Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3

To: Bastien Roucariès <rouca@debian.org>, 1032299@bugs.debian.org
Subject: Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 01 Apr 2023 20:03:25 +0100
Message-id: <[🔎] b447dfca11367954f5d6d0286d72cdff8b265305.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1032299@bugs.debian.org
In-reply-to: <167783383589.1196906.4181466237595345429.reportbug@portable-bastien.local.roucaries.eu>
References: <167783383589.1196906.4181466237595345429.reportbug@portable-bastien.local.roucaries.eu> <167783383589.1196906.4181466237595345429.reportbug@portable-bastien.local.roucaries.eu>

Control: tags -1 + confirmed

On Fri, 2023-03-03 at 08:57 +0000, Bastien Roucariès wrote:
> CVE-2022-21222/CVE-2021-33587 The package css-what before 2.1.3 are
> vulnerable
> to Regular Expression Denial of Service (ReDoS) due to the usage of
> insecure
> regular expression in the re_attr variable of index.js. The
> exploitation of
> this vulnerability could be triggered via the parse function.
> 

+node-css-what (4.0.0-3+deb11u1) bullseye-security; urgency=medium

The distribution needs to simply be "bullseye" for a stable upload.

With that change, please go ahead.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#1033160: bullseye-pu: package flatpak/1.10.8-0+deb11u1
Next by Date: Processed: Re: Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3
Previous by thread: Bug#1033160: bullseye-pu: package flatpak/1.10.8-0+deb11u1
Next by thread: Processed: Re: Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3
Index(es):
- Date
- Thread