[SECURITY] [DLA 4003-1] node-postcss security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 4003-1] node-postcss security update
From: rouca@debian.org
Date: Thu, 26 Dec 2024 22:44:14 +0000
Message-id: <[🔎] b07ef5048083ca77560e9b4305897fc6@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-4003-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Bastien RoucariÃ¨s
December 26, 2024                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : node-postcss
Version        : 8.2.1+~cs5.3.23-8+deb11u1
CVE ID         : CVE-2021-23566 CVE-2023-44270 CVE-2024-55565
Debian Bug     : 1053282

Multiple vulnerabilities were fixed in node-postcss a
tool for transforming styles with JS plugins.

CVE-2021-23566

    nanoid package is vulnerable to Information Exposure via the
    valueOf() function which allows to reproduce the last id generated.

CVE-2023-44270

    The vulnerability affects linters using PostCSS to parse external
    untrusted CSS. An attacker can prepare CSS in such a way that it will
    contains parts parsed by PostCSS as a CSS comment. After processing
    by PostCSS, it will be included in the PostCSS output in CSS nodes
    (rules, properties) despite being included in a comment.

CVE-2024-55565

    nanoid package mishandles non-integer values of size parameter.

For Debian 11 bullseye, these problems have been fixed in version
8.2.1+~cs5.3.23-8+deb11u1.

We recommend that you upgrade your node-postcss packages.

For the detailed security status of node-postcss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-postcss

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEXQGHuUCiRbrXsPVqADoaLapBCF8FAmdt3D4ACgkQADoaLapB
CF87fw//QR1FJVntE+DivFgSEDhycPlxrSJQA8vN7i5ThVhoGw2WPgFhgmBnMhNy
iGVOIZ2LQLwzHJkw7fwUFkstTv5TDZqHF+KpNtzv0eDc9E0IFiJCbrbo2E1kQv8y
7QKbpIE8heYz23uujSatHnpbOTf7VFiyivyXsYUl5FFMvY75b9ngrTZlqVAZK5ty
Lr84ANH20UfOXDlvk34hAYS5JwR5ou+lKE+WB74sng2Y8sjv/4sY8Os+737t6nEp
G44NiS17RnzbPoNqHdxpBXIMBfNqaiFb7btN+szi9oKtUlohAaChdA8rkpbCITXH
wfM3WPLr4lN9PaDRvRMohCfWNmBIVDM3a0oLOZPPfjzWav4STsARiSjmC8y/lVhz
uLJ0fyx9/dVBvvnAbOXbdza765+uu9ePNvN5zVrt+hwRpwjCD3wyCGf+50JcVWF2
hbL6Ff3QcvaBlzw15VbJfPx5/RtN5cYuVA/UdBNQlK7q3eEW6g3xuqyzyp3kQkjn
Z1GHx8G0xW/hsSqjyAcaA6WsFQqc+lVIx7pWfMy55re63TU+gR2St38jVQDeB1dG
sIhoUczad0/vQdcOQ6ggJ2JhB9/50042BkCziEO9QkxbCZifXRNJC5LLpnEWbA1w
sOYtDnpSUGqR824sRaQNztn0mFnB4ok0rVVBbMqxVVptfUTCjQY=
=fpnJ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 4002-1] intel-microcode security update
Next by Date: [SECURITY] [DLA 4004-1] opensc security update
Previous by thread: [SECURITY] [DLA 4002-1] intel-microcode security update
Next by thread: [SECURITY] [DLA 4004-1] opensc security update
Index(es):
- Date
- Thread