Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
Control: tags -1 + confirmed
On Thu, 2024-12-26 at 21:38 +0000, Bastien Roucariès wrote:
> Fix CVE-2023-44270 (Closes: #1053282)
> The vulnerability affects linters
> using PostCSS to parse external untrusted CSS.
> An attacker can prepare CSS in such a way that it will
> contain parts parsed by PostCSS as a CSS comment.
> After processing by PostCSS, it will be included in
> the PostCSS output in CSS nodes (rules, properties)
> despite being included in a comment.
> * Fix CVE-2024-55565:
> nanoid (aka Nano ID) a subcomponent of this package
> mishandles non-integer values that could lead to DoS
> by infinite loop.
Please go ahead.
Regards,
Adam