Your message dated Fri, 22 Aug 2025 15:32:32 +0000
with message-id <e1uptkm-00hkr3...@fasolo.debian.org>
and subject line Bug#1110532: fixed in node-tmp 0.2.2+dfsg+~0.2.3-1.1~deb12u1
has caused the Debian Bug report #1110532,
regarding node-tmp: CVE-2025-54798
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1110532: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110532
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-tmp
Version: 0.2.2+dfsg+~0.2.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/raszi/node-tmp/issues/207
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-tmp.

CVE-2025-54798[0]:
| tmp is a temporary file and directory creator for node.js. In
| versions 0.2.3 and below, tmp is vulnerable to an arbitrary
| temporary file / directory write via symbolic link dir parameter.
| This is fixed in version 0.2.4.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-54798
    https://www.cve.org/CVERecord?id=CVE-2025-54798
[1] https://github.com/raszi/node-tmp/issues/207
[2] https://github.com/raszi/node-tmp/security/advisories/GHSA-52f5-9888-hmc6
[3] https://github.com/raszi/node-tmp/commit/188b25e529496e37adaf1a1d9dccb40019a08b1b

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-tmp
Source-Version: 0.2.2+dfsg+~0.2.3-1.1~deb12u1
Done: Adrian Bunk <b...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-tmp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1110...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Adrian Bunk <b...@debian.org> (supplier of updated node-tmp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Aug 2025 19:42:55 +0300
Source: node-tmp
Architecture: source
Version: 0.2.2+dfsg+~0.2.3-1.1~deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Adrian Bunk <b...@debian.org>
Closes: 1110532
Changes:
 node-tmp (0.2.2+dfsg+~0.2.3-1.1~deb12u1) bookworm; urgency=medium
 .
   * Non-maintainer upload.
   * Rebuild for bookworm.
 .
 node-tmp (0.2.2+dfsg+~0.2.3-1.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2025-54798: Arbitrary file write (Closes: #1110532)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
