Your message dated Thu, 12 Jun 2025 10:53:57 +0000
with message-id <e1upfzf-0065ne...@fasolo.debian.org>
and subject line Bug#1107695: fixed in node-brace-expansion 2.0.1+~1.1.0-2
has caused the Debian Bug report #1107695,
regarding node-brace-expansion: CVE-2025-5889
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1107695: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107695
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-brace-expansion
Version: 2.0.1+~1.1.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/juliangruber/brace-expansion/pull/65
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-brace-expansion.
CVE-2025-5889[0]:
| A vulnerability was found in juliangruber brace-expansion up to
| 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected
| by this issue is the function expand of the file index.js. The
| manipulation leads to inefficient regular expression complexity. The
| attack may be launched remotely. The complexity of an attack is
| rather high. The exploitation is known to be difficult. The exploit
| has been disclosed to the public and may be used. Upgrading to
| version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this
| issue. The name of the patch is
| a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to
| upgrade the affected component.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-5889
https://www.cve.org/CVERecord?id=CVE-2025-5889
[1] https://github.com/juliangruber/brace-expansion/pull/65
[2] https://github.com/juliangruber/brace-expansion/commit/0b6a9781e18e9d2769bb2931f4856d1360243ed2
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-brace-expansion
Source-Version: 2.0.1+~1.1.0-2
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-brace-expansion, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1107...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-brace-expansion package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 12 Jun 2025 11:55:12 +0200
Source: node-brace-expansion
Architecture: source
Version: 2.0.1+~1.1.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1107695
Changes:
node-brace-expansion (2.0.1+~1.1.0-2) unstable; urgency=medium
.
* Declare compliance with policy 4.7.2
* Fix potential ReDoS vulnerability or inefficient regular expression
(Closes: #1107695, CVE-2025-5889)
Checksums-Sha1:
0babe77122efb5d70dd12e70c93b9cbcc2296ed3 2578 node-brace-expansion_2.0.1+~1.1.0-2.dsc
a6e4db12b50c5e335c9b1d246ea9e66ef778db3f 3948 node-brace-expansion_2.0.1+~1.1.0-2.debian.tar.xz
Checksums-Sha256:
28cfc7eb03f58eff8bd197945f3cc06fd379fc9e2642a74a50b7d7ee3d77d9b2 2578 node-brace-expansion_2.0.1+~1.1.0-2.dsc
b1af64846423fa2f488e9664c6618000b65846b0cb937beea481d7de8d9c01f3 3948 node-brace-expansion_2.0.1+~1.1.0-2.debian.tar.xz
Files:
65e51bc4b5076189fd7600a0376a8fe8 2578 javascript optional node-brace-expansion_2.0.1+~1.1.0-2.dsc
ab1619368c8a14fee2ec65e7cd19f73a 3948 javascript optional node-brace-expansion_2.0.1+~1.1.0-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel