[SECURITY] [DLA 4003-1] node-postcss security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4003-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                    Bastien Roucariès
December 26, 2024                             https://wiki.debian.org/LTS
-------------------------------------------------------------------------
Package        : node-postcss
Version        : 8.2.1+~cs5.3.23-8+deb11u1
CVE ID         : CVE-2021-23566 CVE-2023-44270 CVE-2024-55565
Debian Bug     : 1053282
Multiple vulnerabilities were fixed in node-postcss, a
tool for transforming styles with JS plugins.
CVE-2021-23566
The nanoid package is vulnerable to information exposure via the
valueOf() function, which allows reproducing the last id generated.
CVE-2023-44270
The vulnerability affects linters using PostCSS to parse external
untrusted CSS. An attacker can prepare CSS in such a way that it will
contain parts parsed by PostCSS as a CSS comment. After processing
by PostCSS, those parts will be included in the PostCSS output as CSS
nodes (rules, properties) despite being written inside a comment.
CVE-2024-55565
The nanoid package mishandles non-integer values of the size parameter.
For Debian 11 bullseye, these problems have been fixed in version
8.2.1+~cs5.3.23-8+deb11u1.
We recommend that you upgrade your node-postcss packages.
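As an added check that is not part of the advisory: a small Python implementation of the dpkg version-ordering rules (epoch, upstream version, Debian revision, with '~' sorting before everything) so an installed node-postcss version can be tested against the fixed version above. It goes beyond this single case and orders any pair of Debian versions; the dpkg-query call under the main guard assumes a Debian host.

```python
import re
import subprocess
from itertools import zip_longest

# Fixed version named in this advisory for Debian 11 bullseye
FIXED_VERSION = "8.2.1+~cs5.3.23-8+deb11u1"

def _order(c):
    # dpkg character weight: '~' < end-of-string == digit < letters < other symbols
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    # dpkg verrevcmp: alternate runs of non-digits (char by char) and digits (numerically)
    runs = zip_longest(re.findall(r"(\D*)(\d*)", a),
                       re.findall(r"(\D*)(\d*)", b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in runs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(version):
    # Debian syntax: [epoch:]upstream_version[-debian_revision]
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def compare_versions(a, b):
    # negative if a is older than b, 0 if equal, positive if newer
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return (ea - eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def is_fixed(installed, fixed=FIXED_VERSION):
    return compare_versions(installed, fixed) >= 0

if __name__ == "__main__":
    # Assumption: run on a Debian host where dpkg-query is on PATH
    v = subprocess.run(["dpkg-query", "-W", "-f=${Version}", "node-postcss"],
                       capture_output=True, text=True).stdout.strip()
    print("node-postcss", v or "not installed", "" if not v else "fixed" if is_fixed(v) else "NEEDS UPDATE")
```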
For the detailed security status of node-postcss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-postcss
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS