Package: node-debug
Version: 2.1.0+dfsg
Severity: important
Tags: security upstream
node-debug contains a convenience code copy of ms, which is vulnerable to so-called ReDoS (regular expression denial of service) attacks:

https://nodesecurity.io/advisories/46

According to the above advisory, upgrading to ms 0.7.1 or greater solves the issue.

node-debug addressed this in the last commit before releasing 2.2.0:

https://github.com/visionmedia/debug/commit/0f4fd585befe8ce9287f4407cbcd95c63a6f1cfd

I found this issue through a commit message to node-stringprep:

https://github.com/astro/node-stringprep/commit/e9d5b40ab3c6a03546309ba84b08b159b5d0db59

I wonder if perhaps the security team might have spotted this far earlier if the ms code had been properly packaged as a first-class node-ms package rather than hidden as an embedded convenience code copy.

 - Jonas

