Your message dated Wed, 24 Jun 2026 08:33:56 +0000
with message-id <[email protected]>
and subject line Bug#1139161: fixed in node-css-loader 6.8.1+~cs14.1.4-1
has caused the Debian Bug report #1139161,
regarding node-css-loader: CVE-2026-9358
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1139161: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1139161
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-css-loader
Version: 6.8.1+~cs14.0.17-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-css-loader.
CVE-2026-9358[0]:
| A vulnerability was determined in postcss up to 7.1.1. Affected is
| the function toString of the file src/selectors/container.js of the
| component AST Serialization. Executing a manipulation can lead to
| uncontrolled recursion. It is possible to launch the attack
| remotely. The exploit has been publicly disclosed and may be
| utilized. The vendor explains, that according to his definition "DoS
| on server-side on user-generated CSS is low risk for us (since most
| users compile own CSS with PostCSS)."
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9358
https://www.cve.org/CVERecord?id=CVE-2026-9358
[1] https://gist.github.com/bx33661/581e3a38134601c04e19b4dfc9b459b9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-css-loader
Source-Version: 6.8.1+~cs14.1.4-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-css-loader, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-css-loader package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Jun 2026 10:22:50 +0200
Source: node-css-loader
Architecture: source
Version: 6.8.1+~cs14.1.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1139161
Changes:
node-css-loader (6.8.1+~cs14.1.4-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* debian/watch version 5
* New upstream version (Closes: #1139161, CVE-2026-9358)
* Build postcss-selector-parser with tsc
--- End Message ---