Package: node-debug
Version: 2.1.0+dfsg
Severity: important
Tags: security upstream

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

node-debug contain convenience code copy of ms, which is vulnerable to
so-called ReDoS (regular expression denial of service) attacks:
https://nodesecurity.io/advisories/46

According to above advisory, upgrading to ms 0.7.1 or greater solves the
issue.

node-debug addressed this as last commit before releasing 2.2.0:
https://github.com/visionmedia/debug/commit/0f4fd585befe8ce9287f4407cbcd95c63a6f1cfd

I found this issue through a commit message to node-stringprep:
https://github.com/astro/node-stringprep/commit/e9d5b40ab3c6a03546309ba84b08b159b5d0db59

I wonder if perhaps the security team might have spotted this far
earlier, if the ms code had been properly packaged as a first-class
node-ms package rather than hidden as embedded convenience code copy.


 - Jonas

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCAAGBQJXxusPAAoJECx8MUbBoAEhqQQQAKcrT5xHurYY+lFrI01rLeiQ
FY037YgZEUAzyTKEIYRCR46Xw3XEuTv6y670RQsYY7C7/jO2gPzHUACthyaCdak8
SNrSEQYFh52fy9hiSZBtetyrqLh4JN/sPA+/+yGFouFHj+CSILqT7LCPbDfxO0jn
58pN8PTmBeZFaJ0yg8wm1oct/8KlS1loiXoRSLErTBDNJ9fMzooOve1ukMsOYpC2
9gDb0zDogsGf23hvMVfoOJ2jAskCKroVUU9V8/BwiOTJquU9SY/fCtX8+jZXrYVY
vnRuMboZPV/ZHDN3ofO1ZzVS9Kt86Ccvi5+XcwtrEDNBqNCRDaDakaPQ8BH2bF+6
VJIU94haukEgQedO8tvGBgdsE775Nls70UBmwsUKdbrkRBAqsOrlTqpK7HFbEZYF
mYLgVuoPvyl65A8UXypboYJnNYARbCQfXcOve5QAGYUSVqvOudpXUnZWQJ6yY8Rp
vBQB5JgZNJsxNQugbr3yau+/C34/UHSjwDQ2Rlw2EdpXn1bXP7D4EEPtL9RvgVkx
tlKWKPuGrzDygN97PykrYFiQQk7KSPJlTX2Mjf2uHOJNgIrWKq5EGXtFyqLr7zWo
Qd0ovpQ5nPdSdkDpcSZNRyYcqj+xL1KX7N/E5vuVCyvpPA5kck6//XgO4Mx5OozF
pSveE98RXTlWwycgyAtW
=4l4T
-----END PGP SIGNATURE-----

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel

Reply via email to