Your message dated Tue, 10 Mar 2026 08:36:04 +0000
with message-id <[email protected]>
and subject line Bug#1129260: fixed in node-rollup 3.30.0-1
has caused the Debian Bug report #1129260,
regarding node-rollup: CVE-2026-27606
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129260: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129260
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-rollup
Version: 3.29.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-rollup.
CVE-2026-27606[0]:
| Rollup is a module bundler for JavaScript. Versions prior to 2.80.0,
| 3.30.0, and 4.59.0 of the Rollup module bundler (specifically v4.x
| and present in current source) are vulnerable to an Arbitrary File
| Write via Path Traversal. Insecure file name sanitization in the
| core engine allows an attacker to control output filenames (e.g.,
| via CLI named inputs, manual chunk aliases, or malicious plugins)
| and use traversal sequences (`../`) to overwrite files anywhere on
| the host filesystem that the build process has permissions for. This
| can lead to persistent Remote Code Execution (RCE) by overwriting
| critical system or user configuration files. Versions 2.80.0,
| 3.30.0, and 4.59.0 contain a patch for the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27606
https://www.cve.org/CVERecord?id=CVE-2026-27606
[1] https://github.com/rollup/rollup/security/advisories/GHSA-mw96-cpmx-2vgc
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-rollup
Source-Version: 3.30.0-1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-rollup, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-rollup package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 10 Mar 2026 08:57:47 +0100
Source: node-rollup
Architecture: source
Version: 3.30.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1129260
Changes:
node-rollup (3.30.0-1) unstable; urgency=medium
.
* Team upload
* Drop "Rules-Requires-Root: no"
* debian/watch version 5
* New upstream version (Closes: #1129260, CVE-2026-27606)
* Unfuzz patches
Checksums-Sha1:
9b3dfe4560e259efa830b94eb2a4664a41b6da29 3370 node-rollup_3.30.0-1.dsc
0b27a4d5bd00ffa7476e93251393589b16c724d3 1593918 node-rollup_3.30.0.orig.tar.gz
76960f65a5c5fcee7850410697187ad4834d14b0 61772 node-rollup_3.30.0-1.debian.tar.xz
Checksums-Sha256:
66d924b3519d1809d9341ad62bd4d2caf3337f4b33f5b3ad53169cbc9e2fbb6f 3370 node-rollup_3.30.0-1.dsc
48c6c407f4340d998003251d0fa68d4080cb35118f975affce3b39e235390380 1593918 node-rollup_3.30.0.orig.tar.gz
712dfeae4519ec5684f309b0e137f9380471dbc62b8aac1d85c2d552fa26b580 61772 node-rollup_3.30.0-1.debian.tar.xz
Files:
d327450c10abe1c0c2cbdfae90abbab6 3370 javascript optional node-rollup_3.30.0-1.dsc
daefc541fcabad72206aa52241ed6110 1593918 javascript optional node-rollup_3.30.0.orig.tar.gz
d0958cd7cef1c4d2949175bdeaab38ea 61772 javascript optional node-rollup_3.30.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---