Your message dated Sun, 29 Mar 2026 16:48:28 +0200
with message-id <[email protected]>
and subject line Re: Accepted node-brace-expansion 2.0.3+~1.1.2-1 (source) into unstable
has caused the Debian Bug report #1132163,
regarding node-brace-expansion: CVE-2026-33750
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132163: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132163
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-brace-expansion
Version: 2.0.1+~1.1.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-brace-expansion.

CVE-2026-33750[0]:
| The brace-expansion library generates arbitrary strings containing a
| common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and
| 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`)
| causes the sequence generation loop to run indefinitely, making the
| process hang for seconds and allocate heaps of memory. Versions
| 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround,
| sanitize strings passed to `expand()` to ensure a step value of `0`
| is not used.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33750
    https://www.cve.org/CVERecord?id=CVE-2026-33750
[1] https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
[2] https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
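The workaround in the advisory above (sanitize strings before they reach `expand()` so a step of `0` is never used), as an added example that is not code from brace-expansion, the Debian package or this bug report: a pre-filter that flags any brace sequence whose step parses to zero, a wrapper that refuses to call through on such input, and an illustrative sequence loop carrying the guard the unfixed versions lacked. The names `hasZeroStep`, `safeExpand` and `expandSequence` are invented here; the loop shape is modelled on the advisory's description, not copied from the upstream fix commit, and `expand(pattern) -> string[]` is assumed to be the shape of the real API.

```javascript
// Added example (not brace-expansion's own code): defensive handling of the
// zero-step brace sequence described in CVE-2026-33750, e.g. "{1..2..0}".

// Inner text of a {...} sequence: numeric or single-letter endpoints with an
// optional "..step" suffix, e.g. "1..2..0", "a..z..00", "-5..5..-0".
const SEQ_RE = /^(-?\d+|[A-Za-z])\.\.(-?\d+|[A-Za-z])(?:\.\.(-?\d+))?$/;

// True when `pattern` contains a brace sequence whose step parses to 0.
// "0", "-0" and "00" all parse to 0. Innermost {...} spans are examined,
// which is enough because a sequence body never contains braces; escaped
// braces are flagged too, so this pre-filter errs on the side of rejecting.
function hasZeroStep(pattern) {
  const inner = /\{([^{}]*)\}/g;
  let m;
  while ((m = inner.exec(pattern)) !== null) {
    const seq = SEQ_RE.exec(m[1]);
    if (seq && seq[3] !== undefined && parseInt(seq[3], 10) === 0) return true;
  }
  return false;
}

// Wrapper for an unpatched expand(): returns the pattern unexpanded instead
// of calling through when a zero step is present. `expandFn` is injected so
// this file runs without the library installed (assumption: expand(pattern)
// returns an array of strings).
function safeExpand(pattern, expandFn) {
  if (hasZeroStep(pattern)) return [pattern];
  return expandFn(pattern);
}

// Illustrative numeric sequence generator (not the library's code). A loop
// of the form "for (i = x; test(i, y); i += incr)" never terminates when
// incr is 0, because i never moves; the guard below closes that path.
function expandSequence(x, y, step) {
  const incr = Math.abs(step);          // Math.abs(-0) is 0, so "-0" is caught
  if (incr === 0) throw new RangeError('zero step in brace sequence');
  const reverse = x > y;
  const test = reverse ? (i) => i >= y : (i) => i <= y;
  const out = [];
  for (let i = x; test(i); i += reverse ? -incr : incr) out.push(String(i));
  return out;
}

// Constructed sample inputs for a stand-alone run.
for (const p of ['{1..2..0}', '{a..z..-0}', '{1..10..2}', 'x{a,{1..3..00}}y']) {
  console.log(p, '-> zero step:', hasZeroStep(p));
}
console.log(expandSequence(1, 5, 2), expandSequence(5, 1, 2));

module.exports = { hasZeroStep, safeExpand, expandSequence };
```

In a deployment that cannot move to a fixed version immediately, `safeExpand` sits in front of every call site that passes untrusted input to `expand()`; once the package is upgraded to 2.0.3 or later, the pre-filter can be kept as defence in depth.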
--- Begin Message ---
Source: node-brace-expansion
Source-Version: 2.0.3+~1.1.2-1

On Sun, Mar 29, 2026 at 09:49:25AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> Format: 1.8
> Date: Sun, 29 Mar 2026 11:36:04 +0200
> Source: node-brace-expansion
> Architecture: source
> Version: 2.0.3+~1.1.2-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Javascript Maintainers <[email protected]>
> Changed-By: Xavier Guimard <[email protected]>
> Changes:
>  node-brace-expansion (2.0.3+~1.1.2-1) unstable; urgency=medium
>  .
>    * Team upload
>    * Declare compliance with policy 4.7.3
>    * Drop "Rules-Requires-Root: no"
>    * Drop "Priority: optional"
>    * debian/watch version 5
>    * New upstream version (Closes: CVE-2026-33750)
>    * Drop patch included in upstream
> Checksums-Sha1: 
>  9db87df3a24071e0267d64076d6bc1cbb7134271 2578 node-brace-expansion_2.0.3+~1.1.2-1.dsc
>  bb3f1ed53b210d00e38e2b81e2d60a2f76e0153a 1538 node-brace-expansion_2.0.3+~1.1.2.orig-types-brace-expansion.tar.gz
>  7df706456f74c9df78fa060bdac20eff7ed876b4 16234 node-brace-expansion_2.0.3+~1.1.2.orig.tar.gz
>  a82750bfc49bb255bf85c3ded28fbb635da19835 3316 node-brace-expansion_2.0.3+~1.1.2-1.debian.tar.xz
> Checksums-Sha256: 
>  8284b4a793a5a6585d07ffe79bd555c7a52c67ff0bc2916d8cd1b8e745da5b69 2578 node-brace-expansion_2.0.3+~1.1.2-1.dsc
>  6306b27f6ad1bde7ed62f417d9bffc9f62ecd1627234cfa2e67cb363f6580aa5 1538 node-brace-expansion_2.0.3+~1.1.2.orig-types-brace-expansion.tar.gz
>  ac482c233459ba51a582fc87a9e8f9778c9ca37490d516cd97c1ad9be5a92556 16234 node-brace-expansion_2.0.3+~1.1.2.orig.tar.gz
>  7ef9bb22b8ad71f9595bd7acdec66d23b7380f35ef31ce82e6720cbccd2f4a90 3316 node-brace-expansion_2.0.3+~1.1.2-1.debian.tar.xz
> Files: 
>  98e595cd88ec3bda57b7def42e70c483 2578 javascript optional node-brace-expansion_2.0.3+~1.1.2-1.dsc
>  adb508b32d83eddca9e84f2cee777e5c 1538 javascript optional node-brace-expansion_2.0.3+~1.1.2.orig-types-brace-expansion.tar.gz
>  99daaa5aa0211109f04273c2f5a2e7ca 16234 javascript optional node-brace-expansion_2.0.3+~1.1.2.orig.tar.gz
>  42941282a8635eb1edc514430455c2f2 3316 javascript optional node-brace-expansion_2.0.3+~1.1.2-1.debian.tar.xz
> 
> -----BEGIN PGP SIGNATURE-----
> 
> iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmnI8r4ACgkQ9tdMp8mZ
> 7uniag//QXfDOfIahe5HQCms63n4izGtJkOTe370IEPW7HXXUH3vct8sctlDaxNc
> 71Z0qyFDOOdvj7UcYt4DProU1f2d2CaYbZWwfk8Gzn6mzjuo2TO1aKU4qslp273J
> 6BPWZ4zgB13S0ey+swu/VH36fl/n5CmkXB9uJwAtqMs8MISi7PgPDl6YRC3OZkv7
> wuYNJlDklVVAwWv7ZxKrQVzy/ZrDMz1OAinIU7dSnH5sF5uiVBS1tMM3uU/6O5LL
> 3puGwYGmhXzAX8k1dG7xl3hhhgino7tSpx6AN/HohMe6Nd/BYd8glOWol8oEZESR
> rZMIE1QNBDXV0PqQlFQZpbCTOK/rMmE19yYrKKCvyUfAOw5pIwcN8wDVkHeLA2pR
> V50tagNoAAyd+zEVtjLHxrfxg2kY6bsL+DlsEF/xS+mvbRImRMGkvxeUv1fxMetl
> Nu/++J1IJdIC5eXahKF0DdaqArDOYDzUXiZUWtKC3XDxCn8L9r7fcb9RuvuK9Fdb
> oORSfed49Q2EEjdr6PhItwJ4BUgVMHBOtNCzTY5+2cSwEOAAB+0gUNRfpIBreyiv
> 1QC8DWo6rA/UqHvdkY2vNALviynv/2x4LmpwDYckY4ILUOy4uGz7FtmEfNKLhCnD
> WD5UBsbpQI8174vNrG1JVJD85zZvVpt54k4F1WNDF/sA/8E9ly8=
> =EaXG
> -----END PGP SIGNATURE-----

--- End Message ---