
Bug#986439: [pre-approval] unblock: node-xmldom/0.5.0-1
Control: tags -1 confirmed moreinfo

Hi,

On Tue, Apr 06, 2021 at 12:48:59AM +0200, Yadd wrote:
> [ Reason ]
> node-xmldom ≤ 0.4 do not correctly preserve system identifiers, FPIs or
> namespaces when repeatedly parsing and serializing maliciously crafted
> documents. This may lead to unexpected syntactic changes during XML
> processing in some downstream applications (CVE-2021-21366).
> 
> [ Impact ]
> Medium vulnerability
> 
> [ Tests ]
> Upstream provides a new test for this vulnerability. Tested during build
> and autopkgtest. I verified also that node-jsonld autopkgtest is OK with
> this new version.
> Upstream tests are not trivial tests but real ones.
> 
> [ Risks ]
> Upstream changed lib/dom-parser.js lib/dom.js and lib/sax.js to have a
> better XML doc check. Other changes have no impact.
> Note that license is changed, reported in debian/copyright

The diff is rather big. A filtered diff with only the relevant changes would
have made things easier to review.

> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing

Please go ahead with the upload and remove the moreinfo tag from this bug once
the package is ready to migrate to testing.

Thanks,

Ivo