Your message dated Sun, 28 May 2017 18:18:33 +0000
with message-id <e1df2lt-000g7i...@fasolo.debian.org>
and subject line Bug#863481: fixed in node-concat-stream 1.5.1-2
has caused the Debian Bug report #863481,
regarding [node-concat-stream] Uninitialized Memory Exposure
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901

Overview

concat-stream is a writable stream that concatenates strings or binary data and 
calls a callback with the result. Affected versions of the package are 
vulnerable to Uninitialized Memory Exposure.

A possible memory disclosure vulnerability exists when a value of type number 
is provided to the stringConcat() method and results in concatenation of 
uninitialized memory to the stream collection.

This is a result of unobstructed use of the Buffer constructor, whose insecure 
default constructor increases the odds of memory leakage.

--- End Message ---
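The number-as-size behaviour described in the report above, shown as an added example that is not part of the original messages or of the concat-stream source. `legacyBuffer` is a hypothetical stand-in that uses `Buffer.allocUnsafe` to model the old `Buffer` constructor, and the sample parts are constructed.

```javascript
'use strict';

// Model of the legacy constructor dispatch: a number is treated as a SIZE and
// the returned memory is not zeroed. Buffer.allocUnsafe() stands in for it so
// the behaviour is reproducible on current Node.js releases (assumption).
function legacyBuffer(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  return Buffer.from(value);
}

// Pre-fix shape: anything that is not already a Buffer goes straight to the
// constructor, so a numeric part becomes N bytes of uninitialized memory.
function toChunkUnsafe(part) {
  return Buffer.isBuffer(part) ? part : legacyBuffer(part);
}

// Hardened shape: a number is data, not a length. It is stringified first,
// and unexpected types are rejected instead of being passed through.
function toChunkSafe(part) {
  if (Buffer.isBuffer(part)) return part;
  if (typeof part === 'number') return Buffer.from(String(part), 'utf8');
  if (typeof part === 'string') return Buffer.from(part, 'utf8');
  throw new TypeError('unsupported chunk type: ' + typeof part);
}

// Concatenate all parts using the given per-part conversion.
function concat(parts, toChunk) {
  return Buffer.concat(parts.map(toChunk));
}

// Constructed input: a field expected to be a string arrives as a number,
// for example from a parsed JSON body.
const parts = ['id=', 64];

const leaked = concat(parts, toChunkUnsafe);
const safe = concat(parts, toChunkSafe);

// The unsafe result carries 64 bytes that the caller never wrote.
console.log('unsafe length:', leaked.length, 'bytes');
console.log('safe result  :', JSON.stringify(safe.toString('utf8')));
```

The same check applies to any code path that hands caller-controlled values to a buffer constructor: validate the type before allocation, and allocate with `Buffer.alloc` or `Buffer.from` so that a number can never select an uninitialized region.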
--- Begin Message ---
Source: node-concat-stream
Source-Version: 1.5.1-2

We believe that the bug you reported is fixed in the latest version of
node-concat-stream, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 863...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ross Gammon <ros...@ubuntu.com> (supplier of updated node-concat-stream package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 May 2017 16:19:49 +0200
Source: node-concat-stream
Binary: node-concat-stream
Architecture: source
Version: 1.5.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Ross Gammon <ros...@ubuntu.com>
Description:
 node-concat-stream - writable stream that concatenates strings
Closes: 863481
Changes:
 node-concat-stream (1.5.1-2) unstable; urgency=high
 .
   * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
     (Closes: #863481)
   * Use stretch git branch
   * Use Ubuntu email address

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel