Your message dated Thu, 21 Dec 2023 17:20:14 +0000
with message-id <[email protected]>
and subject line Bug#1053262: fixed in node-get-func-name 2.0.2-1
has caused the Debian Bug report #1053262,
regarding node-get-func-name: CVE-2023-43646
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1053262: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053262
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-get-func-name
Version: 2.0.0+dfsg-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-get-func-name.

CVE-2023-43646[0]:
| get-func-name is a module to retrieve a function's name securely and
| consistently both in NodeJS and the browser. Versions prior to 2.0.1
| are subject to a regular expression denial of service (redos)
| vulnerability which may lead to a denial of service when parsing
| malicious input. This vulnerability can be exploited when there is
| an imbalance in parentheses, which results in excessive backtracking
| and subsequently increases the CPU load and processing time
| significantly. This vulnerability can be triggered using the
| following input: '\t'.repeat(54773) + '\t/function/i'. This issue
| has been addressed in commit `f934b228b` which has been included in
| releases from 2.0.1. Users are advised to upgrade. There are no
| known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43646
    https://www.cve.org/CVERecord?id=CVE-2023-43646
[1] https://github.com/chaijs/get-func-name/security/advisories/GHSA-4q6p-r6v2-jvc5
[2] https://github.com/chaijs/get-func-name/commit/f934b228b5e2cb94d6c8576d3aac05493f667c69

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
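The CVE text quoted in the report describes the general shape of a regular-expression denial of service: a pattern applied to attacker-influenced text of unbounded length backtracks super-linearly, so a few tens of kilobytes of whitespace pin the CPU. The following is an added example, not code from get-func-name, from its upstream fix commit, or from the Debian package; it shows the defensive pattern a maintainer would reach for when a regex has to scan function source text: prefer the engine-provided `name`, refuse to run the regex at all when the text before the parameter list is missing or longer than a fixed bound, and keep the pattern anchored with no nested quantifiers so its cost is linear in that bounded head. The constant `MAX_HEAD_LENGTH`, the function names and the sample inputs are this example's own assumptions; only the trigger string comes from the advisory text above.

```javascript
// Added example (not code from get-func-name or Debian): a bounded,
// anchored fallback for recovering a function's name from its source text.
// The order of defences is the point: prefer the engine-provided `name`,
// never run a regex over unbounded attacker-influenced text, and keep the
// regex anchored and free of nested quantifiers so its cost stays linear.

// Assumption (not from the advisory): 512 characters is a generous upper
// bound for "<keyword(s)> <name>" before the parameter list opens.
const MAX_HEAD_LENGTH = 512;

// Anchored at ^ so the engine tries a single start position; the only
// repeated group alternates between disjoint first characters (whitespace
// vs. "/*"), so no input makes it backtrack super-linearly. Handles
// `function foo(`, `async function foo(`, `function* gen(` and
// `function /* note */ foo(`.
const FUNCTION_HEAD = /^\s*(?:async\s+)?function\s*\*?(?:\s|\/\*[^*]*\*\/)*([^\s(\/*]+)\s*$/;

// Extract a declared name from source text, or '' when none can be found
// cheaply. Only the text before the first '(' is examined, and only if that
// prefix is short; the regex therefore never sees more than MAX_HEAD_LENGTH
// characters, which bounds its worst-case work regardless of the pattern.
function nameFromSource(source) {
  const paren = source.indexOf('(');
  if (paren < 0 || paren > MAX_HEAD_LENGTH) {
    // No parameter list, or one that is pathologically far away: a named
    // `function` declaration cannot look like this, so do not run the regex.
    return '';
  }
  const match = FUNCTION_HEAD.exec(source.slice(0, paren));
  return match ? match[1] : '';
}

// Entry point: null for non-functions (so callers can tell "not a function"
// from "anonymous"), the engine's `name` when it exists, and the bounded
// source scan only as a last resort.
function getFuncName(fn) {
  if (typeof fn !== 'function') return null;
  if (typeof fn.name === 'string' && fn.name !== '') return fn.name;
  return nameFromSource(Function.prototype.toString.call(fn));
}

// Constructed inputs, plus the trigger string quoted in the advisory.
// The trigger contains no '(' so it is rejected before any regex work.
const REDOS_TRIGGER = '\t'.repeat(54773) + '\t/function/i';

function demo() {
  return {
    named: getFuncName(function myFn() {}),
    notAFunction: getFuncName(42),
    plain: nameFromSource('function  foo (a, b) { return a + b; }'),
    asyncFn: nameFromSource('async function fetchIt(url) {}'),
    generator: nameFromSource('function* gen() {}'),
    commented: nameFromSource('function /* note */ foo (x) {}'),
    anonymous: nameFromSource('function () {}'),
    arrow: nameFromSource('(a) => a'),
    trigger: nameFromSource(REDOS_TRIGGER),
    // Parameter list more than MAX_HEAD_LENGTH characters in: refused.
    farParen: nameFromSource('function ' + 'x'.repeat(600) + '() {}'),
  };
}

console.log(demo());
```

The length guard is what makes the regex choice a secondary concern: once the scanned head is capped at a few hundred characters, even a poorly written pattern finishes in microseconds, and a source text with no parameter list at all (the shape of the quoted trigger) never reaches the matcher. The advisory records no workaround for the affected package, so for deployed systems the fix remains upgrading to 2.0.1 or later; the pattern above is what such an upgrade buys.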
--- Begin Message ---
Source: node-get-func-name
Source-Version: 2.0.2-1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-get-func-name, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-get-func-name package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 21 Dec 2023 20:56:35 +0400
Source: node-get-func-name
Architecture: source
Version: 2.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1053262
Changes:
 node-get-func-name (2.0.2-1) unstable; urgency=medium
 .
   * Team upload
   * Update standards version to 4.6.2, no changes needed.
   * Use GitHub tags, not npm registry
   * New upstream version (Closes: #1053262, CVE-2023-43646)
   * Build with browserify like upstream
   * Enable test (mocha)
Checksums-Sha1:
 60cdf4248572d3c0e89dc78ef21b7c69531b5c95 2166 node-get-func-name_2.0.2-1.dsc
 b0aae4f7cfe09e2f80b024f2364486e2a9edc804 112194 node-get-func-name_2.0.2.orig.tar.gz
 0a09bba95de7820872d1e2c3a33980c9d94dc986 3636 node-get-func-name_2.0.2-1.debian.tar.xz
Checksums-Sha256:
 25c61e41a5458d4cd6c18b2f75a0a00c9dc9050fa29391e1c1f8bc5fff02fad8 2166 node-get-func-name_2.0.2-1.dsc
 a3f96ecb8fd54271d38e2843dad3ce3e50c8e41718d601b950ea7eab60f35d14 112194 node-get-func-name_2.0.2.orig.tar.gz
 578f8c4de2ebd07259ffd7e846aecd06848d7ddbf402be513d20d7d9d8d80a00 3636 node-get-func-name_2.0.2-1.debian.tar.xz
Files:
 e4172248b622c2100834d1477f578418 2166 javascript optional node-get-func-name_2.0.2-1.dsc
 77765eff53d45b61e9f4df3ef7098183 112194 javascript optional node-get-func-name_2.0.2.orig.tar.gz
 514d201096822bf2fa88fbb682c0fcbb 3636 javascript optional node-get-func-name_2.0.2-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmWEbpMACgkQ9tdMp8mZ
7unxZQ/6A6B9l0k+PfD2JymGLjbOMaIkEpHQG11AcDans671ADFmfEG28r3Oz4Vs
F6GLSskjszs2bFIhVoGer4z2BRGwEPS7vggAZiR6vyJHm7LfE+BCLyvLAoqqGzrA
ccW/Us8Zomn1v0/tyggMvaFHRpbm4GHrdzevvO5LlsrEmSxP07BtEpNU3xhG7aNQ
ZymfSTNN/MwH5HPVf6X3B9cmYSId8qsxETlSY0zs/ryT8ocO3k18TJSVNINBiROG
+vGAtUv0fEfHifzFP/EmThnVAcBzqtkAbfAGWMoQDahGI1Q7teoJwdrf3XA4tJn5
OB3KnHF9SOZOQxMuVowBGuUmJ+jcYHTPv6J0ActtzwLIRvUNx85kIDq6CoT9Iaux
AXmt0qmSLtL39NUNHc7Kcg6SUNp+OWvasTTfRI/h19zgRRKnp6+2JAOOLedfh7bk
pwHBUZ20eJ0TWDo3xkbErS9dd/RpPQBR4ccNuMlhwCDSzwDOqi60XCfjkkRYlBYN
NA8H6282BAMord1Zer0yW2RDXq/D2emsWYQFaUkvYCkGxWbXs27p2To5hvrM1dcm
pb1B2hTMTJaVCzGpp/KmMes50J00lH3IkWkalKgGrdVKOwbKvnaRO3iAdZnrucDR
T4CBz+0+ecSwIPVQVM8z67A0ecJf22vS8Sbx6/xG9BA794Oop+Y=
=yq6D
-----END PGP SIGNATURE-----

--- End Message ---