Your message dated Fri, 07 Apr 2023 10:02:21 +0000
with message-id <[email protected]>
and subject line Bug#1032904: fixed in node-webpack 4.43.0-6+deb11u1
has caused the Debian Bug report #1032904,
regarding node-webpack: CVE-2023-28154
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1032904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-webpack
Version: 5.75.0+dfsg+~cs17.16.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/webpack/webpack/pull/16500
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-webpack.

CVE-2023-28154[0]:
| Webpack 5 before 5.76.0 does not avoid cross-realm object access.
| ImportParserPlugin.js mishandles the magic comment feature. An
| attacker who controls a property of an untrusted object can obtain
| access to the real global object.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28154
    https://www.cve.org/CVERecord?id=CVE-2023-28154
[1] https://github.com/webpack/webpack/pull/16500

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-webpack
Source-Version: 4.43.0-6+deb11u1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-webpack, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-webpack package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 14 Mar 2023 07:43:57 +0400
Source: node-webpack
Architecture: source
Version: 4.43.0-6+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1032904
Changes:
 node-webpack (4.43.0-6+deb11u1) bullseye; urgency=medium
 .
   * Team upload
   * Avoid cross-realm object access (Closes: #1032904, CVE-2023-28154)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
