Bug#863481: [Pkg-javascript-devel] Bug#863481: [node-concat-stream] Uninitialized Memory Exposure

2017-05-27 Thread roucaries bastien
I can do it, but I do not know which is the best:
- let 1.6 go to unstable
- patch the old version

Could you ask the release team?

The debdiff between the two versions is so small that I have doubts.

On Sat, May 27, 2017 at 6:53 PM, Ross Gammon  wrote:
> Hi Bastien,
>
> If you would like me to prepare an upload to unstable for this (& unblock
> request), let me know. I have some time today & tomorrow - but travelling
> with work next week. I have DM upload rights for it.
>
> Only asking in case you are already working on it.
>
> Cheers,
>
> Ross
>
>
> On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
>
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is a writable stream that concatenates strings or binary data
> and calls a callback with the result. Affected versions of the package are
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type
> number is provided to the stringConcat() method and results in concatenation
> of uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose
> insecure default constructor increases the odds of memory leakage.



Bug#863481: [Pkg-javascript-devel] Bug#863481: [node-concat-stream] Uninitialized Memory Exposure

2017-05-27 Thread Ross Gammon
Hi Bastien,

If you would like me to prepare an upload to unstable for this (&
unblock request), let me know. I have some time today & tomorrow - but
travelling with work next week. I have DM upload rights for it.

Only asking in case you are already working on it.

Cheers,

Ross

On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:
> Package: node-concat-stream
> Version: 1.5.1-1
> Severity: grave
> Tags: patch security fixed-upstream fixed-in-experimental
> X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
> forwarded: https://snyk.io/vuln/npm:concat-stream:20160901
>
> Overview
>
> concat-stream is a writable stream that concatenates strings or binary data
> and calls a callback with the result. Affected versions of the package are
> vulnerable to Uninitialized Memory Exposure.
>
> A possible memory disclosure vulnerability exists when a value of type
> number is provided to the stringConcat() method and results in concatenation
> of uninitialized memory to the stream collection.
>
> This is a result of unobstructed use of the Buffer constructor, whose
> insecure default constructor increases the odds of memory leakage.
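As an added example (not code from node-concat-stream or from the bug report above), a concat routine hardened the way the report implies: only strings, Buffers and buffer-like values are taken as data, and anything else is stringified before Buffer.from(), so a numeric chunk can never be handed to the Buffer constructor as an allocation size; unsafeChunkIndices() flags the chunks a catch-all `new Buffer(p)` branch would have passed to that constructor. Assumptions: the vulnerable pattern is a catch-all `new Buffer(p)` on an arbitrary chunk p, and Node 8 or later, where Buffer(size) is zero-filled, so the leak itself is not reproducible and the check is structural.

```javascript
'use strict';
// Added example, not node-concat-stream's own code. Assumes the vulnerable
// pattern was a catch-all `new Buffer(p)` on whatever chunk p was written.

// True when a chunk is something Buffer.from() accepts as raw data.
function isBufferish(p) {
  return Array.isArray(p) ||
    p instanceof ArrayBuffer ||
    ArrayBuffer.isView(p); // Uint8Array, DataView, ...
}

// Hardened concat: every chunk that is not a string, Buffer or buffer-like
// value is stringified first. A number such as 1024 therefore becomes the
// 4-byte text "1024" instead of a request for a 1024-byte buffer, and
// Buffer.from() never hands back uninitialized memory the way the legacy
// Buffer(size) constructor could.
function safeStringConcat(parts) {
  const out = [];
  for (const p of parts) {
    if (typeof p === 'string' || Buffer.isBuffer(p) || isBufferish(p)) {
      out.push(Buffer.from(p));
    } else {
      out.push(Buffer.from(String(p)));
    }
  }
  return Buffer.concat(out).toString();
}

// Audit helper: indices of chunks that a catch-all `new Buffer(p)` branch
// would have treated as an allocation size rather than as data. Useful in
// tests that feed a writable stream mixed-type input.
function unsafeChunkIndices(parts) {
  const idx = [];
  parts.forEach((p, i) => {
    if (typeof p === 'number') idx.push(i);
  });
  return idx;
}

// Demo input (constructed): text, a Buffer, a number, a byte array.
const demo = ['ab', Buffer.from('c'), 42, [100]];
console.log(safeStringConcat(demo));      // ab c42d joined as "abc42d"
console.log(unsafeChunkIndices(demo));    // [ 2 ]
```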