[SECURITY] [DLA 3618-1] node-babel security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3618-1] node-babel security update
From: Xavier <yadd@debian.org>
Date: Thu, 19 Oct 2023 11:07:43 +0400
Message-id: <[🔎] 20231019070743.6482481C21@m.xnr.fr>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3618-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                                 Yadd
October 14, 2023                              https://wiki.debian.org/LTS
- - - -------------------------------------------------------------------------

Package        : node-babel
Version        : 6.26.0+dfsg-3+deb10u1
CVE ID         : CVE-2023-45133
Debian Bug     : https://bugs.debian.org/1053880

In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all
versions of `babel-traverse`, using Babel to compile code that was
specifically crafted by an attacker can lead to arbitrary code execution
during compilation, when using plugins that rely on the path.evaluate() or
path.evaluateTruthy() internal Babel methods.

For Debian 10 buster, this problem has been fixed in version
6.26.0+dfsg-3+deb10u1.

We recommend that you upgrade your node-babel packages.

For the detailed security status of node-babel please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-babel

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQJGBAEBCgAwFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmUw1WMSHHguZ3VpbWFy
ZEBmcmVlLmZyAAoJEPbXTKfJme7pfl4P/jy4mVcF35YWkX45acstQkXvCq6d099h
B3KlhUmqK6hDAHJqCZCYtr1Gjw82tk+YJbaZACEVnowWo2pP7CyGRH2AAiAapTA7
U6Qexm14EbYOcPZzOQKrYO6Fqqf8WG84U5NjWbUgjP/xvCg9zFZdCutOkAclvYzN
V0yyUZ0kSKQ3KFv9UZJOVsL2laVn9rBvJotBnS1muStbRqPcM1R2Du1fBxQRtTPN
JGbilCXbnLNijy4fXa3VwnQ6J8enK6T7FvMP3lroIKSRaPPFTTCaAihh98D9D5r1
32hC+PxAzJltQzFSwm5LpT0E2qtaQ1uBxJAV7VORSqoF1+tnlG1NJv1Jnl7svJwF
FBBG10pn2uDB0XSJwEdIw13RugGsgda2t5lZ3U6TYmD4J7qeDXvLwFRMwakfcEX9
LJMLq2guAulaC1AGp3NjrO3ZgpR0TnysAHtODaiap4IqYJUDrBEBZttuj5+EJSuj
XIkK9klGfWY4X34m0dg3UI7ez0ik5usfjbGj+8m8ban5dE5otVJ4XNU5cNEbsG3v
0aIOIV1OS5ZNypdbaUNWxKWKR/uhHR+ib7PWohzKzGDYq7zyQYGKGhps78gebPgj
6Tjt9rk4P1R+/4evVEelZURJPbObD7ml5NBeyIcmjTYPvq/GxNTe6Ot5uKcER6C1
YuiloYEXnh5/
=+EU+
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3622-1] axis security update
Next by Date: [SECURITY] [DLA 3623-1] linux-5.10 security update
Previous by thread: [SECURITY] [DLA 3622-1] axis security update
Next by thread: [SECURITY] [DLA 3623-1] linux-5.10 security update
Index(es):
- Date
- Thread