Your message dated Sat, 09 Dec 2017 19:00:10 +0000
with message-id <e1enkm6-0005rw...@fasolo.debian.org>
and subject line Bug#836205: fixed in node-debug 3.1.0-1
has caused the Debian Bug report #836205,
regarding node-debug: CVE-2015-8315: Vulnerable to ReDoS attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
836205: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836205
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-debug
Version: 2.1.0+dfsg
Severity: important
Tags: security upstream

node-debug contains a convenience code copy of ms, which is vulnerable to
so-called ReDoS (regular expression denial of service) attacks:
https://nodesecurity.io/advisories/46

According to the above advisory, upgrading to ms 0.7.1 or greater solves the
issue.

node-debug addressed this as the last commit before releasing 2.2.0:
https://github.com/visionmedia/debug/commit/0f4fd585befe8ce9287f4407cbcd95c63a6f1cfd

I found this issue through a commit message to node-stringprep:
https://github.com/astro/node-stringprep/commit/e9d5b40ab3c6a03546309ba84b08b159b5d0db59

I wonder if perhaps the security team might have spotted this far
earlier, if the ms code had been properly packaged as a first-class
node-ms package rather than hidden as an embedded convenience code copy.


 - Jonas


--- End Message ---
--- Begin Message ---
Source: node-debug
Source-Version: 3.1.0-1

We believe that the bug you reported is fixed in the latest version of
node-debug, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 836...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paolo Greppi <paolo.gre...@libpf.com> (supplier of updated node-debug package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Mon, 27 Nov 2017 13:32:52 +0100
Source: node-debug
Binary: node-debug libjs-debug
Architecture: source all
Version: 3.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Paolo Greppi <paolo.gre...@libpf.com>
Description:
 libjs-debug - small debugging utility
 node-debug - small debugging utility for Node.js
Closes: 836205
Changes:
 node-debug (3.1.0-1) unstable; urgency=medium
 .
   * New upstream release.
   * Bump standards versions
   * Unbundle node-ms and depend on it (Closes: #836205)
   * No need to patch away the build-dependency on sinon-chai since
     node-sinon-chai is now in the archive
   * Also produce a libjs-debug binary
   * Patch the provided browser example to use library from
     /usr/share/javascript
   * Provide another example for using this library in the browser

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
