Your message dated Fri, 22 Aug 2025 15:32:09 +0000
with message-id <e1uptkp-00hkif...@fasolo.debian.org>
and subject line Bug#1110532: fixed in node-tmp 0.2.2+dfsg+~0.2.3-1.1~deb13u1
has caused the Debian Bug report #1110532,
regarding node-tmp: CVE-2025-54798
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1110532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-tmp
Version: 0.2.2+dfsg+~0.2.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/raszi/node-tmp/issues/207
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-tmp.
CVE-2025-54798[0]:
| tmp is a temporary file and directory creator for node.js. In
| versions 0.2.3 and below, tmp is vulnerable to an arbitrary
| temporary file / directory write via symbolic link dir parameter.
| This is fixed in version 0.2.4.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-54798
https://www.cve.org/CVERecord?id=CVE-2025-54798
[1] https://github.com/raszi/node-tmp/issues/207
[2] https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
[3] https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b
Regards,
Salvatore
--- End Message ---
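The CVE description in the report above names a symbolic link passed through the dir parameter as the way a write ends up outside the temporary directory. As an added example (not code from node-tmp or from this bug report; the function names and the fixture layout are assumptions), the following contrasts a string-only containment check with one that compares real paths:

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// True when `child` is `parent` itself or lies beneath it (pure string comparison).
function isInside(parent, child) {
  const rel = path.relative(parent, child);
  return rel !== '..' && !rel.startsWith('..' + path.sep) && !path.isAbsolute(rel);
}

// Lexical check: normalises ".." but never consults the filesystem,
// so a symlink sitting inside the root is accepted.
function lexicalCheck(root, dir) {
  return isInside(path.resolve(root), path.resolve(root, dir));
}

// Resolved check: compares real paths, so a symlink that leaves the root is rejected.
function resolvedCheck(root, dir) {
  const realRoot = fs.realpathSync(root);
  let realDir;
  try {
    realDir = fs.realpathSync(path.resolve(realRoot, dir));
  } catch (err) {
    return false; // missing or unreadable dir: refuse instead of guessing
  }
  return isInside(realRoot, realDir);
}

// Constructed fixture: <sandbox>/root stands in for the temp root,
// <sandbox>/outside for a directory a caller-supplied dir must not reach.
function demo() {
  const sandbox = fs.mkdtempSync(path.join(os.tmpdir(), 'dircheck-'));
  const root = path.join(sandbox, 'root');
  const outside = path.join(sandbox, 'outside');
  fs.mkdirSync(root);
  fs.mkdirSync(outside);
  fs.mkdirSync(path.join(root, 'plain'));
  fs.symlinkSync(outside, path.join(root, 'link'), 'dir');
  try {
    return { // each entry is [lexicalCheck, resolvedCheck]
      plain: [lexicalCheck(root, 'plain'), resolvedCheck(root, 'plain')],
      link: [lexicalCheck(root, 'link'), resolvedCheck(root, 'link')],
      dotdot: [lexicalCheck(root, '../outside'), resolvedCheck(root, '../outside')],
    };
  } finally {
    fs.rmSync(sandbox, { recursive: true, force: true });
  }
}
console.log(demo());
```

A check of this kind still leaves a window if the directory can be replaced between the check and the later write, so it belongs next to restrictive permissions on the temp root.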
--- Begin Message ---
Source: node-tmp
Source-Version: 0.2.2+dfsg+~0.2.3-1.1~deb13u1
Done: Adrian Bunk <b...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-tmp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1110...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated node-tmp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 17 Aug 2025 19:11:35 +0300
Source: node-tmp
Architecture: source
Version: 0.2.2+dfsg+~0.2.3-1.1~deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1110532
Changes:
node-tmp (0.2.2+dfsg+~0.2.3-1.1~deb13u1) trixie; urgency=medium
.
* Non-maintainer upload.
* Rebuild for trixie.
.
node-tmp (0.2.2+dfsg+~0.2.3-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2025-54798: Arbitrary file write (Closes: #1110532)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---