental policy mechanism in all active release lines:
| 16.x, 18.x, and 20.x. Please note that at the time this CVE was
| issued, the policy is an experimental feature of Node.js.


CVE-2023-32559[2]:
| A privilege escalation vulnerability exists in the experimental
| policy mechanism in all active release lines: 16.x, 18.x and 20.x.
| The use of the deprecated API `process.binding()` can bypass the
| policy mechanism by requiring internal modules and eventually take
| advantage of `process.binding('spawn_sync')` to run arbitrary code,
| outside of the limits defined in a `policy.json` file. Please note
| that at the time this CVE was issued, the policy is an experimental
| feature of Node.js.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32002
https://www.cve.org/CVERecord?id=CVE-2023-32002
[1] https://security-tracker.debian.org/tracker/CVE-2023-32006
https://www.cve.org/CVERecord?id=CVE-2023-32006
[2] https://security-tracker.debian.org/tracker/CVE-2023-32559
https://www.cve.org/CVERecord?id=CVE-2023-32559

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-06-30 Thread Salvatore Bonaccorso
Hi

[CC'ing the security team alias]

On Fri, Jun 30, 2023 at 08:12:37PM +0200, Jérémy Lal wrote:
> Hi,
> 
> On Fri, 30 Jun 2023 at 19:21, Salvatore Bonaccorso wrote:
> 
> > Source: nodejs
> > Version: 18.13.0+dfsg1-1
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <
> > t...@security.debian.org>
> >
> > Hi,
> >
> > The following vulnerabilities were published for nodejs.
> >
> > CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and
> > CVE-2023-30590[3].
> >
> >
> > If you fix the vulnerabilities please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
> >
> 
> It would be interesting to know if we adopt the same plan we had with
> security team:
> full upstream updates in the same branch, 18.x here.

Yes I think we can do the same for bookworm and follow the 18.x
releases given it is a LTS branch. Unless you have some reason to
believe it would not be wise to do for the 18.x series.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-06-30 Thread Salvatore Bonaccorso
Source: nodejs
Version: 18.13.0+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-30581[0], CVE-2023-30588[1], CVE-2023-30589[2] and
CVE-2023-30590[3].


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-30581
https://www.cve.org/CVERecord?id=CVE-2023-30581
[1] https://security-tracker.debian.org/tracker/CVE-2023-30588
https://www.cve.org/CVERecord?id=CVE-2023-30588
[2] https://security-tracker.debian.org/tracker/CVE-2023-30589
https://www.cve.org/CVERecord?id=CVE-2023-30589
[3] https://security-tracker.debian.org/tracker/CVE-2023-30590
https://www.cve.org/CVERecord?id=CVE-2023-30590
[4] https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-1-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Accepted jquery-minicolors 2.3.5+dfsg-4 (source) into unstable

2023-05-31 Thread Salvatore Bonaccorso
Source: jquery-minicolors
Source-Version: 2.3.5+dfsg-4

- Forwarded message from Debian FTP Masters -

Format: 1.8
Date: Wed, 31 May 2023 16:44:37 +0400
Source: jquery-minicolors
Architecture: source
Version: 2.3.5+dfsg-4
Distribution: unstable
Urgency: medium
Maintainer: Debian JavaScript Maintainers 

Changed-By: Yadd 
Changes:
 jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.6.2
   * Fix cross-site scripting issue (Closes: CVE-2021-32850)



- End forwarded message -

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1035580: node-yaml: CVE-2023-2251

2023-05-05 Thread Salvatore Bonaccorso
Source: node-yaml
Version: 2.1.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-yaml.

CVE-2023-2251[0]:
| Uncaught Exception in GitHub repository eemeli/yaml.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-2251
https://www.cve.org/CVERecord?id=CVE-2023-2251
[1] https://huntr.dev/bounties/4b494e99-5a3e-40d9-8678-277f3060e96c
[2] https://www.github.com/eemeli/yaml/commit/984f5781ffd807e58cad3b5c8da1f940dab75fba

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1034481: ckeditor: CVE-2023-28439

2023-04-16 Thread Salvatore Bonaccorso
Source: ckeditor
Version: 4.19.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for ckeditor.

CVE-2023-28439[0]:
| CKEditor4 is an open source what-you-see-is-what-you-get HTML editor.
| A cross-site scripting vulnerability has been discovered affecting
| Iframe Dialog and Media Embed packages. The vulnerability may trigger
| a JavaScript code after fulfilling special conditions: using one of
| the affected packages on a web page with missing proper Content
| Security Policy configuration; initializing the editor on an element
| and using an element other than `textarea` as a base; and
| destroying the editor instance. This vulnerability might affect a
| small percentage of integrators that depend on dynamic editor
| initialization/destroy mechanism. A fix is available in CKEditor4
| version 4.21.0. In some rare cases, a security fix may be considered a
| breaking change. Starting from version 4.21.0, the Iframe Dialog
| plugin applies the `sandbox` attribute by default, which restricts
| JavaScript code execution in the iframe element. To change this
| behavior, configure the `config.iframe_attributes` option. Also
| starting from version 4.21.0, the Media Embed plugin regenerates the
| entire content of the embed widget by default. To change this
| behavior, configure the `config.embed_keepOriginalContent` option.
| Those who choose to enable either of the more permissive options or
| who cannot upgrade to a patched version should properly configure
| Content Security Policy to avoid any potential security issues that
| may arise from embedding iframe elements on their web page.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28439
https://www.cve.org/CVERecord?id=CVE-2023-28439
[1] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
[2] https://github.com/ckeditor/ckeditor4/commit/b85af23f020a61397c6c0024aef73f2c7f62bfef

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1034148: node-xml2js: CVE-2023-0842

2023-04-10 Thread Salvatore Bonaccorso
Source: node-xml2js
Version: 0.4.23+~cs15.4.0+dfsg-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/Leonidas-from-XIV/node-xml2js/issues/663
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-xml2js.

CVE-2023-0842[0]:
| xml2js version 0.4.23 allows an external attacker to edit or add new
| properties to an object. This is possible because the application does
| not properly validate incoming JSON keys, thus allowing the __proto__
| property to be edited.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-0842
https://www.cve.org/CVERecord?id=CVE-2023-0842
[1] https://github.com/Leonidas-from-XIV/node-xml2js/issues/663

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
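The xml2js report above (CVE-2023-0842, `__proto__` accepted as a key when building objects from parsed input) and the xmldom `copy` report later on this page (CVE-2022-37616) are the same bug class: a parser writes attacker-chosen key names onto ordinary objects with plain property assignment. The Node.js code below is an added example, not code from either package; it puts a naive recursive merge beside a hardened one that refuses the prototype-shaping keys and builds null-prototype containers, using a constructed JSON payload as stand-in for parsed XML.

```javascript
// Keys that change the shape of every object when written through a
// plain property assignment on an object that inherits from Object.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe: the way a naive parser turns parsed key/value pairs into an
// object. When source has an own key named "__proto__", target[key] resolves
// to Object.prototype, so the recursion writes the nested keys onto the
// prototype shared by every object in the process.
function mergeUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === undefined) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: refuse the forbidden names outright (skipping them silently is
// the other common choice), only recurse into containers the target owns,
// and create nested containers without a prototype at all.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to set key ${JSON.stringify(key)}`);
    }
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (!Object.prototype.hasOwnProperty.call(target, key)) {
        target[key] = Object.create(null);
      }
      mergeSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// JSON.parse creates a real own property named "__proto__" (an object
// literal would not), which is exactly what a parser produces from input.
const HOSTILE = '{"__proto__": {"polluted": "yes"}, "name": "ok"}'; // constructed

// Shows the pollution and then removes it so the rest of the process is clean.
function demoUnsafe() {
  mergeUnsafe({}, JSON.parse(HOSTILE));
  const leaked = ({}).polluted;      // "yes": an unrelated object now has it
  delete Object.prototype.polluted;  // undo the damage for this demo
  return leaked;
}

function demoSafe() {
  let rejected = false;
  try {
    mergeSafe({}, JSON.parse(HOSTILE));
  } catch {
    rejected = true;
  }
  return { rejected, leaked: ({}).polluted };  // { rejected: true, leaked: undefined }
}
```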


[Pkg-javascript-devel] Bug#1032904: node-webpack: CVE-2023-28154

2023-03-13 Thread Salvatore Bonaccorso
Source: node-webpack
Version: 5.75.0+dfsg+~cs17.16.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/webpack/webpack/pull/16500
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-webpack.

CVE-2023-28154[0]:
| Webpack 5 before 5.76.0 does not avoid cross-realm object access.
| ImportParserPlugin.js mishandles the magic comment feature. An
| attacker who controls a property of an untrusted object can obtain
| access to the real global object.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28154
https://www.cve.org/CVERecord?id=CVE-2023-28154
[1] https://github.com/webpack/webpack/pull/16500

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1032313: node-mermaid: CVE-2022-48345

2023-03-03 Thread Salvatore Bonaccorso
Source: node-mermaid
Version: 8.14.0+~cs11.4.14-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-mermaid.

CVE-2022-48345[0]:
| sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via
| HTML entities.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-48345
https://www.cve.org/CVERecord?id=CVE-2022-48345
[1] https://github.com/braintree/sanitize-url/commit/d4bdc89f1743fe3cdb7c3f24b06e4c875f349b0c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1031834: nodejs: CVE-2023-23918 CVE-2023-23919 CVE-2023-23920

2023-02-23 Thread Salvatore Bonaccorso
Source: nodejs
Version: 18.13.0+dfsg1-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for nodejs.

CVE-2023-23918[0]:
| A privilege escalation vulnerability exists in Node.js 19.6.1,
| 18.14.1, 16.19.1 and 14.21.3 that made it possible to
| bypass the experimental Permissions
| (https://nodejs.org/api/permissions.html) feature in Node.js and
| access non authorized modules by using process.mainModule.require().
| This only affects users who had enabled the experimental permissions
| option with --experimental-policy.


CVE-2023-23919[1]:
| A cryptographic vulnerability exists in Node.js 19.2.0,
| 18.14.1, 16.19.1, 14.21.3 that in some cases did not
| clear the OpenSSL error stack after operations that may set it. This
| may lead to false positive errors during subsequent cryptographic
| operations that happen to be on the same thread. This in turn could be
| used to cause a denial of service.


CVE-2023-23920[2]:
| An untrusted search path vulnerability exists in Node.js. 19.6.1,
| 18.14.1, 16.19.1, and 14.21.3 that could allow an attacker
| to search and potentially load ICU data when running with elevated
| privileges.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23918
https://www.cve.org/CVERecord?id=CVE-2023-23918
[1] https://security-tracker.debian.org/tracker/CVE-2023-23919
https://www.cve.org/CVERecord?id=CVE-2023-23919
[2] https://security-tracker.debian.org/tracker/CVE-2023-23920
https://www.cve.org/CVERecord?id=CVE-2023-23920

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1031791: jquery-minicolors: CVE-2021-32850

2023-02-22 Thread Salvatore Bonaccorso
Source: jquery-minicolors
Version: 2.3.5+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for jquery-minicolors.

CVE-2021-32850[0]:
| jQuery MiniColors is a color picker built on jQuery. Prior to version
| 2.3.6, jQuery MiniColors is prone to cross-site scripting when
| handling untrusted color names. This issue is patched in version
| 2.3.6.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32850
https://www.cve.org/CVERecord?id=CVE-2021-32850
[1] https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/
[2] https://github.com/claviska/jquery-minicolors/commit/ef134824a7f4110ada53ea6c173111a4fa2f48f3
 

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel


[Pkg-javascript-devel] Bug#1031418: node-undici: CVE-2023-23936 CVE-2023-24807

2023-02-16 Thread Salvatore Bonaccorso
Source: node-undici
Version: 5.15.0+dfsg1+~cs20.10.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for node-undici.

CVE-2023-23936[0]:
| Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0
| and prior to version 5.19.1, the undici library does not protect
| `host` HTTP header from CRLF injection vulnerabilities. This issue is
| patched in Undici v5.19.1. As a workaround, sanitize the
| `headers.host` string before passing to undici.


CVE-2023-24807[1]:
| Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the
| `Headers.set()` and `Headers.append()` methods are vulnerable to
| Regular Expression Denial of Service (ReDoS) attacks when untrusted
| values are passed into the functions. This is due to the inefficient
| regular expression used to normalize the values in the
| `headerValueNormalize()` utility function. This vulnerability was
| patched in v5.19.1. No known workarounds are available.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23936
https://www.cve.org/CVERecord?id=CVE-2023-23936
[1] https://security-tracker.debian.org/tracker/CVE-2023-24807
https://www.cve.org/CVERecord?id=CVE-2023-24807

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
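The two undici reports above describe a `host` header not protected against CRLF injection (with the workaround of sanitising `headers.host` before it reaches the client) and a header-value normalisation whose regular expression backtracks on hostile input. The Node.js code below is an added example, not undici's code: a strict host validator that rejects rather than strips bad input (its only regexes are anchored single character classes, which cannot backtrack), a linear-time trim of HTTP whitespace that needs no regular expression, and a final CR/LF/NUL check on the value; the pattern cited in a comment is illustrative, not the one undici used.

```javascript
// Accept a reg-name or IPv4 literal (letters, digits, '-', '.'), or a
// bracketed IPv6 literal, with an optional ':port'. Anything else, including
// CR, LF and other control bytes, yields null so a smuggled header line can
// never be written to the wire. Length is capped to bound the work.
function sanitizeHost(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > 255) {
    return null;
  }
  let hostPart = value;
  let port = null;
  // A ':' after the last ']' (or with no brackets at all) separates the port.
  const close = value.lastIndexOf(']');
  const colon = value.lastIndexOf(':');
  if (colon > close) {
    hostPart = value.slice(0, colon);
    port = value.slice(colon + 1);
    if (!/^[0-9]{1,5}$/.test(port) || Number(port) > 65535) return null;
  }
  if (hostPart.startsWith('[') && hostPart.endsWith(']')) {
    if (!/^\[[0-9A-Fa-f:.]+\]$/.test(hostPart)) return null;
  } else if (!/^[A-Za-z0-9.-]+$/.test(hostPart)) {
    return null;
  }
  return port === null ? hostPart : `${hostPart}:${port}`;
}

// Fetch's header normalisation strips leading and trailing HTTP whitespace,
// which it defines as tab, LF, CR and space.
function isHttpWhitespace(code) {
  return code === 0x09 || code === 0x0a || code === 0x0d || code === 0x20;
}

// Two index scans instead of a pattern. The cost is proportional to the
// input length whatever its content, unlike a regex such as
// /^[\r\n\t ]*(.*?)[\r\n\t ]*$/ whose backtracking grows with the number of
// whitespace characters an attacker supplies.
function normalizeHeaderValue(value) {
  let start = 0;
  let end = value.length;
  while (start < end && isHttpWhitespace(value.charCodeAt(start))) start++;
  while (end > start && isHttpWhitespace(value.charCodeAt(end - 1))) end--;
  return value.slice(start, end);
}

// After normalisation a value must still contain no NUL, CR or LF anywhere;
// those are the bytes that would terminate or split a header line.
function isValidHeaderValue(value) {
  for (let i = 0; i < value.length; i++) {
    const c = value.charCodeAt(i);
    if (c === 0x00 || c === 0x0a || c === 0x0d) return false;
  }
  return true;
}
```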


[Pkg-javascript-devel] Bug#1024736: node-xmldom: CVE-2022-39353

2022-11-23 Thread Salvatore Bonaccorso
Source: node-xmldom
Version: 0.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jindw/xmldom/issues/150
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-xmldom.

CVE-2022-39353[0]:
| xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core)
| `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not
| well-formed because it contains multiple top level elements, and adds
| all root nodes to the `childNodes` collection of the `Document`,
| without reporting any error or throwing. This breaks the assumption
| that there is only a single root node in the tree, which led to
| issuance of CVE-2022-39299 as it is a potential issue for dependents.
| Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag
| latest) or @xmldom/xmldom@=0.9.0-beta.4 (dist-tag next). As a
| workaround, please use one of the following approaches depending on your
| use case: instead of searching for elements in the whole DOM, only
| search in the `documentElement`, or reject a document
| that has more than 1 `childNode`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-39353
https://www.cve.org/CVERecord?id=CVE-2022-39353
[1] https://github.com/jindw/xmldom/issues/150
[2] https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1023518: nodejs: CVE-2022-43548

2022-11-05 Thread Salvatore Bonaccorso
Source: nodejs
Version: 18.12.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for nodejs.

CVE-2022-43548[0]:
| DNS rebinding in --inspect via invalid octal IP address

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-43548
https://www.cve.org/CVERecord?id=CVE-2022-43548
[1] https://nodejs.org/en/blog/vulnerability/november-2022-security-releases/#dns-rebinding-in-inspect-via-invalid-octal-ip-address-medium-cve-2022-43548

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1021618: node-xmldom: CVE-2022-37616

2022-10-11 Thread Salvatore Bonaccorso
Source: node-xmldom
Version: 0.7.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/xmldom/xmldom/issues/436
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-xmldom.

CVE-2022-37616[0]:
| A prototype pollution vulnerability exists in the function copy in
| dom.js in the xmldom (published as @xmldom/xmldom) package before
| 0.8.3 for Node.js via the p variable.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37616
https://www.cve.org/CVERecord?id=CVE-2022-37616
[1] https://github.com/xmldom/xmldom/issues/436

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1019219: node-sanitize-html: CVE-2022-25887

2022-09-05 Thread Salvatore Bonaccorso
Source: node-sanitize-html
Version: 2.7.0+~2.6.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-sanitize-html.

CVE-2022-25887[0]:
| The package sanitize-html before 2.7.1 is vulnerable to Regular
| Expression Denial of Service (ReDoS) due to insecure global regular
| expression replacement logic of HTML comment removal.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-25887
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25887
[1] https://github.com/apostrophecms/sanitize-html/commit/b4682c12fd30e12e82fa2d9b766de91d7d2cd23c
[2] https://github.com/apostrophecms/sanitize-html/pull/557
[3] https://security.snyk.io/vuln/SNYK-JS-SANITIZEHTML-2957526

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1017707: RM: rainloop -- RoQA; "unmaintained" upstream, security issues, upstream-fork exists (but not yet packaged in Debian)

2022-08-19 Thread Salvatore Bonaccorso
Package: ftp.debian.org
Severity: normal
X-Debbugs-Cc: car...@debian.org, anar...@debian.org, t...@security.debian.org, 
pkg-javascript-de...@lists.alioth.debian.org, y...@debian.org

Hi

As it was mentioned in #debian-security: rainloop seems to have now an
unmaintained upstream and has security issues. There would be a fork
(snappymail) but which is not yet packaged in Debian (Cf. #1017641).

,----[ dak rm --suite=unstable -n -R rainloop ]
| Will remove the following packages from unstable:
|
|   rainloop | 1.16.0+dfsg-1 | source, all
|
| Maintainer: Debian Javascript Maintainers 

|
| --- Reason ---
|
| --
|
| Checking reverse dependencies...
| No dependency problem found.
`----

There are no conflicts in removing it, but I'm adding both Antoine and
Xavier to recipients to comment on.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1016497: node-fetch: CVE-2022-2596

2022-08-01 Thread Salvatore Bonaccorso
Source: node-fetch
Version: 3.2.9+~cs18.4.14-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-fetch.

CVE-2022-2596[0]:
| Denial of Service in GitHub repository node-fetch/node-fetch prior to
| 3.2.10.

TTBOMK it was introduced in v3.1.0 only, so it affects only the version in
experimental, but please double-check again.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-2596
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2596

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1014845: Bug#1014845: node-moment: CVE-2022-31129

2022-07-13 Thread Salvatore Bonaccorso
Hi Yadd,

On Wed, Jul 13, 2022 at 09:14:56PM +0200, Yadd wrote:
> On 13/07/2022 08:38, Salvatore Bonaccorso wrote:
> > Source: node-moment
> > Version: 2.29.3+ds-1
> > Severity: grave
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> > 
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-moment.
> > 
> > CVE-2022-31129[0]:
> > | moment is a JavaScript date library for parsing, validating,
> > | manipulating, and formatting dates. Affected versions of moment were
> > | found to use an inefficient parsing algorithm. Specifically using
> > | string-to-date parsing in moment (more specifically rfc2822 parsing,
> > | which is tried by default) has quadratic (N^2) complexity on specific
> > | inputs. Users may notice a noticeable slowdown is observed with inputs
> > | above 10k characters. Users who pass user-provided strings without
> > | sanity length checks to moment constructor are vulnerable to (Re)DoS
> > | attacks. The problem is patched in 2.29.4, the patch can be applied to
> > | all affected versions with minimal tweaking. Users are advised to
> > | upgrade. Users unable to upgrade should consider limiting date lengths
> > | accepted from user input.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> Hi,
> 
> here is the debdiff

Thanks! I think it should be enough IMHO as well in this case to push
the fix out via the next bullseye point release (now though a couple
of weeks away as the counter restarted).

Thank you for your work!

Salvatore



[Pkg-javascript-devel] Bug#1014845: node-moment: CVE-2022-31129

2022-07-13 Thread Salvatore Bonaccorso
Source: node-moment
Version: 2.29.3+ds-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-moment.

CVE-2022-31129[0]:
| moment is a JavaScript date library for parsing, validating,
| manipulating, and formatting dates. Affected versions of moment were
| found to use an inefficient parsing algorithm. Specifically using
| string-to-date parsing in moment (more specifically rfc2822 parsing,
| which is tried by default) has quadratic (N^2) complexity on specific
| inputs. Users may notice a noticeable slowdown is observed with inputs
| above 10k characters. Users who pass user-provided strings without
| sanity length checks to moment constructor are vulnerable to (Re)DoS
| attacks. The problem is patched in 2.29.4, the patch can be applied to
| all affected versions with minimal tweaking. Users are advised to
| upgrade. Users unable to upgrade should consider limiting date lengths
| accepted from user input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31129
[1] https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
[2] https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#1009327: node-moment: CVE-2022-24785: path traversal vulnerability

2022-04-11 Thread Salvatore Bonaccorso
Source: node-moment
Version: 2.29.1+ds-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 2.29.1+ds-2
Control: found -1 2.24.0+ds-1

Hi,

The following vulnerability was published for node-moment.

CVE-2022-24785[0]:
| Moment.js is a JavaScript date library for parsing, validating,
| manipulating, and formatting dates. A path traversal vulnerability
| impacts npm (server) users of Moment.js between versions 1.0.1 and
| 2.29.1, especially if a user-provided locale string is directly used
| to switch moment locale. This problem is patched in 2.29.2, and the
| patch can be applied to all affected versions. As a workaround,
| sanitize the user-provided locale name before passing it to Moment.js.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-24785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24785
[1] https://github.com/moment/moment/security/advisories/GHSA-8hfj-j24r-96c4
[2] https://github.com/moment/moment/commit/4211bfc8f15746be4019bba557e29a7ba83d54c5

Regards,
Salvatore



[Pkg-javascript-devel] [ftpmas...@ftp-master.debian.org: Accepted nodejs 12.22.9~dfsg-1 (source) into unstable]

2022-03-21 Thread Salvatore Bonaccorso
Source: nodejs
Source-Version: 12.22.9~dfsg-1

This should fix #1004177 and the four open CVEs.

- Forwarded message from Debian FTP Masters 
 -

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 27 Jan 2022 13:42:36 +0100
Source: nodejs
Architecture: source
Version: 12.22.9~dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Jérémy Lal 
Changes:
 nodejs (12.22.9~dfsg-1) unstable; urgency=medium
 .
   [ Yadd ]
   * Team upload
   * Add fix for node-js-yaml ≥ 4
   * Clean unneeded versioned dependency contraints
 .
   [ Jérémy Lal ]
   * New upstream version 12.22.9~dfsg
   * Fix make-doc patch for marked 4
   * Depends on libuv >= 1.38.0
   * Apply js-yaml compatibility before make-doc patch


- End forwarded message -



Re: [Pkg-javascript-devel] Fwd: dh-sequence-nodejs improvements

2022-02-05 Thread Salvatore Bonaccorso
Hi,

On Sat, Feb 05, 2022 at 08:23:17AM +0100, Yadd wrote:
> On 04/02/2022 17:59, Yadd wrote:
> > Hi,
> > 
> > my new pkgjs-audit tool found this 3 vulnerabilities, not found on
> > security-tracker:
> > 
> > eslint-config-eslint  5.0.1
> > Severity: critical
> > Malicious Package in eslint-scope -
> > https://github.com/advisories/GHSA-hxxf-q3w9-4xgw
> 
> False positive, vulnerable version is 5.0.2 which was removed from Internet
> 
> > trim-newlines  <3.0.1
> > Severity: high
> > Regular Expression Denial of Service in trim-newlines -
> > https://github.com/advisories/GHSA-7p7h-4mm5-852v
> 
> CVE-2021-33623 is marked as not-for-us which is bad. Just fixed into
> unstable
> 
> > nth-check  <2.0.1
> > Severity: moderate
> > Inefficient Regular Expression Complexity in nth-check -
> > https://github.com/advisories/GHSA-rp65-9cf3-cjxr
> 
> CVE-2021-3803 is marked as not-for-us which is bad. Just fixed into unstable

thank you! I have updated the tracking information.

Regards,
Salvatore



[Pkg-javascript-devel] Accepted node-cached-path-relative 1.1.0+~1.0.0-1 (source) into unstable

2022-01-26 Thread Salvatore Bonaccorso
Source: node-cached-path-relative
Source-Version: 1.1.0+~1.0.0-1

- Forwarded message from Debian FTP Masters 
 -

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 26 Jan 2022 12:30:15 +0100
Source: node-cached-path-relative
Architecture: source
Version: 1.1.0+~1.0.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Yadd 
Changes:
 node-cached-path-relative (1.1.0+~1.0.0-1) unstable; urgency=medium
 .
   * Team upload
   * Embed typescript declarations and repack
   * New upstream release 1.1.0 (Closes: CVE-2021-23518)

- End forwarded message -



[Pkg-javascript-devel] Bug#1004177: nodejs: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824

2022-01-22 Thread Salvatore Bonaccorso
Source: nodejs
Version: 12.22.7~dfsg-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 12.22.5~dfsg-2~11u1

Hi,

The following vulnerabilities were published for nodejs.

CVE-2021-44531[0]:
| Improper handling of URI Subject Alternative Names

CVE-2021-44532[1]:
| Certificate Verification Bypass via String Injection

CVE-2021-44533[2]:
| Incorrect handling of certificate subject and issuer fields

CVE-2022-21824[3]:
| Prototype pollution via console.table properties

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-44531
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
[1] https://security-tracker.debian.org/tracker/CVE-2021-44532
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
[2] https://security-tracker.debian.org/tracker/CVE-2021-44533
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
[3] https://security-tracker.debian.org/tracker/CVE-2022-21824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#998418: [ftpmas...@ftp-master.debian.org: Accepted node-shell-quote 1.7.3+~1.7.1-1 (source) into unstable]

2022-01-09 Thread Salvatore Bonaccorso
Source: node-shell-quote
Source-Version: 1.7.3+~1.7.1-1

- Forwarded message from Debian FTP Masters 
 -

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Sun, 09 Jan 2022 12:07:45 +0100
Source: node-shell-quote
Architecture: source
Version: 1.7.3+~1.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 

Changed-By: Yadd 
Changes:
 node-shell-quote (1.7.3+~1.7.1-1) unstable; urgency=medium
 .
   * Team upload
   * Bump debhelper compatibility level to 13
   * Update standards version to 4.6.0, no changes needed.
   * Fix GitHub tags regex
   * Fix filenamemangle
   * Use dh-sequence-nodejs instead of pkg-js-tools
   * Embed typescript declarations and repack
   * New version 1.7.3+~1.7.1 (Closes: CVE-2021-42740)
   * Don't install example in nodejs dir

- End forwarded message -



[Pkg-javascript-devel] Bug#998418: node-shell-quote: CVE-2021-42740

2021-11-03 Thread Salvatore Bonaccorso
Source: node-shell-quote
Version: 1.7.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-shell-quote.

CVE-2021-42740[0]:
| The shell-quote package before 1.7.3 for Node.js allows command
| injection. An attacker can inject unescaped shell metacharacters
| through a regex designed to support Windows drive letters. If the
| output of this package is passed to a real shell as a quoted argument
| to a command with exec(), an attacker can inject arbitrary commands.
| This is because the Windows drive letter regex character class is
| {A-z] instead of the correct {A-Za-z]. Several shell metacharacters
| exist in the space between capital letter Z and lower case letter a,
| such as the backtick character.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
[1] https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe

Regards,
Salvatore

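The character-class defect described in the CVE text, as an added example that is not from the bug report or from shell-quote itself: an audit helper enumerates which non-letter ASCII characters `[A-z]` accepts that `[A-Za-z]` does not, and a drive-letter check is shown written with the correct class. The two regexes and the `quoteArg` helper are illustrative reconstructions of the shape described in the advisory, not the library's exact code.

```javascript
// Added example (not shell-quote's own code). CVE-2021-42740: a character
// class written as [A-z] is one range over ASCII codes 0x41..0x7A, so it
// silently includes the six punctuation characters that sit between 'Z'
// (0x5A) and 'a' (0x61). One of them is the backtick, which a POSIX shell
// treats as command substitution, so a token that passed the "Windows drive
// letter" check was emitted without the quoting that would have neutralised it.
const BUGGY_DRIVE_RE = /^[A-z]:\\/;     // illustrative; shape described in the CVE
const FIXED_DRIVE_RE = /^[A-Za-z]:\\/;  // the correct, two-range class

// Audit helper: list every single ASCII character the given drive-letter
// regex accepts in the letter position that is NOT an ASCII letter.
function nonLetterMatches(re) {
  const extras = [];
  for (let code = 0; code < 128; code += 1) {
    const ch = String.fromCharCode(code);
    if (re.test(`${ch}:\\`) && !/^[A-Za-z]$/.test(ch)) extras.push(ch);
  }
  return extras;
}

// Hardened decision: only treat a token as a Windows drive path when its
// first character is a genuine ASCII letter. Everything else falls through
// to the generic path, where shell metacharacters get quoted.
function isWindowsDrivePath(token) {
  return FIXED_DRIVE_RE.test(token);
}

// Minimal POSIX single-quoting for the generic path (close, escape and reopen
// any embedded single quote). Written for this demo; shell-quote's real
// quote() handles more cases.
function posixSingleQuote(token) {
  return `'${token.replace(/'/g, `'\\''`)}'`;
}

function quoteArg(token) {
  return isWindowsDrivePath(token) ? token : posixSingleQuote(token);
}
```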


[Pkg-javascript-devel] Bug#994568: node-ansi-regex: CVE-2021-3807

2021-09-17 Thread Salvatore Bonaccorso
Source: node-ansi-regex
Version: 5.0.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 5.0.0-1

Hi,

The following vulnerability was published for node-ansi-regex.

CVE-2021-3807[0]:
| ansi-regex is vulnerable to Inefficient Regular Expression Complexity


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3807
[1] https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994
[2] https://github.com/chalk/ansi-regex/pull/37

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#993981: node-tar: CVE-2021-37712

2021-09-09 Thread Salvatore Bonaccorso
Source: node-tar
Version: 6.1.7+~cs11.3.10-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-tar.

CVE-2021-37712[0]:
| The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10,
| and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code
| execution vulnerability. node-tar aims to guarantee that any file
| whose location would be modified by a symbolic link is not extracted.
| This is, in part, achieved by ensuring that extracted directories are
| not symlinks. Additionally, in order to prevent unnecessary stat calls
| to determine whether a given path is a directory, paths are cached
| when directories are created. This logic was insufficient when
| extracting tar files that contained both a directory and a symlink
| with names containing unicode values that normalized to the same
| value. Additionally, on Windows systems, long path portions would
| resolve to the same file system entities as their 8.3 "short path"
| counterparts. A specially crafted tar archive could thus include a
| directory with one form of the path, followed by a symbolic link with
| a different string that resolves to the same file system entity,
| followed by a file using the first form. By first creating a
| directory, and then replacing that directory with a symlink that had a
| different apparent name that resolved to the same entry in the
| filesystem, it was thus possible to bypass node-tar symlink checks on
| directories, essentially allowing an untrusted tar file to symlink
| into an arbitrary location and subsequently extracting arbitrary files
| into that location, thus allowing arbitrary file creation and
| overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and
| 6.1.9. The v3 branch of node-tar has been deprecated and did not
| receive patches for these issues. If you are still using a v3 release
| we recommend you update to a more recent version of node-tar. If this
| is not possible, a workaround is available in the referenced GHSA-
| qq89-hq3f-393p.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37712
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37712
[1] https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

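The directory-then-symlink collision described in the CVE text, as an added detection example that is not from the bug report or from node-tar: it walks a constructed archive listing in order and flags a symlink whose name, after Unicode normalization, matches a directory created earlier, which a byte-for-byte comparison misses. The entry format, the NFC normalization and the sample listing are assumptions; the Windows 8.3 short-name case mentioned in the advisory is not covered.

```javascript
// Added example (not node-tar's code). CVE-2021-37712: node-tar cached the
// paths of directories it had created so it could skip stat() calls, but the
// cache compared names byte-for-byte. A directory "café/" written with the
// precomposed é (U+00E9) and a symlink "café" written as e + U+0301 are
// different strings yet the same entry on a normalizing file system, so the
// symlink replaced the directory without the symlink check firing.

// Canonical form used for comparison: Unicode NFC, trailing slash stripped,
// "." segments dropped. (node-tar's own normalization differs; this is an
// assumption made for the demo.)
function canonicalEntryPath(p) {
  const parts = p.normalize('NFC').split('/').filter((s) => s !== '' && s !== '.');
  return parts.join('/');
}

// Walk the archive in order. Returns every symlink entry whose canonical path
// collides with a directory created earlier, i.e. the sequence that lets a
// later file entry be written through the symlink instead of the directory.
function findNormalizedSymlinkCollisions(entries) {
  const createdDirs = new Map(); // canonical path -> original directory name
  const findings = [];
  for (const entry of entries) {
    const key = canonicalEntryPath(entry.path);
    if (entry.type === 'directory') {
      createdDirs.set(key, entry.path);
    } else if (entry.type === 'symlink' && createdDirs.has(key)) {
      const directory = createdDirs.get(key);
      findings.push({
        symlink: entry.path,
        directory,
        // true only if a plain string comparison would also have caught it
        sameBytes: directory.replace(/\/$/, '') === entry.path,
      });
    }
  }
  return findings;
}

// Constructed archive listing (not a real tar): directory in NFC, symlink in
// NFD, then a file placed through the directory name; plus one harmless
// symlink that has no earlier directory and must not be reported.
const SAMPLE_ENTRIES = [
  { path: 'caf\u00e9/', type: 'directory' },
  { path: 'cafe\u0301', type: 'symlink' },
  { path: 'caf\u00e9/payload.txt', type: 'file' },
  { path: 'docs', type: 'symlink' },
];
```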


[Pkg-javascript-devel] Bug#993407: npm: CVE-2021-39134

2021-08-31 Thread Salvatore Bonaccorso
Source: npm
Version: 7.5.2+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for npm.

CVE-2021-39135[0]:
| `@npmcli/arborist`, the library that calculates dependency trees and
| manages the node_modules folder hierarchy for the npm command line
| interface, aims to guarantee that package dependency contracts will be
| met, and the extraction of package contents will always be performed
| into the expected folder. This is accomplished by extracting package
| contents into a project's `node_modules` folder. If the `node_modules`
| folder of the root project or any of its dependencies is somehow
| replaced with a symbolic link, it could allow Arborist to write
| package dependencies to any arbitrary location on the file system.
| Note that symbolic links contained within package artifact contents
| are filtered out, so another means of creating a `node_modules`
| symbolic link would have to be employed. 1. A `preinstall` script
| could replace `node_modules` with a symlink. (This is prevented by
| using `--ignore-scripts`.) 2. An attacker could supply the target with
| a git repository, instructing them to run `npm install --ignore-
| scripts` in the root. This may be successful, because `npm install
| --ignore-scripts` is typically not capable of making changes outside
| of the project directory, so it may be deemed safe. This is patched in
| @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For
| more information including workarounds please see the referenced GHSA-
| gmw6-94gg-2rc2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-39135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39135
[1] https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#993405: npm: CVE-2021-39135

2021-08-31 Thread Salvatore Bonaccorso
Source: npm
Version: 7.5.2+ds-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for npm.

CVE-2021-39135[0]:
| `@npmcli/arborist`, the library that calculates dependency trees and
| manages the node_modules folder hierarchy for the npm command line
| interface, aims to guarantee that package dependency contracts will be
| met, and the extraction of package contents will always be performed
| into the expected folder. This is accomplished by extracting package
| contents into a project's `node_modules` folder. If the `node_modules`
| folder of the root project or any of its dependencies is somehow
| replaced with a symbolic link, it could allow Arborist to write
| package dependencies to any arbitrary location on the file system.
| Note that symbolic links contained within package artifact contents
| are filtered out, so another means of creating a `node_modules`
| symbolic link would have to be employed. 1. A `preinstall` script
| could replace `node_modules` with a symlink. (This is prevented by
| using `--ignore-scripts`.) 2. An attacker could supply the target with
| a git repository, instructing them to run `npm install --ignore-
| scripts` in the root. This may be successful, because `npm install
| --ignore-scripts` is typically not capable of making changes outside
| of the project directory, so it may be deemed safe. This is patched in
| @npmcli/arborist 2.8.2 which is included in npm v7.20.7 and above. For
| more information including workarounds please see the referenced GHSA-
| gmw6-94gg-2rc2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-39135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39135
[1] https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#992292: ckeditor: CVE-2021-32808

2021-08-16 Thread Salvatore Bonaccorso
Source: ckeditor
Version: 4.16.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for ckeditor.

CVE-2021-32808[0]:
| ckeditor is an open source WYSIWYG HTML editor with rich content
| support. A vulnerability has been discovered in the clipboard Widget
| plugin if used alongside the undo feature. The vulnerability allows a
| user to abuse undo functionality using malformed widget HTML, which
| could result in executing JavaScript code. It affects all users using
| the CKEditor 4 plugins listed above at version >= 4.13.0. The
| problem has been recognized and patched. The fix will be available in
| version 4.16.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32808
[1] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-6226-h7ff-ch6c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#992291: ckeditor: CVE-2021-32809

2021-08-16 Thread Salvatore Bonaccorso
Source: ckeditor
Version: 4.16.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 4.11.1+dfsg-1

Hi,

The following vulnerability was published for ckeditor.

CVE-2021-32809[0]:
| ckeditor is an open source WYSIWYG HTML editor with rich content
| support. A potential vulnerability has been discovered in CKEditor 4
| [Clipboard](https://ckeditor.com/cke4/addon/clipboard) package. The
| vulnerability allowed to abuse paste functionality using malformed
| HTML, which could result in injecting arbitrary HTML into the editor.
| It affects all users using the CKEditor 4 plugins listed above at
| version >= 4.5.2. The problem has been recognized and patched. The
| fix will be available in version 4.16.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32809
[1] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-7889-rm5j-hpgg

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#992290: ckeditor: CVE-2021-37695

2021-08-16 Thread Salvatore Bonaccorso
Source: ckeditor
Version: 4.16.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 4.11.1+dfsg-1

Hi,

The following vulnerability was published for ckeditor.

CVE-2021-37695[0]:
| ckeditor is an open source WYSIWYG HTML editor with rich content
| support. A potential vulnerability has been discovered in CKEditor 4
| [Fake Objects](https://ckeditor.com/cke4/addon/fakeobjects) package.
| The vulnerability allowed to inject malformed Fake Objects HTML, which
| could result in executing JavaScript code. It affects all users using
| the CKEditor 4 plugins listed above at version < 4.16.2. The
| problem has been recognized and patched. The fix will be available in
| version 4.16.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-37695
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37695
[1] https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-m94c-37g6-cjhc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#992110: node-tar: CVE-2021-32803

2021-08-11 Thread Salvatore Bonaccorso
Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32803[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7,
| 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite
| vulnerability via insufficient symlink protection. `node-tar` aims to
| guarantee that any file whose location would be modified by a symbolic
| link is not extracted. This is, in part, achieved by ensuring that
| extracted directories are not symlinks. Additionally, in order to
| prevent unnecessary `stat` calls to determine whether a given path is
| a directory, paths are cached when directories are created. This logic
| was insufficient when extracting tar files that contained both a
| directory and a symlink with the same name as the directory. This
| order of operations resulted in the directory being created and added
| to the `node-tar` directory cache. When a directory is present in the
| directory cache, subsequent calls to mkdir for that directory are
| skipped. However, this is also where `node-tar` checks for symlinks
| occur. By first creating a directory, and then replacing that
| directory with a symlink, it was thus possible to bypass `node-tar`
| symlink checks on directories, essentially allowing an untrusted tar
| file to symlink into an arbitrary location and subsequently extracting
| arbitrary files into that location, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.3,
| 4.4.15, 5.0.7 and 6.1.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32803
[1] https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#992111: node-tar: CVE-2021-32804

2021-08-11 Thread Salvatore Bonaccorso
Source: node-tar
Version: 6.0.5+ds1+~cs11.3.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-tar.

CVE-2021-32804[0]:
| The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6,
| 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite
| vulnerability due to insufficient absolute path sanitization. node-tar
| aims to prevent extraction of absolute file paths by turning absolute
| paths into relative paths when the `preservePaths` flag is not set to
| `true`. This is achieved by stripping the absolute path root from any
| absolute file paths contained in a tar file. For example
| `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic
| was insufficient when file paths contained repeated path roots such as
| `////home/user/.bashrc`. `node-tar` would only strip a single path
| root from such paths. When given an absolute file path with repeating
| path roots, the resulting path (e.g. `///home/user/.bashrc`) would
| still resolve to an absolute path, thus allowing arbitrary file
| creation and overwrite. This issue was addressed in releases 3.2.2,
| 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability
| without upgrading by creating a custom `onentry` method which
| sanitizes the `entry.path` or a `filter` method which removes entries
| with absolute paths. See referenced GitHub Advisory for details. Be
| aware of CVE-2021-32803 which fixes a similar bug in later versions of
| tar.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32804
[1] https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#991612: node-xmldom: CVE-2021-32796

2021-07-28 Thread Salvatore Bonaccorso
Source: node-xmldom
Version: 0.5.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-xmldom.

CVE-2021-32796[0]:
| xmldom is an open source pure JavaScript W3C standard-based (XML DOM
| Level 2 Core) DOMParser and XMLSerializer module. xmldom versions
| 0.6.0 and older do not correctly escape special characters when
| serializing elements removed from their ancestor. This may lead to
| unexpected syntactic changes during XML processing in some downstream
| applications. This issue has been resolved in version 0.7.0. As a
| workaround downstream applications can validate the input and reject
| the maliciously crafted documents.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-32796
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32796
[1] https://github.com/xmldom/xmldom/security/advisories/GHSA-5fg8-2547-mr8q
[2] https://github.com/xmldom/xmldom/commit/7b4b743917a892d407356e055b296dcd6d107e8b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#991577: node-url-parse: CVE-2021-3664

2021-07-27 Thread Salvatore Bonaccorso
Source: node-url-parse
Version: 1.5.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-url-parse.

CVE-2021-3664[0]:
| url-parse is vulnerable to URL Redirection to Untrusted Site


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-3664
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3664
[1] https://huntr.dev/bounties/1625557993985-unshiftio/url-parse/
[2] https://github.com/unshiftio/url-parse/commit/81ab967889b08112d3356e451bf03e6aa0cbb7e0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#990485: node-nodemailer: CVE-2021-23400

2021-06-30 Thread Salvatore Bonaccorso
Source: node-nodemailer
Version: 6.4.17-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/nodemailer/nodemailer/issues/1289
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-nodemailer.

CVE-2021-23400[0]:
| The package nodemailer before 6.6.1 are vulnerable to HTTP Header
| Injection if unsanitized user input that may contain newlines and
| carriage returns is passed into an address object.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23400
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23400
[1] https://github.com/nodemailer/nodemailer/issues/1289
[2] https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
[3] https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415

Regards,
Salvatore



[Pkg-javascript-devel] Bug#990449: node-mermaid: CVE-2021-35513

2021-06-29 Thread Salvatore Bonaccorso
Source: node-mermaid
Version: 8.7.0+ds+~cs27.17.17-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/mermaid-js/mermaid/issues/2122
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-mermaid.

CVE-2021-35513[0]:
| Mermaid before 8.11.0 allows XSS when the antiscript feature is used.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-35513
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35513
[1] https://github.com/mermaid-js/mermaid/issues/2122
[2] https://github.com/mermaid-js/mermaid/pull/2123

Regards,
Salvatore



Re: [Pkg-javascript-devel] CVE-2021-33587 too intrusive

2021-06-02 Thread Salvatore Bonaccorso
Hi Yadd,

On Mon, May 31, 2021 at 11:50:56AM +0200, Yadd wrote:
> Hi,
> 
> Looking at CVE-2021-33587 patch, it seems too intrusive to be applied
> for Bullseye: patch seems not easily usable for version 4 of
> node-css-what. Could you tag it ?

Sorry, forgot to confirm: this is done and marked to be ignored for
buster and bullseye.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#987792: node-browserslist: CVE-2021-23364

2021-04-29 Thread Salvatore Bonaccorso
Source: node-browserslist
Version: 4.16.3+~cs5.4.72-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-browserslist.

CVE-2021-23364[0]:
| The package browserslist from 4.0.0 and before 4.16.5 are vulnerable
| to Regular Expression Denial of Service (ReDoS) during parsing of
| queries.

The patch will probably not cleanly apply, but according to the
available information at least 4.0.0 onwards until 4.16.5 are
affected. Not sure if earlier versions were just not checked or if they
are confirmed to be not affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23364
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
[1] https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
[2] https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
[3] https://github.com/browserslist/browserslist/pull/593

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#986171: underscore: CVE-2021-23358

2021-03-30 Thread Salvatore Bonaccorso
Source: underscore
Version: 1.9.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team , y...@debian.org

Hi,

The following vulnerability was published for underscore.

CVE-2021-23358[0]:
| The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2
| and before 1.12.1 are vulnerable to Arbitrary Code Execution via the
| template function, particularly when a variable property is passed as
| an argument as it is not sanitized.

[1] provides a POC to verify the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23358
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
[1] https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984

Regards,
Salvatore



[Pkg-javascript-devel] Bug#985841: node-ssri: CVE-2021-27290

2021-03-24 Thread Salvatore Bonaccorso
Source: node-ssri
Version: 8.0.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-ssri.

CVE-2021-27290[0]:
| ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular
| expression which is vulnerable to a denial of service. Malicious SRIs
| could take an extremely long time to process, leading to denial of
| service. This issue only affects consumers using the strict option.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
[1] https://github.com/npm/ssri/commit/76e223317d971

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



[Pkg-javascript-devel] Bug#985568: node-ua-parser-js: CVE-2021-27292

2021-03-20 Thread Salvatore Bonaccorso
Source: node-ua-parser-js
Version: 0.7.23+ds-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 0.7.14-1 

Hi,

The following vulnerability was published for node-ua-parser-js.

CVE-2021-27292[0]:
| ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression
| which is vulnerable to denial of service. If an attacker sends a
| malicious User-Agent header, ua-parser-js will get stuck processing it
| for an extended period of time.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27292
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27292
[1] https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1940613

Regards,
Salvatore



[Pkg-javascript-devel] Bug#985110: node-url-parse: CVE-2021-27515

2021-03-12 Thread Salvatore Bonaccorso
Source: node-url-parse
Version: 1.4.7+repack-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-url-parse.

CVE-2021-27515[0]:
| url-parse before 1.5.0 mishandles certain uses of backslash such as
| http:\/ and interprets the URI as a relative path.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27515
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
[1] https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0

Regards,
Salvatore



[Pkg-javascript-devel] Bug#985109: node-prismjs: CVE-2021-23341

2021-03-12 Thread Salvatore Bonaccorso
Source: node-prismjs
Version: 1.11.0+dfsg-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/PrismJS/prism/issues/2583
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-prismjs.

CVE-2021-23341[0]:
| The package prismjs before 1.23.0 are vulnerable to Regular Expression
| Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-
| tap and prism-eiffel components.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23341
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23341
[1] https://github.com/PrismJS/prism/issues/2583

Regards,
Salvatore



[Pkg-javascript-devel] Bug#982587: ckeditor: CVE-2021-26271 CVE-2021-26272

2021-02-11 Thread Salvatore Bonaccorso
Source: ckeditor
Version: 4.12.1+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerabilities were published for ckeditor.

CVE-2021-26271[0]:
| It was possible to execute a ReDoS-type attack inside CKEditor 4
| before 4.16 by persuading a victim to paste crafted text into the
| Styles input of specific dialogs (in the Advanced Tab for Dialogs
| plugin).


CVE-2021-26272[1]:
| It was possible to execute a ReDoS-type attack inside CKEditor 4
| before 4.16 by persuading a victim to paste crafted URL-like text into
| the editor, and then press Enter or Space (in the Autolink plugin).


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-26271
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26271
[1] https://security-tracker.debian.org/tracker/CVE-2021-26272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26272

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#977736: iotjs: CVE-2020-29657 : False positive ?

2021-01-09 Thread Salvatore Bonaccorso
Control: severity -1 minor

Hi

On Thu, Jan 07, 2021 at 10:58:03PM +0100, Philippe Coval wrote:
> Package: iotjs
> Followup-For: Bug #977736
> 
> Dear Maintainer,
> 
> As iotjs's Debian maintainer,
> I have forwarded this issue to upstream tracker:
> 
> https://github.com/jerryscript-project/iotjs/issues/1955
> 
> But, It looks like that "main_print_unhandled_exception" function is in
> jerryscript CLI program not in the library that iotjs link with
> 
> It can be easily verified using:
> 
> readelf -Wsa /usr/bin/iotjs | grep print_
> 
>    610: 00020030     1 FUNC    GLOBAL DEFAULT   14 print_stacktrace
>    776: 0006afa0    16 FUNC    GLOBAL DEFAULT   14 jerry_port_print_char
> 
> So I think this scanner is a false positive.
> 
> I don't know if upstream iotjs plan to jerryscript soon
> and IMHO, it is not worthy of backporting the related patch
> because it wont be compiled.

Okay indeed, while it might affect the source code itself it seems not
for the binary package, in particular so as you found for the iotjs use
(and it does not compile main-utils.c).

I'm doing two things. Downgrade the severity to minor, I think the bug
just can be closed once upstream rebased the JerryScripts copy to the
version including the fix.

Marking it as unimportant in the security-tracker indicating it does
not affect at all the iotjs produced binary packages.

I do agree that there is no sense in backporting the related patch to
iotjs.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#979364: nodejs: CVE-2020-8265 CVE-2020-8287

2021-01-05 Thread Salvatore Bonaccorso
Source: nodejs
Version: 12.19.0~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 10.21.0~dfsg-1~deb10u1
Control: found -1 14.13.0~dfsg-1

Hi,

The following vulnerabilities were published for nodejs.

CVE-2020-8265[0]:
| nodejs: use-after-free in TLSWrap

CVE-2020-8287[1]:
| nodejs: HTTP Request Smuggling

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8265
[1] https://security-tracker.debian.org/tracker/CVE-2020-8287
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8287

Regards,
Salvatore


[Pkg-javascript-devel] Bug#977736: iotjs: CVE-2020-29657

2020-12-19 Thread Salvatore Bonaccorso
Source: iotjs
Version: 1.0+715-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jerryscript-project/jerryscript/issues/4244
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.0-1

Hi,

The following vulnerability was published for iotjs. Actually for
embedded jerryscript, which seem still affected in up to the version
included in 1.0+715-1.

CVE-2020-29657[0]:
| In JerryScript 2.3.0, there is an out-of-bounds read in
| main_print_unhandled_exception in the main-utils.c file.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-29657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29657
[1] https://github.com/jerryscript-project/jerryscript/issues/4244

Regards,
Salvatore


[Pkg-javascript-devel] Bug#977718: node-ini: CVE-2020-7788

2020-12-19 Thread Salvatore Bonaccorso
Source: node-ini
Version: 1.3.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-ini.

CVE-2020-7788[0]:
| This affects the package ini before 1.3.6. If an attacker submits a
| malicious INI file to an application that parses it with ini.parse,
| they will pollute the prototype on the application. This can be
| exploited further depending on the context.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7788
[1] https://snyk.io/vuln/SNYK-JS-INI-1048974
[2] https://github.com/npm/ini/commit/56d2805e07ccd94e2ba0984ac9240ff02d44b6f1

Regards,
Salvatore


[Pkg-javascript-devel] Bug#976446: highlight.js: CVE-2020-26237

2020-12-05 Thread Salvatore Bonaccorso
Source: highlight.js
Version: 9.18.1+dfsg1-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/highlightjs/highlight.js/pull/2636
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 9.12.0+dfsg1-4

Hi,

The following vulnerability was published for highlight.js.

CVE-2020-26237[0]:
| Highlight.js is a syntax highlighter written in JavaScript.
| Highlight.js versions before 9.18.2 and 10.1.2 are vulnerable to
| Prototype Pollution. A malicious HTML code block can be crafted that
| will result in prototype pollution of the base object's prototype
| during highlighting. If you allow users to insert custom HTML code
| blocks into your page/app via parsing Markdown code blocks (or
| similar) and do not filter the language names the user can provide you
| may be vulnerable. The pollution should just be harmless data but this
| can cause problems for applications not expecting these properties to
| exist and can result in strange behavior or application crashes, i.e.
| a potential DOS vector. If your website or application does not render
| user provided data it should be unaffected. Versions 9.18.2 and 10.1.2
| and newer include fixes for this vulnerability. If you are using
| version 7 or 8 you are encouraged to upgrade to a newer release.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-26237
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26237
[1] https://github.com/highlightjs/highlight.js/pull/2636
[2] https://github.com/highlightjs/highlight.js/security/advisories/GHSA-vfrc-7r7c-w9mx

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-rc6-amd64 (SMP w/8 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


[Pkg-javascript-devel] Bug#976390: node-y18n: CVE-2020-7774

2020-12-04 Thread Salvatore Bonaccorso
Source: node-y18n
Version: 4.0.0-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/yargs/y18n/issues/96
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-y18n.

CVE-2020-7774[0]:
| This affects the package y18n before 5.0.5. PoC by po6ix: const y18n =
| require('y18n')(); y18n.setLocale('__proto__');
| y18n.updateLocale({polluted: true}); console.log(polluted); // true


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7774
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7774
[1] https://github.com/yargs/y18n/issues/96
[2] https://github.com/yargs/y18n/pull/108
[3] https://snyk.io/vuln/SNYK-JS-Y18N-1021887

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#975305: node-axios: CVE-2020-28168

2020-11-20 Thread Salvatore Bonaccorso
Source: node-axios
Version: 0.21.0+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/axios/axios/issues/3369
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-axios.

CVE-2020-28168[0]:
| Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF)
| vulnerability where an attacker is able to bypass a proxy by providing
| a URL that responds with a redirect to a restricted host or IP
| address.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28168
[1] https://github.com/axios/axios/issues/3369

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#972895: node-pathval: CVE-2020-7751

2020-10-25 Thread Salvatore Bonaccorso
Source: node-pathval
Version: 1.1.0-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/chaijs/pathval/pull/58
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-pathval.

 * CVE-2020-7751[0]

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7751
[1] https://github.com/chaijs/pathval/pull/58
[2] https://snyk.io/vuln/SNYK-JS-PATHVAL-596926

Regards,
Salvatore


[Pkg-javascript-devel] Bug#970173: Bug#970173: node-fetch: CVE-2020-15168

2020-09-13 Thread Salvatore Bonaccorso
Hi Xavier,

On Sun, Sep 13, 2020 at 05:29:56PM +0200, Xavier wrote:
> On 12/09/2020 at 15:33, Salvatore Bonaccorso wrote:
> > Source: node-fetch
> > Version: 1.7.3-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> > 
> > Control: found -1 1.7.3-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-fetch.
> > 
> > CVE-2020-15168[0]:
> > | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
> > | size option after following a redirect, which means that when a
> > | content size was over the limit, a FetchError would never get thrown
> > | and the process would end without failure. For most people, this fix
> > | will have a little or no impact. However, if you are relying on node-
> > | fetch to gate files above a size, the impact could be significant, for
> > | example: If you don't double-check the size of the data after fetch()
> > | has completed, your JS thread could get tied up doing work on a large
> > | file (DoS) and/or cost you money in computing.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-15168
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
> > [1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
> > 
> > Regards
> > Salvatore
> 
> Hi,
> 
> the upstream patches
> (https://github.com/node-fetch/node-fetch/commit/2358a6c2 or
> https://github.com/node-fetch/node-fetch/commit/eaff0094) seem not easy
> to backport to 1.7.3 without major changes. I think we should keep this
> minor bug unfixed in buster.

Sounds sensible (and good once the new version from experimental would
move to unstable).

Regards,
Salvatore


[Pkg-javascript-devel] Bug#970173: node-fetch: CVE-2020-15168

2020-09-12 Thread Salvatore Bonaccorso
Source: node-fetch
Version: 1.7.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.7.3-1

Hi,

The following vulnerability was published for node-fetch.

CVE-2020-15168[0]:
| node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
| size option after following a redirect, which means that when a
| content size was over the limit, a FetchError would never get thrown
| and the process would end without failure. For most people, this fix
| will have a little or no impact. However, if you are relying on node-
| fetch to gate files above a size, the impact could be significant, for
| example: If you don't double-check the size of the data after fetch()
| has completed, your JS thread could get tied up doing work on a large
| file (DoS) and/or cost you money in computing.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15168
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
[1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r

Regards
Salvatore


[Pkg-javascript-devel] Bug#970000: dojo: CVE-2020-4051

2020-09-09 Thread Salvatore Bonaccorso
Source: dojo
Version: 1.15.3+dfsg1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for dojo.

CVE-2020-4051[0]:
| In Dijit before versions 1.11.11, and greater than or equal to 1.12.0
| and less than 1.12.9, and greater than or equal to 1.13.0 and less
| than 1.13.8, and greater than or equal to 1.14.0 and less than 1.14.7,
| and greater than or equal to 1.15.0 and less than 1.15.4, and greater
| than or equal to 1.16.0 and less than 1.16.3, there is a cross-site
| scripting vulnerability in the Editor's LinkDialog plugin. This has
| been fixed in 1.11.11, 1.12.9, 1.13.8, 1.14.7, 1.15.4, 1.16.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-4051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4051
[1] https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#969669: node-node-forge: CVE-2020-7720

2020-09-06 Thread Salvatore Bonaccorso
Source: node-node-forge
Version: 0.9.1~dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 0.8.1~dfsg-1

Hi,

The following vulnerability was published for node-node-forge.

CVE-2020-7720[0]:
| The package node-forge before 0.10.0 is vulnerable to Prototype
| Pollution via the util.setPath function. Note: Version 0.10.0 is a
| breaking change removing the vulnerable functions.

As noted, the fix consists of removing the function as a whole, so it
might break users of the module accordingly.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
[1] https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
[2] https://github.com/digitalbazaar/forge/commit/6a1e3ef74f6eb345bcff1b82184201d1e28b6756

Regards,
Salvatore


[Pkg-javascript-devel] Bug#969668: grunt: CVE-2020-7729

2020-09-06 Thread Salvatore Bonaccorso
Source: grunt
Version: 1.0.4-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 
Control: found -1 1.0.1-8

Hi,

The following vulnerability was published for grunt.

CVE-2020-7729[0]:
| The package grunt before 1.3.0 are vulnerable to Arbitrary Code
| Execution due to the default usage of the function load() instead of
| its secure replacement safeLoad() of the package js-yaml inside
| grunt.file.readYAML.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7729
[1] https://github.com/gruntjs/grunt/commit/e350cea1724eb3476464561a380fb6a64e61e4e7
[2] https://snyk.io/vuln/SNYK-JS-GRUNT-597546

Regards,
Salvatore


[Pkg-javascript-devel] Bug#969309: node-bl: CVE-2020-8244

2020-08-31 Thread Salvatore Bonaccorso
Source: node-bl
Version: 4.0.2-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team 

Hi,

The following vulnerability was published for node-bl.

CVE-2020-8244[0]:
| A buffer over-read vulnerability exists in bl 4.0.3, 3.0.1 and
| 2.2.1 which could allow an attacker to supply user input (even
| typed) that if it ends up in consume() argument and can become
| negative, the BufferList state can be corrupted, tricking it into
| exposing uninitialized memory via regular .slice() calls.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8244
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8244
[1] https://github.com/rvagg/bl/commit/d3e240e3b8ba4048d3c76ef5fb9dd1f8872d3190
[2] https://hackerone.com/reports/966347

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#968094: node-prismjs: CVE-2020-15138

2020-08-08 Thread Salvatore Bonaccorso
Source: node-prismjs
Version: 1.11.0+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team 

Hi,

The following vulnerability was published for node-prismjs.

CVE-2020-15138[0]:
| Prism is vulnerable to Cross-Site Scripting. The easing preview of the
| Previewers plugin has an XSS vulnerability that allows attackers to
| execute arbitrary code in Safari and Internet Explorer. This impacts
| all Safari and Internet Explorer users of Prism >=v1.1.0 that use
| the _Previewers_ plugin (>=v1.10.0) or the _Previewer: Easing_
| plugin (v1.1.0 to v1.9.0). This problem is fixed in version 1.21.0. To
| workaround the issue without upgrading, disable the easing preview on
| all impacted code blocks. You need Prism v1.10.0 or newer to apply
| this workaround.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15138
[1] https://github.com/PrismJS/prism/security/advisories/GHSA-wvhm-4hhf-97x9
[2] https://github.com/PrismJS/prism/commit/8bba4880202ef6bd7a1e379fe9aebe69dd75f7be

Regards,
Salvatore


[Pkg-javascript-devel] Bug#965283: node-lodash: CVE-2020-8203

2020-07-18 Thread Salvatore Bonaccorso
Source: node-lodash
Version: 4.17.15+dfsg-2
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: Debian Security Team 

Hi,

The following vulnerability was published for node-lodash.

CVE-2020-8203[0]:
| Prototype pollution attack when using _.zipObjectDeep in lodash <=
| 4.17.15.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8203
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8203
[1] https://hackerone.com/reports/712065

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#964746: npm: CVE-2020-15095

2020-07-09 Thread Salvatore Bonaccorso
Source: npm
Version: 6.14.5+ds-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for npm.

CVE-2020-15095[0]:
| Versions of the npm CLI prior to 6.14.6 are vulnerable to an
| information exposure vulnerability through log files. The CLI supports
| URLs like "protocol://[user[:password]@]ho
| stname[:port][:][/]path". The password value is
| not redacted and is printed to stdout and also to any generated log
| files.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15095
[1] https://github.com/npm/cli/security/advisories/GHSA-93f3-23rq-pjfp
[2] https://github.com/npm/cli/commit/a9857b8f6869451ff058789c4631fadfde5bbcbc

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#963149: node-elliptic: CVE-2020-13822

2020-06-19 Thread Salvatore Bonaccorso
Source: node-elliptic
Version: 6.5.1~dfsg-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/indutny/elliptic/issues/226

Hi,

The following vulnerability was published for node-elliptic.

CVE-2020-13822[0]:
| The Elliptic package 6.5.2 for Node.js allows ECDSA signature
| malleability via variations in encoding, leading '\0' bytes, or
| integer overflows. This could conceivably have a security-relevant
| impact if an application relied on a single canonical signature.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-13822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13822
[1] https://github.com/indutny/elliptic/issues/226

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#962145: nodejs: CVE-2020-11080 CVE-2020-8172 CVE-2020-8174 (June 2020 security release)

2020-06-03 Thread Salvatore Bonaccorso
Source: nodejs
Version: 10.20.1~dfsg-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 10.19.0~dfsg1-1

Hi,

The following vulnerabilities were published for nodejs.

CVE-2020-11080[0]:
HTTP/2 Large Settings Frame DoS

CVE-2020-8172[1]:
TLS session reuse can lead to host certificate verification bypass

CVE-2020-8174[2]:
napi_get_value_string_*() allows various kinds of memory corruption

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-11080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11080
[1] https://security-tracker.debian.org/tracker/CVE-2020-8172
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8172
[2] https://security-tracker.debian.org/tracker/CVE-2020-8174
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8174
[3] https://nodejs.org/en/blog/vulnerability/june-2020-security-releases

Regards,
Salvatore


[Pkg-javascript-devel] Bug#953762: node-minimist: CVE-2020-7598

2020-03-12 Thread Salvatore Bonaccorso
Source: node-minimist
Version: 1.2.0-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for node-minimist.

CVE-2020-7598[0]:
| minimist before 1.2.2 could be tricked into adding or modifying
| properties of Object.prototype using a "constructor" or "__proto__"
| payload.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-7598
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7598
[1] https://snyk.io/vuln/SNYK-JS-MINIMIST-559764
[2] https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94

Regards,
Salvatore


[Pkg-javascript-devel] Bug#953587: dojo: CVE-2020-5259

2020-03-10 Thread Salvatore Bonaccorso
Source: dojo
Version: 1.15.2+dfsg1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for dojo.

CVE-2020-5259[0]:
| In affected versions of dojox (NPM package), the jqMix method is
| vulnerable to Prototype Pollution. Prototype Pollution refers to the
| ability to inject properties into existing JavaScript language
| construct prototypes, such as objects. An attacker manipulates these
| attributes to overwrite, or pollute, a JavaScript application object
| prototype of the base object by injecting other values. This has been
| patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5259
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5259
[1] https://github.com/dojo/dojox/security/advisories/GHSA-3hw5-q855-g6cw
[2] https://github.com/dojo/dojox/commit/47d1b302b5b23d94e875b77b9b9a8c4f5622c9da

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#953585: dojo: CVE-2020-5258

2020-03-10 Thread Salvatore Bonaccorso
Source: dojo
Version: 1.15.2+dfsg1-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for dojo.

CVE-2020-5258[0]:
| In affected versions of dojo (NPM package), the deepCopy method is
| vulnerable to Prototype Pollution. Prototype Pollution refers to the
| ability to inject properties into existing JavaScript language
| construct prototypes, such as objects. An attacker manipulates these
| attributes to overwrite, or pollute, a JavaScript application object
| prototype of the base object by injecting other values. This has been
| patched in versions 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-5258
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5258
[1] https://github.com/dojo/dojo/security/advisories/GHSA-jxfh-8wgv-vfr2
[2] https://github.com/dojo/dojo/commit/20a00afb68f5587946dc76fbeaa68c39bda2171d

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
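
A hardened version of the deep-merge and path-set pattern behind the prototype-pollution reports in this thread (y18n, node-forge util.setPath, lodash _.zipObjectDeep, minimist, dojo deepCopy and jqMix), shown beside the naive form; this is an added example and not code from any of those projects, and every function and class name is this example's own.

```javascript
'use strict';
// Added example (not code from y18n, node-forge, lodash, minimist or dojo):
// a deep merge and a dotted-path setter hardened against prototype
// pollution, the bug class behind CVE-2020-7774, CVE-2020-7720,
// CVE-2020-8203, CVE-2020-7598, CVE-2020-5258 and CVE-2020-5259.

// Property names through which a plain object reaches Object.prototype
// (or a function's prototype) when used as a path segment.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object') return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// The naive recursive merge most of the vulnerable helpers amounted to:
// it enumerates attacker-controlled keys and reads target[key] without an
// ownership check, so target['__proto__'] resolves to Object.prototype and
// the next level of the merge writes into it.
function unsafeMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    if (isPlainObject(value)) {
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function assertSafeKey(key) {
  if (UNSAFE_KEYS.has(key)) {
    throw new TypeError(`refusing to set reserved property "${key}"`);
  }
}

// Hardened merge: reserved keys are rejected outright, only own keys of the
// source are visited, and the merge never descends into an inherited value.
function safeMerge(target, source) {
  if (!isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    assertSafeKey(key);
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Dotted-path setter in the style of util.setPath / _.set, with the same
// guard applied to every segment before anything is written.
function safeSetPath(obj, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  parts.forEach(assertSafeKey);
  let cursor = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const part = parts[i];
    if (!hasOwn(cursor, part) || !isPlainObject(cursor[part])) cursor[part] = {};
    cursor = cursor[part];
  }
  cursor[parts[parts.length - 1]] = value;
  return obj;
}

// Registry keyed by user-supplied names (locales, highlighter language
// names): a Map has no prototype chain, so '__proto__' is just a string key.
class NamedStore {
  constructor() { this.entries = new Map(); }
  update(name, values) {
    const current = this.entries.get(name) || {};
    this.entries.set(name, safeMerge(current, values));
    return this;
  }
  get(name) { return this.entries.get(name); }
}

// Replays a JSON payload in the shape of the y18n/minimist reports against
// the naive merge and reports whether unrelated objects were affected; the
// property is removed again so the process is not left polluted.
function demonstratePollution() {
  const payload = JSON.parse('{"__proto__": {"polluted": true}}');
  try {
    unsafeMerge({}, payload);
    return ({}).polluted === true;
  } finally {
    delete Object.prototype.polluted;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive merge pollutes Object.prototype:', demonstratePollution());
  console.log('safeSetPath:', JSON.stringify(safeSetPath({}, 'a.b.c', 1)));
}
```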


[Pkg-javascript-devel] Bug#952912: node-yarnpkg: CVE-2020-8131

2020-03-01 Thread Salvatore Bonaccorso
Source: node-yarnpkg
Version: 1.21.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/yarnpkg/yarn/pull/7831

Hi,

The following vulnerability was published for node-yarnpkg.

CVE-2020-8131[0]:
| Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows
| attackers to write to any path on the filesystem and potentially lead
| to arbitrary code execution by forcing the user to install a malicious
| package.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-8131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8131
[1] https://github.com/yarnpkg/yarn/pull/7831
[2] https://hackerone.com/reports/730239

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#952771: dojo: CVE-2019-10785

2020-02-28 Thread Salvatore Bonaccorso
Source: dojo
Version: 1.15.0+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 1.14.2+dfsg1-1

Hi,

The following vulnerability was published for dojo.

CVE-2019-10785[0]:
| dojox is vulnerable to Cross-site Scripting in all versions before
| version 1.16.1, 1.15.2, 1.14.5, 1.13.6, 1.12.7 and 1.11.9. This is due
| to dojox.xmpp.util.xmlEncode only encoding the first occurrence of
| each character, not all of them.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10785
[1] https://github.com/dojo/dojox/security/advisories/GHSA-pg97-ww7h-5mjr
[2] https://snyk.io/vuln/SNYK-JS-DOJOX-548257

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#948095: node-kind-of: CVE-2019-20149

2020-01-03 Thread Salvatore Bonaccorso
Source: node-kind-of
Version: 6.0.2+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jonschlinkert/kind-of/issues/30

Hi,

The following vulnerability was published for node-kind-of.

CVE-2019-20149[0]:
| ctorName in index.js in kind-of v6.0.2 allows external user input to
| overwrite certain internal attributes via a conflicting name, as
| demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted
| payload can overwrite this builtin attribute to manipulate the type
| detection result.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-20149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20149
[1] https://github.com/jonschlinkert/kind-of/issues/30
[2] https://github.com/jonschlinkert/kind-of/pull/31

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled


[Pkg-javascript-devel] Bug#947127: npm: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777

2019-12-21 Thread Salvatore Bonaccorso
Source: npm
Version: 5.8.0+ds6-4
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for npm.

CVE-2019-16775[0]:
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
| File Write. It is possible for packages to create symlinks to files
| outside of the node_modules folder through the bin field upon
| installation. A properly constructed entry in the package.json bin
| field would allow a package publisher to create a symlink pointing to
| arbitrary files on a user's system when the package is
| installed. This behavior is still possible through install scripts.
| This vulnerability bypasses a user using the --ignore-scripts install
| option.


CVE-2019-16776[1]:
| Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary
| File Write. It fails to prevent access to folders outside of the
| intended node_modules folder through the bin field. A properly
| constructed entry in the package.json bin field would allow a package
| publisher to modify and/or gain access to arbitrary files on a
| user's system when the package is installed. This behavior
| is still possible through install scripts. This vulnerability bypasses
| a user using the --ignore-scripts install option.


CVE-2019-16777[2]:
| Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary
| File Overwrite. It fails to prevent existing globally-installed
| binaries to be overwritten by other package installations. For
| example, if a package was installed globally and created a serve
| binary, any subsequent installs of packages that also create a serve
| binary would overwrite the previous serve binary. This behavior is
| still allowed in local installations and also through install scripts.
| This vulnerability bypasses a user using the --ignore-scripts install
| option.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16775
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16775
[1] https://security-tracker.debian.org/tracker/CVE-2019-16776
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16776
[2] https://security-tracker.debian.org/tracker/CVE-2019-16777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16777

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#943560: node-knockout: CVE-2019-14862

2019-10-26 Thread Salvatore Bonaccorso
Source: node-knockout
Version: 3.4.2-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for node-knockout.

CVE-2019-14862[0]:
| Cross-site Scripting (XSS) attacks due to not escaping the name
| attribute.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14862
[1] https://github.com/knockout/knockout/issues/1244

Regards,
Salvatore


[Pkg-javascript-devel] Bug#941354: node-yarnpkg: CVE-2019-5448

2019-10-03 Thread Salvatore Bonaccorso
Hi Xavier,

On Thu, Oct 03, 2019 at 06:27:40PM +0200, Xavier wrote:
> Hi,
> 
> I don't know if you want to DSA this bug. Anyway here is the patch.

I think we can have this scheduled via the next point releases as well.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#941354: proposed fix

2019-09-29 Thread Salvatore Bonaccorso
On Sun, Sep 29, 2019 at 02:43:21PM +0200, Paolo Greppi wrote:
> I have imported the upstream patch in a new version 1.13.0-3:
> https://salsa.debian.org/js-team/node-yarnpkg/commit/6808cd918e8c12182e14666c715bb1d372d82449/pipelines
> 
> I have checked that it now uses https even if http links are present in 
> yarn.lock as follows:
> 
> mkdir /tmp/qw
> cd /tmp/qw
> yarnpkg add string-width
> rm -rf node_modules/
> sed -i 's/https:/http:/g' yarn.lock
> yarnpkg cache clean strip-ansi
> yarnpkg cache clean string-width
> yarnpkg cache clean ansi-regex
> yarnpkg cache clean emoji-regex
> yarnpkg cache clean is-fullwidth-code-point
> yarnpkg cache clean strip-ansi
> 
> strace -s 256 yarnpkg install &> q
> ping registry.yarnpkg.com # it's 104.16.22.35
> grep 104.16.22.35 q
> 
> I get this:
> connect(21, {sa_family=AF_INET, sin_port=htons(443), 
> sin_addr=inet_addr("104.16.22.35")}, 16) = -1 EINPROGRESS (Operazione ora in 
> corso)
> connect(22, {sa_family=AF_INET, sin_port=htons(443), 
> sin_addr=inet_addr("104.16.22.35")}, 16) = -1 EINPROGRESS (Operazione ora in 
> corso)
> connect(26, {sa_family=AF_INET, sin_port=htons(443), 
> sin_addr=inet_addr("104.16.22.35")}, 16) = -1 EINPROGRESS (Operazione ora in 
> corso)
> connect(27, {sa_family=AF_INET, sin_port=htons(443), 
> sin_addr=inet_addr("104.16.22.35")}, 16) = -1 EINPROGRESS (Operazione ora in 
> corso)
> connect(28, {sa_family=AF_INET, sin_port=htons(443), 
> sin_addr=inet_addr("104.16.22.35")}, 16) = -1 EINPROGRESS (Operazione ora in 
> corso)
> 
> Should I upload this to unstable ?

Yes, either that or even uploading the new upstream version fixing
the issue; both will work here as bullseye is a long way away.

> Will it automatically roll to stable ?

No. But we need to decide if the update should go out via a DSA or if
releasing it in a point release is enough.

Regards,
Salvatore


[Pkg-javascript-devel] Bug#941354: node-yarnpkg: CVE-2019-5448

2019-09-29 Thread Salvatore Bonaccorso
Source: node-yarnpkg
Version: 1.13.0-2
Severity: important
Tags: security upstream
Control: found -1 1.13.0-1

Hi,

The following vulnerability was published for node-yarnpkg.

CVE-2019-5448[0]:
| Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive
| Data due to HTTP URLs in lockfile causing unencrypted authentication
| data to be sent over the network.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5448
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5448
[1] https://yarnpkg.com/blog/2019/07/12/recommended-security-update/
[2] https://hackerone.com/reports/640904

Regards,
Salvatore

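Paolo's strace check above verifies the fix on the wire; as an added example (not code from the bug thread or from yarn itself), the script below audits a yarn.lock offline for the plain http:// `resolved` URLs that CVE-2019-5448 is about and emits a copy rewritten to https://. The sample lockfile is constructed and its digests are placeholders.

```javascript
// Added example, not code from the bug report or from yarn: audit a yarn.lock
// (v1 format) for "resolved" URLs using plain http://, the condition behind
// CVE-2019-5448, and produce a copy with those URLs upgraded to https://.

// Constructed sample lockfile; the values after "#" and in "integrity" are
// placeholders, not real digests.
const SAMPLE_LOCK = `# yarn lockfile v1

ansi-regex@^4.1.0:
  version "4.1.0"
  resolved "http://registry.yarnpkg.com/ansi-regex/-/ansi-regex-4.1.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER

string-width@^4.1.0:
  version "4.2.0"
  resolved "https://registry.yarnpkg.com/string-width/-/string-width-4.2.0.tgz#PLACEHOLDER"
  integrity sha512-PLACEHOLDER
  dependencies:
    strip-ansi "^5.1.0"
`;

// Parse the lockfile into [{ key, resolved }]. A top-level entry starts at
// column 0 and ends with ":"; its "resolved" line is indented beneath it.
function parseLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (line.startsWith('#') || line.trim() === '') continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      current = { key: line.slice(0, -1), resolved: null };
      entries.push(current);
      continue;
    }
    const m = /^[ \t]+resolved[ \t]+"([^"]+)"/.exec(line);
    if (m && current) current.resolved = m[1];
  }
  return entries;
}

// Entries whose tarball (and any registry credential) would travel in clear.
function findInsecureResolved(text) {
  return parseLock(text).filter(e => e.resolved && /^http:\/\//i.test(e.resolved));
}

// Rewrite only the "resolved" URLs from http:// to https://; the rest of the
// file, integrity lines included, is left untouched.
function upgradeResolvedToHttps(text) {
  return text.replace(/^([ \t]+resolved[ \t]+")http:\/\//gmi, '$1https://');
}
```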

[Pkg-javascript-devel] Bug#941189: Bug#941189: node-set-value: CVE-2019-10747

2019-09-26 Thread Salvatore Bonaccorso
Hi Xavier,

On Thu, Sep 26, 2019 at 07:31:21AM +0200, Xavier wrote:
> On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote:
> > Source: node-set-value
> > Version: 0.4.0-1
> > Severity: important
> > Tags: security upstream
> > Control: found -1 3.0.0-1
> > 
> > Hi,
> > 
> > The following vulnerability was published for node-set-value.
> > 
> > CVE-2019-10747[0]:
> > | set-value is vulnerable to Prototype Pollution in versions lower than
> > | 3.0.1. The function mixin-deep could be tricked into adding or
> > | modifying properties of Object.prototype using any of the constructor,
> > | prototype and _proto_ payloads.
> > 
> > 
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> > 
> > For further information see:
> > 
> > [0] https://security-tracker.debian.org/tracker/CVE-2019-10747
> > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
> > [1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213
> 
> Hi,
> 
> here is a patch for Buster

Thanks, you are fast :). I think like other similar cases for node-*
modules we can go the buster-pu route here as well.

Unless you object, I will mark it as no-dsa (Can be fixed via point
release).

Regards,
Salvatore


[Pkg-javascript-devel] Bug#941189: node-set-value: CVE-2019-10747

2019-09-25 Thread Salvatore Bonaccorso
Source: node-set-value
Version: 0.4.0-1
Severity: important
Tags: security upstream
Control: found -1 3.0.0-1

Hi,

The following vulnerability was published for node-set-value.

CVE-2019-10747[0]:
| set-value is vulnerable to Prototype Pollution in versions lower than
| 3.0.1. The function mixin-deep could be tricked into adding or
| modifying properties of Object.prototype using any of the constructor,
| prototype and _proto_ payloads.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-10747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10747
[1] https://snyk.io/vuln/SNYK-JS-SETVALUE-450213

Regards,
Salvatore

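As an added example (not code from the bug report or from the set-value/mixin-deep projects), the merge below reproduces the class of bug CVE-2019-10747 describes next to a hardened variant that refuses the prototype-reaching keys; the JSON payload in the check is constructed for the demonstration.

```javascript
// Added example, not code from the bug report or from set-value/mixin-deep:
// a minimal recursive merge of the kind the CVE describes, beside a hardened
// version that refuses the "__proto__", "constructor" and "prototype" keys.

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Naive deep merge: it descends into every key of `source`, so a "__proto__"
// key makes it recurse into target.__proto__, i.e. Object.prototype.
function mixinDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isObject(val) && isObject(target[key])) {
      mixinDeepUnsafe(target[key], val);
    } else if (isObject(val)) {
      target[key] = mixinDeepUnsafe({}, val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: prototype-reaching keys are skipped, and only own
// properties of `target` are descended into, so nothing inherited is written.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mixinDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const val = source[key];
    if (isObject(val)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isObject(target[key])) {
        target[key] = {};
      }
      mixinDeepSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Feed one merge implementation a constructed JSON payload with a "__proto__"
// key and report whether a fresh object afterwards carries the injected
// property; any pollution is removed again so later code is unaffected.
function pollutionCheck(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"polluted": "yes"}}');
  mergeFn({}, payload);
  const leaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return leaked;
}
```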
