Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: c96e2f59 by Bastien Roucariès at 2024-01-04T23:07:26+00:00 CVE-2023-28154 is not present in webpack3 Magic comment are not interpreted by vm.runInNewContext(`(function(){return {${value}};})()`); and use json.parse that is safe - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -45603,7 +45603,7 @@ CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object access - node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904) [bookworm] - node-webpack 5.75.0+dfsg+~cs17.16.14-1+deb12u1 [bullseye] - node-webpack 4.43.0-6+deb11u1 - [buster] - node-webpack <no-dsa> (Minor issue) + [buster] - node-webpack <not-affected> (vulnerable code vm.runInNewContext(`(function(){return {${value}};})()`); is not present. Introduced latter) NOTE: https://github.com/webpack/webpack/pull/16500 NOTE: Merge commit: https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80 (v5.76.0) CVE-2023-1363 (A vulnerability, which was classified as problematic, was found in Sou ...) ===================================== data/dla-needed.txt ===================================== @@ -146,10 +146,6 @@ linux-5.10 mariadb-10.3 NOTE: 20231129: Added by Front-Desk (Beuc) -- -node-webpack - NOTE: 20231005: Added by Front-Desk (Beuc) - NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk) --- nova NOTE: 20230302: Re-add, request by maintainer (Beuc) NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96e2f599fd0e3ef214e427c84232e0b8ce65d5a -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96e2f599fd0e3ef214e427c84232e0b8ce65d5a You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list debian-security-tracker-commits@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits