Your message dated Sun, 06 Apr 2025 17:45:17 +0000
with message-id <e1u1u3z-00exvt...@fasolo.debian.org>
and subject line Bug#1095767: fixed in node-serialize-javascript 6.0.2-1
has caused the Debian Bug report #1095767,
regarding node-serialize-javascript: CVE-2024-11831
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1095767: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095767
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-serialize-javascript
Version: 6.0.1-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/yahoo/serialize-javascript/pull/173
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-serialize-javascript.

CVE-2024-11831[0]:
| A flaw was found in npm-serialize-javascript. The vulnerability
| occurs because the serialize-javascript module does not properly
| sanitize certain inputs, such as regex or other JavaScript object
| types, allowing an attacker to inject malicious code. This code
| could be executed when deserialized by a web browser, causing Cross-
| site scripting (XSS) attacks. This issue is critical in environments
| where serialized data is sent to web clients, potentially
| compromising the security of the website or web application using
| this package.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-11831
    https://www.cve.org/CVERecord?id=CVE-2024-11831
[1] https://github.com/yahoo/serialize-javascript/pull/173
[2] https://github.com/yahoo/serialize-javascript/commit/f27d65d3de42affe2aac14607066c293891cec4e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-serialize-javascript
Source-Version: 6.0.2-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-serialize-javascript, which is due to be installed in the Debian FTP 
archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1095...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-serialize-javascript package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 06 Apr 2025 19:11:35 +0200
Source: node-serialize-javascript
Architecture: source
Version: 6.0.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1095767
Changes:
 node-serialize-javascript (6.0.2-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.2
   * New upstream release (Closes: #1095767, CVE-2024-11831)


--- End Message ---