Your message dated Thu, 16 Oct 2025 17:50:21 +0000
with message-id <[email protected]>
and subject line Bug#1112610: Removed package(s) from unstable
has caused the Debian Bug report #1078951,
regarding civicrm: include vulnerable sinon without source
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1078951: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078951
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: civicrm
Severity: serious
Tags: security
Justification: security problem
X-Debbugs-Cc: Debian Security Team <[email protected]>
Dear Maintainer,
You include a sinon in installed package and bundle without source (thus
serious bug).
This a duplication of package but moreover a security problem (even if minor
due to being only local and during log reading)
Could you use the packaged node-sinon ?
npm audit [email protected]
# npm audit report
braces <3.0.3
Severity: high
Uncontrolled resource consumption in braces -
https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces
elliptic 2.0.0 - 6.5.6
Elliptic's EDDSA missing signature length check -
https://github.com/advisories/GHSA-f7q4-pwc6-w24p
Elliptic's ECDSA missing check for whether leading bit of r and s is zero -
https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic allows BER-encoded signatures -
https://github.com/advisories/GHSA-49q7-c7j4-3p7m
fix available via `npm audit fix`
node_modules/elliptic
ws 8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers -
https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/mochify/node_modules/ws
node_modules/ws
puppeteer 11.0.0 - 22.11.1
Depends on vulnerable versions of puppeteer-core
Depends on vulnerable versions of ws
node_modules/mochify/node_modules/puppeteer
node_modules/puppeteer
mochify >=9.2.0
Depends on vulnerable versions of puppeteer
node_modules/mochify
puppeteer-core 11.0.0 - 22.11.1
Depends on vulnerable versions of ws
node_modules/puppeteer-core
6 vulnerabilities (1 low, 5 high)
*
-- System Information:
Debian Release: trixie/sid
APT prefers testing-debug
APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel
Kernel: Linux 6.9.12-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
--- End Message ---
--- Begin Message ---
Version: 5.68.1+dfsg1-1+rm
Dear submitter,
as the package civicrm has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/1112610
The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.
Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---
