Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Control: severity 1032904 serious
Hi Yadd,
On Wed, Mar 15, 2023 at 09:11:46PM +0100, Paul Gevers wrote:
> Control: tags -1 moreinfo
>
> Hi Yadd,
>
> On 15-03-2023 13:38, Yadd wrote:
> > [ Reason ]
> > node-webpack is vulnerable to cross-realm object access
> > (#1032904, CVE-2023-28154).
>
> This doesn't look like a targeted fix, but rather seems to include much
> more.
>
> How about reverting and providing a fix only for that CVE please?
Have you seen Paul's comment/question above? We now have a somewhat
unfortunate situation: the CVE is fixed in unstable, and it is
fixed with the last point release in bullseye as well. But it is still
open in bookworm.

For this reason I will bump the severity of #1032904 to RC, as it is a
regression in this regard.

Regards,
Salvatore