Your message dated Tue, 12 Aug 2025 15:21:27 +0000
with message-id <e1ulqoz-004kya...@fasolo.debian.org>
and subject line Bug#1110532: fixed in node-tmp 0.2.2+dfsg+~0.2.3-1.1
has caused the Debian Bug report #1110532,
regarding node-tmp: CVE-2025-54798
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1110532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-tmp
Version: 0.2.2+dfsg+~0.2.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/raszi/node-tmp/issues/207
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for node-tmp.

CVE-2025-54798[0]:
| tmp is a temporary file and directory creator for node.js. In
| versions 0.2.3 and below, tmp is vulnerable to an arbitrary
| temporary file / directory write via symbolic link dir parameter.
| This is fixed in version 0.2.4.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54798
    https://www.cve.org/CVERecord?id=CVE-2025-54798
[1] https://github.com/raszi/node-tmp/issues/207
[2] https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
[3] https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-tmp
Source-Version: 0.2.2+dfsg+~0.2.3-1.1
Done: Adrian Bunk <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-tmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1110...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated node-tmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 10 Aug 2025 22:14:13 +0300
Source: node-tmp
Architecture: source
Version: 0.2.2+dfsg+~0.2.3-1.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1110532
Changes:
 node-tmp (0.2.2+dfsg+~0.2.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-54798: Arbitrary file write (Closes: #1110532)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel