Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker
Commits: debca3df by Bastien Roucariès at 2023-02-28T21:59:58+00:00 Claim node-css-what in dla-needed.txt - - - - - 6eaf207d by Bastien Roucariès at 2023-02-28T22:00:04+00:00 Mark CVE-2022-21222 as unfixed until node-css-what 5.0.1 Typescript rewrite does not fix the ReDoS see for instance https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84 Only fixed by https://github.com/fb55/css-what/pull/503 by replacing regexp by manual parsing - - - - - 2 changed files: - data/CVE/list - data/dla-needed.txt Changes: ===================================== data/CVE/list ===================================== @@ -81497,9 +81497,11 @@ CVE-2022-21227 (The package sqlite3 before 5.0.3 are vulnerable to Denial of Ser CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to Comman ...) NOT-FOR-US: cocoapods-downloader CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...) - - node-css-what 3.0.2-1 + - node-css-what 5.0.1 NOTE: https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488 NOTE: ReDoS issue fixed with rewrite of module to TypeScript + NOTE: Not fixed in 4.0.0 see https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84 + NOTE: Fixed by https://github.com/fb55/css-what/pull/503/commits/46b0dbd6f38fb375da02208426f93f87f7169b7e CVE-2022-21221 (The package github.com/valyala/fasthttp before 1.34.0 are vulnerable t ...) NOT-FOR-US: github.com/valyala/fasthttp CVE-2022-21213 (This affects all versions of package mout. The deepFillIn function can ...) ===================================== data/dla-needed.txt ===================================== @@ -150,7 +150,7 @@ nheko NOTE: 20230101: Programming language: C++. NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git -- -node-css-what +node-css-what (rouca) NOTE: 20221031: Programming language: Javascript. NOTE: 20230130: Module has been rewritten in Typescript since Buster released (guilhem). NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-css-what.git View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/603c96f710ad779e20b168835b1a5554f9c4fb6e...6eaf207d1d0bb4edd1aa73a578994cae822c8e5b -- View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/603c96f710ad779e20b168835b1a5554f9c4fb6e...6eaf207d1d0bb4edd1aa73a578994cae822c8e5b You're receiving this email because of your account on salsa.debian.org.
_______________________________________________ debian-security-tracker-commits mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
