Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
Hi Bastian,
Just a small remark below:
On Thu, Dec 26, 2024 at 09:38:26PM +0000, Bastien Roucariès wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: node-postcss@packages.debian.org
> Control: affects -1 + src:node-postcss
> User: release.debian.org@packages.debian.org
> Usertags: pu
>
>
> [ Reason ]
> Fix CVE-2023-44270 (Closes: #1053282)
> The vulnerability affects linters
> using PostCSS to parse external untrusted CSS.
> An attacker can prepare CSS in such a way that it will
> contain parts parsed by PostCSS as a CSS comment.
> After processing by PostCSS, it will be included in
> the PostCSS output in CSS nodes (rules, properties)
> despite being included in a comment.
> * Fix CVE-2024-55565:
> nanoid (aka Nano ID) a subcomponent of this package
> mishandles non-integer values that could lead to DoS
> by infinite loop.
>
> [ Impact ]
> Security bug opened
>
> [ Tests ]
> Testsuite run
>
> [ Risks ]
> low, code is pretty straightforward
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> see above
>
> [ Other info ]
> Team upload
> diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
> --- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
> +++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
> @@ -1,3 +1,21 @@
> +node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium
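Review bot: the distribution field of the new changelog stanza reads `bookworm-security`, which is the wrong target for a stable point-release (pu) upload; it should read `bookworm` so the package enters the proposed-updates queue rather than being bounced. Note also that only the first of the 18 added lines announced by the `@@ -1,3 +1,21 @@` header is quoted here, so the changelog entries for CVE-2023-44270 (#1053282) and CVE-2024-55565 cannot be checked against the "all changes are documented in the d/changelog" checklist item from this hunk alone.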
This should actually target bookworm, not bookworm-security for the
point release update.
Regards,
Salvatore