Bug#1006215: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1
hi,
On Wed, Feb 23, 2022 at 10:27:33PM +0100, Moritz Mühlenhoff wrote:
> Am Mon, Feb 21, 2022 at 01:57:54PM +0100 schrieb Yadd:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> >
> > [ Reason ]
> > node-prismjs has 2 vulnerabilities:
> > * Regex DoS (CVE-2021-40438)
>
> Where did you get that CVE reference from? CVE-2021-40438 is for a
> mod_proxy vulnerability in Apache httpd?
The used changelog entry actually has:
+node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Fix ReDoS (Closes: CVE-2021-3801)
+ * Command Line: Escape markup in command line output
+ (Closes: CVE-2022-23647)
+
+ -- Yadd <yadd@debian.org> Mon, 21 Feb 2022 11:57:44 +0100
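Review bot: the CVE identifier in this changelog entry (CVE-2021-3801 for the ReDoS fix) does not match the one given in the quoted pu request above (CVE-2021-40438), so the two should be reconciled before upload and the changelog should only close CVEs actually fixed by this revision; the indentation of the continuation line "+ (Closes: CVE-2022-23647)" also appears lost in the quoted hunk and should be checked against the actual debian/changelog.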
But this seems odd: CVE-2021-3801 was already fixed in the last
bullseye point release with 1.23.0+dfsg-1+deb11u1. So should this
update be only for CVE-2022-23647 and the version be
1.23.0+dfsg-1+deb11u2?
Regards,
Salvatore