On 29/04/2021 at 10:50, Yadd wrote:
> On 29/04/2021 at 10:32, Yadd wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: [email protected]
>> Usertags: unblock
>> X-Debbugs-Cc: [email protected]
>>
>> Please unblock package node-postcss
>>
>> [ Reason ]
>> node-postcss is vulnerable to a Regex Denial of Service (ReDoS)
>>
>> [ Impact ]
>> Medium vulnerability
>>
>> [ Tests ]
>> I added tests for CVE-2021-23368 and CVE-2021-23382 inspired from CVE
>> proofs of concept
>>
>> [ Risks ]
>> No risk, this is just a regex improvement.
>>
>> [ Checklist ]
>> [X] all changes are documented in the d/changelog
>> [X] I reviewed all changes and I approve them
>> [X] attach debdiff against the package in testing
>>
>> Cheers,
>> Yadd
>>
>> unblock node-postcss/8.2.1+~cs5.3.23-7
>
> I added a missing `set -e` in security test. autopkgtest works fine with
> my patch and fails without.
>
> Cheers,
> Yadd
>
> unblock node-postcss/8.2.1+~cs5.3.23-8

Note: this fix is an improvement of the previous fix (node-postcss/8.2.1+~cs5.3.23-6): the patch fixes the same regular expressions.

