
Bug#987767: unblock: node-postcss/8.2.1+~cs5.3.23-8



On 29/04/2021 at 10:50, Yadd wrote:
> On 29/04/2021 at 10:32, Yadd wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>> X-Debbugs-Cc: pkg-javascript-devel@lists.alioth.debian.org
>>
>> Please unblock package node-postcss
>>
>> [ Reason ]
>> node-postcss is vulnerable to a Regex Denial of Service (ReDoS)
>>
>> [ Impact ]
>> Medium vulnerability
>>
>> [ Tests ]
>> I added tests for CVE-2021-23368 and CVE-2021-23382 inspired by CVE
>> proofs of concept
>>
>> [ Risks ]
>> No risk, this is just a regex improvement.
>>
>> [ Checklist ]
>>   [X] all changes are documented in the d/changelog
>>   [X] I reviewed all changes and I approve them
>>   [X] attach debdiff against the package in testing
>>
>> Cheers,
>> Yadd
>>
>> unblock node-postcss/8.2.1+~cs5.3.23-7
> 
> I added a missing `set -e` in the security test. autopkgtest works fine with
> my patch and fails without.
> 
> Cheers,
> Yadd
> 
> unblock node-postcss/8.2.1+~cs5.3.23-8

Note: this fix is an improvement on the previous fix
(node-postcss/8.2.1+~cs5.3.23-6): the patch fixes the same regular expressions.

