
Re: Bug#1021648: buster-pu: package node-xmldom/0.1.27+ds-1+deb10u1



Hi,

On Wed, Oct 12, 2022 at 10:12:09AM +0200, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: buster
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> [ Reason ]
> node-xmldom is vulnerable to prototype pollution
> 
> [ Impact ]
> Medium security issue
> 
> [ Tests ]
> No new test, test passed
> 
> [ Risks ]
> Low risk, patch is trivial
> 
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable
>   [X] the issue is verified as fixed in unstable
> 
> [ Changes ]
> Add checks to avoid prototype pollution
> 
> Cheers,
> Yadd

> diff --git a/debian/changelog b/debian/changelog
> index 51d769b..d16e01b 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,10 @@
> +node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium
> +
> +  * Team upload
> +  * Fix prototype pollution (Closes: #1021618, CVE-2022-37616)
> +
> + -- Yadd <yadd@debian.org>  Wed, 12 Oct 2022 10:07:56 +0200
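
Review bot: The changelog bullet "Fix prototype pollution (Closes: #1021618, CVE-2022-37616)" does not say which patch carries the fix or which code gained the checks, so the changelog alone does not show what changed. Consider naming the patch file (if the fix is shipped as one under debian/patches) and the affected function in that bullet. The first line of the entry targets `buster`; as the reply below routes this update through a DLA instead of a point release, the distribution field should be rechecked with the LTS team before upload. The hunk header announces ten lines, but the quoted excerpt stops at the signature line and the code change itself is not shown, so the fix cannot be assessed from what is visible here.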

The last buster point release has happened. But this update could go
via a DLA. I suggest contacting the LTS team (cc'ing the list).

Regards,
Salvatore

