Your message dated Sun, 06 Apr 2025 17:19:55 +0000
with message-id <e1u1tf1-00etx7...@fasolo.debian.org>
and subject line Bug#1088331: fixed in node-nunjucks 3.2.4+~cs4.2.7-1
has caused the Debian Bug report #1088331,
regarding node-nunjucks: CVE-2023-2142
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1088331: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088331
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-nunjucks
Version: 3.2.3+dfsg+~cs1.0.1-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-nunjucks.
CVE-2023-2142[0]:
| In Nunjucks versions prior to version 3.2.4, it was possible to
| bypass the restrictions which are provided by the autoescape
| functionality. If there are two user-controlled parameters on the
| same line used in the views, it was possible to inject cross site
| scripting payloads using the backslash \ character.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-2142
https://www.cve.org/CVERecord?id=CVE-2023-2142
[1] https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw
Regards,
Salvatore
--- End Message ---
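A check for Node.js projects affected by the report above, as an added example that is not code from the advisory, Debian, or the nunjucks project. It scans an npm lockfile for any nunjucks copy older than 3.2.4, the fixed version named in the CVE text; the sample lockfile and its package names are constructed.

```javascript
// 3.2.4 is the first fixed release named in the CVE-2023-2142 text above.
const FIXED = [3, 2, 4];

// Parse the leading "major.minor.patch"; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b (numeric, not string, compare).
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Return every nunjucks copy in an npm lockfile that predates the fix.
// Unparseable versions are reported too, so the check fails closed.
function findVulnerableNunjucks(lock) {
  const hits = [];
  const check = (where, version) => {
    const parsed = parseVersion(version);
    if (!parsed) hits.push({ where, version: String(version), reason: 'unparseable' });
    else if (isBefore(parsed, FIXED)) hits.push({ where, version, reason: 'below 3.2.4' });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path, nested copies included.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/nunjucks$/.test(path)) check(path, meta.version);
    }
  } else {
    // lockfileVersion 1: recursive "dependencies" tree.
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (name === 'nunjucks') check(trail + name, meta.version);
        walk(meta.dependencies, `${trail}${name} > `);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample; "example-mailer" and "nunjucks-extras" are made-up names.
const sampleLock = { packages: {
  'node_modules/nunjucks': { version: '3.2.4' },
  'node_modules/example-mailer/node_modules/nunjucks': { version: '3.2.3' },
  'node_modules/nunjucks-extras': { version: '1.0.0' },
} };
```

`findVulnerableNunjucks(sampleLock)` reports only the nested 3.2.3 copy, which is the case a top-level `npm ls nunjucks` glance tends to miss.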
--- Begin Message ---
Source: node-nunjucks
Source-Version: 3.2.4+~cs4.2.7-1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-nunjucks, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1088...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-nunjucks package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Apr 2025 19:06:05 +0200
Source: node-nunjucks
Architecture: source
Version: 3.2.4+~cs4.2.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1088331
Changes:
node-nunjucks (3.2.4+~cs4.2.7-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.2
* Embed typescript declarations
* New upstream version (Closes: #1088331, CVE-2023-2142)
* Fix compatibility with commander 9
* Enable upstream test using mocha
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel