Your message dated Sun, 13 Apr 2025 17:35:15 +0000
with message-id <e1u41eh-00gzyq...@fasolo.debian.org>
and subject line Bug#1085375: fixed in node-markdown-to-jsx 7.2.0+dfsg-3
has caused the Debian Bug report #1085375,
regarding node-markdown-to-jsx: CVE-2024-21535
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1085375: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085375
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-markdown-to-jsx
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-markdown-to-jsx.
CVE-2024-21535[0]:
| Versions of the package markdown-to-jsx before 7.4.0 are vulnerable
| to Cross-site Scripting (XSS) via the src property due to improper
| input sanitization. An attacker can execute arbitrary code by
| injecting a malicious iframe element in the markdown.
https://security.snyk.io/vuln/SNYK-JS-MARKDOWNTOJSX-6258886
https://github.com/quantizor/markdown-to-jsx/commit/8eb74da825c0d8d2e9508d73c672bcae36ba555a
(v7.4.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-21535
https://www.cve.org/CVERecord?id=CVE-2024-21535
Please adjust the affected versions in the BTS as needed.
--- End Message ---
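The bug class described in the CVE text above is a URL sanitizer that is applied to `href` but not to `src`, so an `<iframe src="javascript:...">` or `data:` URL embedded in Markdown reaches the rendered element untouched. The following is an added example written for this page, not code from markdown-to-jsx, from the 7.4.0 fix commit, or from the Debian patch. The function names (`sanitizeUrl`, `buildPropsVulnerable`, `buildPropsHardened`), the scheme allowlist and the attacker payload are all assumptions made for illustration. It shows the vulnerable pattern beside the hardened one and also covers the obfuscations a scheme check must normalise away (case, embedded control characters, numeric HTML entities), which the CVE text does not spell out.

```javascript
// Added example: URL sanitisation for href AND src, with a vulnerable
// "href-only" variant for contrast. Not markdown-to-jsx's own code.

// Schemes allowed in URL-bearing attributes. Anything else (javascript:,
// vbscript:, data:, ...) is rejected; relative URLs carry no scheme and pass.
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'tel']);

// Undo the tricks used to hide a scheme from a naive prefix check:
// numeric HTML entities (&#106;avascript:, &#x6A;avascript:) and
// ASCII control characters / whitespace, which browsers ignore inside
// a scheme (java\tscript:).
function normalizeUrl(raw) {
  let s = String(raw);
  s = s.replace(/&#x([0-9a-f]+);?/gi, (_, h) => {
    const cp = parseInt(h, 16);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
  s = s.replace(/&#(\d+);?/g, (_, d) => {
    const cp = parseInt(d, 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : '';
  });
  s = s.replace(/[\u0000-\u0020\u007f]/g, '');
  return s;
}

// Returns the normalised URL when its scheme is allowed (or absent),
// otherwise null so the caller can drop the attribute entirely.
function sanitizeUrl(raw) {
  if (raw == null) return null;
  const url = normalizeUrl(raw);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  if (!m) return url; // no scheme: relative URL, nothing to restrict
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? url : null;
}

// Vulnerable pattern (hypothetical, modelled on the CVE description):
// attributes are copied onto the output element but only href is checked,
// so an iframe's src passes through unsanitised.
function buildPropsVulnerable(attrs) {
  const props = {};
  for (const [name, value] of Object.entries(attrs)) {
    props[name] = name === 'href' ? sanitizeUrl(value) : value;
  }
  return props;
}

// Hardened pattern: every attribute that carries a URL goes through the
// sanitiser, and a rejected value is dropped rather than passed along.
const URL_ATTRIBUTES = new Set([
  'href', 'src', 'action', 'formaction', 'poster', 'xlink:href',
]);

function buildPropsHardened(attrs) {
  const props = {};
  for (const [name, value] of Object.entries(attrs)) {
    if (URL_ATTRIBUTES.has(name.toLowerCase())) {
      const safe = sanitizeUrl(value);
      if (safe !== null) props[name] = safe;
    } else {
      props[name] = value;
    }
  }
  return props;
}

// Constructed attacker payload (not taken from the report): the attributes of
// an <iframe> written inline in Markdown. Only the hardened builder drops src.
const attack = {
  src: 'javascript:alert(document.domain)',
  width: '0',
  height: '0',
};
console.log('vulnerable props:', buildPropsVulnerable(attack));
console.log('hardened props:  ', buildPropsHardened(attack));

module.exports = { sanitizeUrl, buildPropsVulnerable, buildPropsHardened };
```

The allowlist is the deliberate design choice here: a denylist of `javascript:` spellings is what the normalisation step exists to defeat, and an allowlist makes `data:` and `vbscript:` fail closed without listing them.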
--- Begin Message ---
Source: node-markdown-to-jsx
Source-Version: 7.2.0+dfsg-3
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-markdown-to-jsx, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1085...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-markdown-to-jsx package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 13 Apr 2025 18:18:20 +0200
Source: node-markdown-to-jsx
Architecture: source
Version: 7.2.0+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1085375
Changes:
node-markdown-to-jsx (7.2.0+dfsg-3) unstable; urgency=medium
.
* Declare compliance with policy 4.7.2
* Ensure 'src' property is sanitized (Closes: #1085375, CVE-2024-21535)
Checksums-Sha1:
cf71c5f9f465e0f85750f781f6a441f622e4eba4 2286 node-markdown-to-jsx_7.2.0+dfsg-3.dsc
790b7b4d5c086aa70f72b7cc8c905559e851621e 3108 node-markdown-to-jsx_7.2.0+dfsg-3.debian.tar.xz
Checksums-Sha256:
3f4e70d3aa51befc2a8904500e4ba02de74931343fc20a64b048b6c89c85a108 2286 node-markdown-to-jsx_7.2.0+dfsg-3.dsc
5eebf3d68d8d0702354e947d0a3b63d357a64ee00048d3f4fc3a9bc41038c157 3108 node-markdown-to-jsx_7.2.0+dfsg-3.debian.tar.xz
Files:
07a97469751c6d21dcda3819e2347d26 2286 javascript optional node-markdown-to-jsx_7.2.0+dfsg-3.dsc
f163d062e7e8cdf055c40ccf7fe06670 3108 javascript optional node-markdown-to-jsx_7.2.0+dfsg-3.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel