Your message dated Fri, 03 Apr 2026 17:05:17 +0000
with message-id <[email protected]>
and subject line Bug#1132605: fixed in node-serialize-javascript 7.0.5+~5.0.4-1
has caused the Debian Bug report #1132605,
regarding node-serialize-javascript: CVE-2026-34043
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1132605: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132605
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-serialize-javascript
Version: 7.0.4+~5.0.4-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-serialize-javascript.
CVE-2026-34043[0]:
| Serialize JavaScript to a superset of JSON that includes regular
| expressions and functions. Prior to version 7.0.5, there is a Denial
| of Service (DoS) vulnerability caused by CPU exhaustion. When
| serializing a specially crafted "array-like" object (an object that
| inherits from Array.prototype but has a very large length property),
| the process enters an intensive loop that consumes 100% CPU and
| hangs indefinitely. This issue has been patched in version 7.0.5.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-34043
https://www.cve.org/CVERecord?id=CVE-2026-34043
[1] https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v
[2] https://github.com/yahoo/serialize-javascript/commit/f147e90269b58bb6e539cfdf3d0e20d6ad14204b
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
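The CVE description quoted in the report above attributes the hang to an object that inherits from Array.prototype and carries a very large length property. The following is an added example, not code from the report, from Debian or from serialize-javascript, and not the upstream patch: a caller-side check that inspects a value before it is handed to a serializer. The function names and the MAX_LENGTH limit are assumptions.

```javascript
// Added example: caller-side guard run before serialization. MAX_LENGTH and
// all function names are assumptions, not part of serialize-javascript.
const MAX_LENGTH = 10000;

// True for objects that inherit from Array.prototype without being real arrays.
function isArrayImpostor(value) {
  return typeof value === 'object' && value !== null &&
    !Array.isArray(value) && Array.prototype.isPrototypeOf(value);
}

// Walk the object graph iteratively; return { path, reason } findings.
function auditForSerialization(root, maxLength = MAX_LENGTH) {
  const findings = [];
  const seen = new WeakSet(); // guards against cycles
  const stack = [{ value: root, path: '$' }];
  while (stack.length > 0) {
    const { value, path } = stack.pop();
    if (typeof value !== 'object' || value === null || seen.has(value)) continue;
    seen.add(value);
    if (isArrayImpostor(value)) {
      findings.push({ path, reason: 'inherits Array.prototype but is not an array' });
      continue;
    }
    if (Array.isArray(value) && value.length > maxLength) {
      findings.push({ path, reason: `array length ${value.length} exceeds ${maxLength}` });
      continue;
    }
    // Object.keys yields own enumerable keys only; length never drives this loop.
    for (const key of Object.keys(value)) {
      stack.push({ value: value[key], path: `${path}.${key}` });
    }
  }
  return findings;
}

// Throw instead of handing a suspicious value to the serializer.
function assertSafeToSerialize(root, maxLength = MAX_LENGTH) {
  const findings = auditForSerialization(root, maxLength);
  if (findings.length > 0) {
    throw new RangeError('refusing to serialize: ' +
      findings.map((f) => `${f.path} (${f.reason})`).join('; '));
  }
  return root;
}

// Constructed sample: one ordinary array, one array-like impostor.
const SAMPLE = { user: 'alice', tags: ['a', 'b'], payload: Object.create(Array.prototype) };
SAMPLE.payload.length = 4294967295;
console.log(auditForSerialization(SAMPLE));
```

Such a check only narrows exposure on hosts that still run a version before 7.0.5; the report's remedy is the upgraded package.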
--- Begin Message ---
Source: node-serialize-javascript
Source-Version: 7.0.5+~5.0.4-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-serialize-javascript, which is due to be installed in the Debian FTP
archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-serialize-javascript
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 03 Apr 2026 18:48:13 +0200
Source: node-serialize-javascript
Architecture: source
Version: 7.0.5+~5.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1132605
Changes:
node-serialize-javascript (7.0.5+~5.0.4-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* New upstream version (Closes: #1132605, CVE-2026-34043)
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel