Your message dated Tue, 14 Mar 2023 03:20:01 +0000
with message-id <[email protected]>
and subject line Bug#1032904: fixed in node-webpack 5.76.1+dfsg1+~cs17.16.16-1
has caused the Debian Bug report #1032904,
regarding node-webpack: CVE-2023-28154
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1032904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-webpack
Version: 5.75.0+dfsg+~cs17.16.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/webpack/webpack/pull/16500
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-webpack.

CVE-2023-28154[0]:
| Webpack 5 before 5.76.0 does not avoid cross-realm object access.
| ImportParserPlugin.js mishandles the magic comment feature. An
| attacker who controls a property of an untrusted object can obtain
| access to the real global object.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28154
    https://www.cve.org/CVERecord?id=CVE-2023-28154
[1] https://github.com/webpack/webpack/pull/16500

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-webpack
Source-Version: 5.76.1+dfsg1+~cs17.16.16-1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-webpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-webpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 14 Mar 2023 06:48:56 +0400
Source: node-webpack
Architecture: source
Version: 5.76.1+dfsg1+~cs17.16.16-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1032904
Changes:
 node-webpack (5.76.1+dfsg1+~cs17.16.16-1) unstable; urgency=medium
 .
   * Team upload
   * Install webpack-cli
   * Update lintian override info format in d/source/lintian-overrides
     on line 5-8, 14, 17-22.
   * Update standards version to 4.6.2, no changes needed.
   * Exclude discoveryjs-json-ext/benchmarks from import
   * New upstream version (Closes: #1032904, CVE-2023-28154), updates:
     + webpack from 5.75.0 to 5.76.1
     + envinfo from 7.8.0 to 7.8.1
     + terser-webpack-plugin from 5.3.6 to 5.3.7
     + @webpack-cli/configtest from 2.0.0 to 2.0.1

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
