Control: fixed -1 4.16.3+~cs5.4.72-2

On 29/04/2021 at 20:38, Salvatore Bonaccorso wrote:
> Source: node-browserslist
> Version: 4.16.3+~cs5.4.72-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-browserslist.
>
> CVE-2021-23364[0]:
> | The package browserslist from 4.0.0 and before 4.16.5 are vulnerable
> | to Regular Expression Denial of Service (ReDoS) during parsing of
> | queries.
>
> The patch will probably not cleanly apply, but according to the
> available information at least 4.0.0 onwards until 4.16.5 are
> affected. Not sure if earlier versions were just not checked or if they
> are confirmed to be not affected.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-23364
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
> [1] https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
> [2] https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
> [3] https://github.com/browserslist/browserslist/pull/593
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Already pushed ;-)
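Added illustration, not part of the bug report and not browserslist's code: the CVE text names the bug class (ReDoS in query parsing) without showing it. The block below uses the textbook nested-quantifier regex as an assumed stand-in (browserslist's real query regex is not reproduced here), a hand-written scanner for the same language that cannot backtrack, and a small timing probe of the kind a packager can adapt to check whether a parser's cost explodes on crafted input rather than growing with its length. The crafted inputs are constructed inside the script.

```javascript
'use strict';
// Added example (not browserslist's code, not the patched regex): a quick
// ReDoS probe of the kind you would run against a query parser. The regex
// below is the textbook nested-quantifier pattern, assumed here only to
// illustrate the bug class.

// Backtracking-prone: "words separated by optional whitespace".
// (\w+\s?)* lets the engine split a run of word chars in 2^(n-1) ways,
// and it tries all of them when the final '$' cannot match.
const BACKTRACKING_WORDS = /^(\w+\s?)*$/;

// Same language recognised by a hand-written scanner: one pass, no backtracking.
function matchWordsLinear(input) {
  let i = 0;
  const n = input.length;
  while (i < n) {
    let j = i;
    while (j < n && /\w/.test(input[j])) j++;
    if (j === i) return false; // a word must start here but does not
    i = j;
    if (i < n && /\s/.test(input[i])) i++; // at most one separator per word
  }
  return true;
}

// Constructed adversarial input: n word chars then a char that matches
// neither \w, \s nor end-of-input, so every possible split is explored.
function craftedInput(n) {
  return 'a'.repeat(n) + '!';
}

// Wall-clock milliseconds of the fastest of `repeat` calls, so a GC pause
// or JIT warm-up in one run does not distort the sample.
function minTimeMs(fn, repeat = 3) {
  let best = Infinity;
  for (let r = 0; r < repeat; r++) {
    const t0 = process.hrtime.bigint();
    fn();
    const ms = Number(process.hrtime.bigint() - t0) / 1e6;
    if (ms < best) best = ms;
  }
  return best;
}

// Time a matcher on crafted inputs of increasing size.
function probe(matcher, sizes) {
  return sizes.map((n) => ({ n, ms: minTimeMs(() => matcher(craftedInput(n))) }));
}

// Heuristic verdict: a linear matcher's cost grows roughly with n; if the
// last sample costs far more than the input growth alone explains, the
// matcher is backtracking catastrophically.
function looksSuperLinear(samples, slack = 8) {
  const first = samples[0];
  const last = samples[samples.length - 1];
  const inputGrowth = last.n / first.n;
  const baseline = Math.max(first.ms, 0.05); // floor: sub-50us samples are timer noise
  return last.ms > baseline * inputGrowth * slack;
}

// Small sizes keep the exponential case to well under a second.
const SIZES = [14, 18, 22];

function report() {
  const regex = probe((s) => BACKTRACKING_WORDS.test(s), SIZES);
  const scanner = probe(matchWordsLinear, SIZES);
  return {
    regex,
    scanner,
    regexSuperLinear: looksSuperLinear(regex),
    scannerSuperLinear: looksSuperLinear(scanner),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = report();
  for (const s of r.regex) console.log(`regex   n=${s.n}: ${s.ms.toFixed(2)} ms`);
  for (const s of r.scanner) console.log(`scanner n=${s.n}: ${s.ms.toFixed(3)} ms`);
  console.log(`regex super-linear: ${r.regexSuperLinear}, scanner super-linear: ${r.scannerSuperLinear}`);
}
```

Run it with `node redos-probe.js`: the regex column grows by roughly 16x for each +4 characters while the scanner stays flat. The same probe can be pointed at `browserslist(query)` from the packaged version to confirm that the fixed release no longer shows the blow-up, provided the crafted input is shaped to the separators that parser actually splits on.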