Your message dated Sat, 25 Oct 2025 20:49:44 +0000
with message-id <[email protected]>
and subject line Bug#1118283: fixed in node-turndown 7.2.2+~2.2.0~git20240406-1
has caused the Debian Bug report #1118283,
regarding node-turndown: CVE-2025-9670
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1118283: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1118283
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-turndown
Version: 7.1.1-3
Severity: important
Tags: security upstream
Forwarded: https://github.com/mixmark-io/turndown/issues/501
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-turndown.

CVE-2025-9670[0]:
| A security flaw has been discovered in mixmark-io turndown up to
| 7.2.1. This affects an unknown function of the file
| src/commonmark-rules.js. Performing manipulation results in inefficient regular
| expression complexity. It is possible to initiate the attack
| remotely. The exploit has been released to the public and may be
| exploited.

There is a proposed fix in the corresponding pull request at [2], but
it has not yet been merged.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-9670
    https://www.cve.org/CVERecord?id=CVE-2025-9670
[1] https://github.com/mixmark-io/turndown/issues/501
[2] https://github.com/mixmark-io/turndown/pull/504

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-turndown
Source-Version: 7.2.2+~2.2.0~git20240406-1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-turndown, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-turndown package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 25 Oct 2025 21:40:49 +0200
Source: node-turndown
Architecture: source
Version: 7.2.2+~2.2.0~git20240406-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1118283
Changes:
 node-turndown (7.2.2+~2.2.0~git20240406-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.2
   * Drop "Rules-Requires-Root: no"
   * debian/watch version 5
   * Embed @mixmark-io/domino
   * New upstream release (Closes: #1118283, CVE-2025-9670)
   * Unfuzz patches
   * Test with tape
   * Add test-dependency to node-jsdom
   * Update lintian overrides
   * Update copyright

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
