
Bug#994861: bullseye-pu: package node-ansi-regex/5.0.1-1~deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-ansi-regex is vulnerable to a ReDoS (CVE-2021-3807)

[ Impact ]
Little vulnerability

[ Tests ]
Test passed (no change)

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex update.

[ Other info ]
I preferred to import the new upstream release since the change is exactly the CVE
fix.

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 56d7a9c..c57aa87 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-ansi-regex (5.0.1-1~deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * New upstream version 5.0.1 (Closes: CVE-2021-3807)
+
+ -- Yadd <yadd@debian.org>  Wed, 22 Sep 2021 09:00:21 +0200
+
 node-ansi-regex (5.0.0-1) unstable; urgency=medium
 
   * Team upload
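Review bot: In the new 5.0.1-1~deb11u1 entry, "Closes: CVE-2021-3807" puts a CVE id where the changelog parser expects a Debian bug number, so no bug is closed by this upload. If a BTS bug tracks the CVE, cite it as "Closes: #NNNNNN" (placeholder number) and name the CVE in the description text, for example "New upstream version 5.0.1 (fixes CVE-2021-3807)". The entry would also be clearer if it said in a few words that the fix is a change to the regex in index.js, since stable release reviewers read the changelog first.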
diff --git a/debian/gbp.conf b/debian/gbp.conf
index b713356..638e285 100644
--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -1,5 +1,6 @@
 [DEFAULT]
 pristine-tar = True
+debian-branch=bullseye
 
 [import-orig]
 filter = [ '.gitignore', '.travis.yml', '.git*' ]
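Review bot: The added "debian-branch=bullseye" line is a packaging change that the new changelog entry does not list, while the request's checklist states that all changes are documented in d/changelog; add a line such as "Set debian-branch to bullseye in gbp.conf". As a style point, the neighbouring keys use spaces around "=" ("pristine-tar = True"), so "debian-branch = bullseye" would match the rest of the file.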
diff --git a/index.js b/index.js
index 35054aa..616ff83 100644
--- a/index.js
+++ b/index.js
@@ -2,7 +2,7 @@
 
 module.exports = ({onlyFirst = false} = {}) => {
 	const pattern = [
-		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
+		'[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)',
 		'(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))'
 	].join('|');
 
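Review bot: The rewritten first pattern string in index.js arrives without a regression test in this diff, and the request notes the tests passed unchanged, so nothing visible here would catch the slow matching coming back. A test that runs the exported regex against a long non-matching input and asserts an upper bound on elapsed time would cover that, alongside the existing match cases to confirm that sequences ending in \u0007 are still recognised. The new alternation splits the optional group into a branch of ";"-prefixed segments with "+" and a branch that must start with "[a-zA-Z\\d]+"; a one-line comment above the pattern saying why the split exists would keep a later cleanup from merging the branches again.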
diff --git a/package.json b/package.json
index 7af801f..017f531 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 	"name": "ansi-regex",
-	"version": "5.0.0",
+	"version": "5.0.1",
 	"description": "Regular expression for matching ANSI escape codes",
 	"license": "MIT",
 	"repository": "chalk/ansi-regex",
diff --git a/readme.md b/readme.md
index 3c2b77c..4d848bc 100644
--- a/readme.md
+++ b/readme.md
@@ -1,4 +1,4 @@
-# ansi-regex [![Build Status](https://travis-ci.org/chalk/ansi-regex.svg?branch=master)](https://travis-ci.org/chalk/ansi-regex)
+# ansi-regex
 
 > Regular expression for matching [ANSI escape codes](https://en.wikipedia.org/wiki/ANSI_escape_code)
 
