Your message dated Sun, 4 Jul 2021 22:23:37 +0200
with message-id <YOIYyRreA92QJMxw@ramacher.at>
and subject line Re: Bug#990688: unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
has caused the Debian Bug report #990688,
regarding unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
990688: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990688
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 04 Jul 2021 22:14:49 +0200
- Message-id: <162542968901.12831.13415311668246670494.reportbug@eldamar.lan>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: carnil@debian.org,yadd@debian.org

Hi Release team,

Please unblock package node-mermaid

Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
targeted fix from upstream. Can you please unblock the package and
make sure it lands in testing and so bullseye in time before the
release?

I'm attaching the debdiff as generated by the upload from Yadd.

Regards,
Salvatore

diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 2020-10-19 14:00:00.000000000 +0200 +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 2021-06-29 14:46:20.000000000 +0200 @@ -1,3 +1,10 @@ +node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium + + * Team upload + * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513) + + -- Yadd <yadd@debian.org> Tue, 29 Jun 2021 14:46:20 +0200 + node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium * Source-only-upload diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 1970-01-01 01:00:00.000000000 +0100 +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 2021-06-29 14:44:46.000000000 +0200 
@@ -0,0 +1,33 @@ +Description: Small positoining fix for parallell processes and nested +Author: Knut Sveidqvist <knut.sveidqvist@ipiccolo.com> +Origin: upstream, https://github.com/mermaid-js/mermaid/pull/2123/files +Bug: https://github.com/mermaid-js/mermaid/issues/2122 +Bug-Debian: https://bugs.debian.org/990449 +Forwarded: not-needed +Reviewed-By: Yadd <yadd@debian.org> +Last-Update: 2021-06-29 + +--- a/src/dagre-wrapper/clusters.js ++++ b/src/dagre-wrapper/clusters.js +@@ -194,7 +194,7 @@ + const rectBox = rect.node().getBBox(); + node.width = rectBox.width; + node.height = rectBox.height; +- ++ node.diff = -node.padding / 2; + node.intersect = function(point) { + return intersectRect(node, point); + }; +--- a/src/diagrams/common/common.js ++++ b/src/diagrams/common/common.js +@@ -26,6 +26,10 @@ + break; + } + } ++ ++ rs = rs.replace('javascript:', '#'); ++ rs = rs.replace('<iframe', ''); ++ + return rs; + }; + diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 2020-10-19 14:00:00.000000000 +0200 +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 2021-06-29 14:41:58.000000000 +0200 @@ -1,2 +1,3 @@ 0002-Fix-unsupported-syntax.patch 0003-Replace-moment-mini-with-moment.patch +CVE-2021-35513.patch
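Review bot: In the src/diagrams/common/common.js hunk, the two added calls rs.replace('javascript:', '#') and rs.replace('<iframe', '') pass a plain string as the pattern, so each one rewrites only the first occurrence and only that exact lowercase spelling; any later occurrence, or the same text in a different letter case, is returned unchanged. For a fix that closes an XSS CVE, suggest at minimum a global, case-insensitive regular expression for both substitutions, and preferably passing the label through an allowlist-based HTML sanitizer rather than a denylist of two substrings, with a regression test that covers repeated and mixed-case input.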
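Review bot: The header of debian/patches/CVE-2021-35513.patch carries the Description "Small positoining fix for parallell processes and nested", which says nothing about the XSS fix that debian/changelog attributes to this patch, and the src/dagre-wrapper/clusters.js hunk (node.diff = -node.padding / 2) is a layout change with no bearing on sanitization. Suggest rewording the Description to name CVE-2021-35513 and the common.js change, and either dropping the clusters.js hunk or stating in the header that it is carried along from the upstream pull request, so the security change can be reviewed in isolation.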
--- End Message ---
--- Begin Message ---
- To: Salvatore Bonaccorso <carnil@debian.org>, 990688-done@bugs.debian.org
- Subject: Re: Bug#990688: unblock: node-mermaid/8.7.0+ds+~cs27.17.17-3
- From: Sebastian Ramacher <sramacher@debian.org>
- Date: Sun, 4 Jul 2021 22:23:37 +0200
- Message-id: <YOIYyRreA92QJMxw@ramacher.at>
- In-reply-to: <162542968901.12831.13415311668246670494.reportbug@eldamar.lan>
- References: <162542968901.12831.13415311668246670494.reportbug@eldamar.lan>
On 2021-07-04 22:14:49 +0200, Salvatore Bonaccorso wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: carnil@debian.org,yadd@debian.org
>
> Hi Release team,
>
> Please unblock package node-mermaid
>
> Yadd fixed CVE-2021-35513 affecting node-mermaid in unstable with a
> targeted fix from upstream. Can you please unblock the package and
> make sure it lands in testing and so bullseye in time before the
> release?
>
> I'm attaching the debdiff as generated by the upload from Yadd.

Aged to 5 days.

Cheers

>
> Regards,
> Salvatore
> diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog > --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 2020-10-19 14:00:00.000000000 +0200 > +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/changelog 2021-06-29 14:46:20.000000000 +0200 > @@ -1,3 +1,10 @@ > +node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium > + > + * Team upload > + * Fix XSS vulnerability when antiscript is used (Closes: CVE-2021-35513) > + > + -- Yadd <yadd@debian.org> Tue, 29 Jun 2021 14:46:20 +0200 > + > node-mermaid (8.7.0+ds+~cs27.17.17-2) unstable; urgency=medium > > * Source-only-upload > diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch > --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 1970-01-01 01:00:00.000000000 +0100 > +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/CVE-2021-35513.patch 2021-06-29 14:44:46.000000000 +0200 
> @@ -0,0 +1,33 @@ > +Description: Small positoining fix for parallell processes and nested > +Author: Knut Sveidqvist <knut.sveidqvist@ipiccolo.com> > +Origin: upstream, https://github.com/mermaid-js/mermaid/pull/2123/files > +Bug: https://github.com/mermaid-js/mermaid/issues/2122 > +Bug-Debian: https://bugs.debian.org/990449 > +Forwarded: not-needed > +Reviewed-By: Yadd <yadd@debian.org> > +Last-Update: 2021-06-29 > + > +--- a/src/dagre-wrapper/clusters.js > ++++ b/src/dagre-wrapper/clusters.js > +@@ -194,7 +194,7 @@ > + const rectBox = rect.node().getBBox(); > + node.width = rectBox.width; > + node.height = rectBox.height; > +- > ++ node.diff = -node.padding / 2; > + node.intersect = function(point) { > + return intersectRect(node, point); > + }; > +--- a/src/diagrams/common/common.js > ++++ b/src/diagrams/common/common.js > +@@ -26,6 +26,10 @@ > + break; > + } > + } > ++ > ++ rs = rs.replace('javascript:', '#'); > ++ rs = rs.replace('<iframe', ''); > ++ > + return rs; > + }; > + > diff -Nru node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series > --- node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 2020-10-19 14:00:00.000000000 +0200 > +++ node-mermaid-8.7.0+ds+~cs27.17.17/debian/patches/series 2021-06-29 14:41:58.000000000 +0200 > @@ -1,2 +1,3 @@ > 0002-Fix-unsupported-syntax.patch > 0003-Replace-moment-mini-with-moment.patch > +CVE-2021-35513.patch

-- 
Sebastian Ramacher
Attachment: signature.asc
Description: PGP signature
--- End Message ---