Re: Bug#1021648: buster-pu: package node-xmldom/0.1.27+ds-1+deb10u1

[Yadd <yadd@debian.org>]

On 18/10/2022 13:10, Emilio Pozuelo Monfort wrote:
> On 18/10/2022 10:23, Yadd wrote:
> > On 18/10/2022 09:28, Emilio Pozuelo Monfort wrote:
> > > Hi Yadd,
> > >
> > > On 12/10/2022 18:38, Salvatore Bonaccorso wrote:
> > > > > +node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium
> > > > > +
> > > > > +  * Team upload
> > > > > +  * Fix prototype pollution (Closes: #1021618, CVE-2022-37616)
> > > > > +
> > > > > + -- Yadd <yadd@debian.org>  Wed, 12 Oct 2022 10:07:56 +0200
> > >
> > > Thanks for preparing this. I wonder if a fix for CVE-2021-21366 can 
> > > be applied while we're at it, if it's not too intrusive/risky?
> > >
> > > Can you upload this (with or without the extra fix depending on your 
> > > judgement) to security-master targeting buster-security? I can take 
> > > of the paperwork after that.
> > >
> > > Cheers,
> > > Emilio
> >
> > Hi,
> >
> > no risk here, patch is trivial and just avoid prototype pollution.
>
> I meant [1], which is different than CVE-2022-37616. There's an 
> additional issue, [2], but that may be unsuitable for buster (it's 
> triaged as too intrusive).
>
> [1] https://security-tracker.debian.org/tracker/CVE-2021-21366
> [2] https://security-tracker.debian.org/tracker/CVE-2021-32796
>
> > I just pushed it to security-master.
>
> I don't see any upload yet. Did you target buster-security?
>
> Cheers,
> Emilio

Hi,

sorry, the push was rejected. I just reuploaded it

Cheers,
Yadd