Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1

To: Bastien Roucariès <rouca@debian.org>, 1091460@bugs.debian.org
Subject: Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Thu, 02 Jan 2025 20:43:30 +0000
Message-id: <[🔎] 9d74d7112342421a82f24e3d75b3722fc53986b6.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 1091460@bugs.debian.org
In-reply-to: <2994493.Tc5OWPbECp@portable-bastien>
References: <2994493.Tc5OWPbECp@portable-bastien> <2994493.Tc5OWPbECp@portable-bastien>

Control: tags -1 + confirmed

On Thu, 2024-12-26 at 21:38 +0000, Bastien Roucariès wrote:
> Fix CVE-2023-44270 (Closes: #1053282)
>     The vulnerability affects linters
>     using PostCSS to parse external untrusted CSS.
>     An attacker can prepare CSS in such a way that it will
>     contains parts parsed by PostCSS as a CSS comment.
>     After processing by PostCSS, it will be included in
>     the PostCSS output in CSS nodes (rules, properties)
>     despite being included in a comment.
> * Fix CVE-2024-55565:
>     nanoid (aka Nano ID) a subcomponent of this package
>     mishandles non-integer values that could lead to DoS
>     by infinite loop.

Please go ahead.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#1091207: bookworm-pu: package opensc/0.23.0-0.3+deb12u2
Next by Date: Processed: Re: Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
Previous by thread: Processed: Re: Bug#1091207: bookworm-pu: package opensc/0.23.0-0.3+deb12u2
Next by thread: Processed: Re: Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1
Index(es):
- Date
- Thread