Your message dated Thu, 09 Jul 2020 12:34:07 +0000
with message-id <e1jtvkd-000fc0...@fasolo.debian.org>
and subject line Bug#963764: fixed in node-node-sass 4.14.1+git20200512.e1fc158+dfsg-1
has caused the Debian Bug report #963764,
regarding node-node-sass: uses embedded old security-buggy libsass
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
963764: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963764
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-node-sass
Version: 4.13.1-2
Severity: serious
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

node-node-sass ships with an old release of libsass.

Since Debian release 4.13.1-2 this is explicitly used
(uncertain if previously it might also accidentally be used).

Libsass has a series of known security flaws:
https://security-tracker.debian.org/tracker/source-package/libsass

The Debian package libsass is itself badly maintained regarding these
security issues, but at least it is kept up-to-date with upstream,
meaning that _maybe_ they fixed all the issues:
https://bugs.debian.org/921952

Knowingly using older releases of libsass is unacceptable, and should
not be included in a stable release of Debian.


 - Jonas

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
--- Begin Message ---
Source: node-node-sass
Source-Version: 4.14.1+git20200512.e1fc158+dfsg-1
Done: Andrius Merkys <mer...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-node-sass, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 963...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Andrius Merkys <mer...@debian.org> (supplier of updated node-node-sass package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 09 Jul 2020 08:14:41 -0400
Source: node-node-sass
Architecture: source
Version: 4.14.1+git20200512.e1fc158+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Andrius Merkys <mer...@debian.org>
Closes: 963764
Changes:
 node-node-sass (4.14.1+git20200512.e1fc158+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Andrius Merkys ]
   * New upstream version 4.14.1+git20200512.e1fc158+dfsg
   * Excluding src/libsass, linking against system-provided libsass
     (Closes: #963764)
   * Ignoring failing test case
 .
   [ Nilesh Patra ]
   * Add compression parameter

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
