Bug#1032299: bullseye-pu: package node-css-what/4.0.0-3
Control: tags -1 + confirmed
On Fri, 2023-03-03 at 08:57 +0000, Bastien Roucariès wrote:
> CVE-2022-21222/CVE-2021-33587 The package css-what before 2.1.3 is
> vulnerable to Regular Expression Denial of Service (ReDoS) due to the
> usage of an insecure regular expression in the re_attr variable of
> index.js. The exploitation of this vulnerability could be triggered
> via the parse function.
>
+node-css-what (4.0.0-3+deb11u1) bullseye-security; urgency=medium
The distribution needs to simply be "bullseye" for a stable upload.
With that change, please go ahead.
Regards,
Adam