
Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1



Control: tags -1 + confirmed

On Thu, 2024-12-26 at 21:38 +0000, Bastien Roucariès wrote:
> Fix CVE-2023-44270 (Closes: #1053282)
>     The vulnerability affects linters
>     using PostCSS to parse external untrusted CSS.
>     An attacker can prepare CSS in such a way that it will
>     contain parts parsed by PostCSS as a CSS comment.
>     After processing by PostCSS, it will be included in
>     the PostCSS output in CSS nodes (rules, properties)
>     despite being included in a comment.
> * Fix CVE-2024-55565:
>     nanoid (aka Nano ID), a subcomponent of this package,
>     mishandles non-integer values that could lead to DoS
>     by infinite loop.

Please go ahead.

Regards,

Adam

