• bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1

    From Bastien Roucariès@21:1/5 to Debian Bug Tracking System on Thu Dec 26 21:38:11 2024
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: node-postcss@packages.debian.org
    Control: affects -1 + src:node-postcss
    User: release.debian.org@packages.debian.org
    Usertags: pu


    [ Reason ]
    Fix CVE-2023-44270 (Closes: #1053282)
    The vulnerability affects linters
    using PostCSS to parse external untrusted CSS.
    An attacker can prepare CSS in such a way that it will
    contain parts parsed by PostCSS as a CSS comment.
    After processing by PostCSS, it will be included in
    the PostCSS output in CSS nodes (rules, properties)
    despite being included in a comment.
    * Fix CVE-2024-55565:
    nanoid (aka Nano ID), a subcomponent of this package,
    mishandles non-integer values, which could lead to DoS
    by infinite loop.

    [ Impact ]
    Security bug opened

    [ Tests ]
    Testsuite run

    [ Risks ]
    Low, the code is pretty straightforward.

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    see above

    [ Other info ]
    Team upload

    Attachment: deb12u1.debdiff (text/x-patch)

    diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
    --- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
    +++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
    @@ -1,3 +1,21 @@
    +node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium
    +
    + * Team upload
    + * Fix CVE-2023-44270 (Closes: #1053282)
    + The vulnerability affects linters
    + using PostCSS to parse external untrusted CSS.
    + An attacker can prepare CSS in such a way that it will
    + contains parts parsed by PostCSS as a CSS comment.
    + After processing by PostCSS, it will be included in
    + the PostCSS output in CSS nodes (rules, properties)
    + despite being included in a comment.
    + * Fix CVE-2024-55565:
    + nanoid (aka Nano ID) a subcomponent of this package
    + mishandles non-integer values that could lead to DoS
    + by infinite loop.
    +
    + -- Bastien Roucariès <rouca@debian.org> Thu, 26 Dec 2024 21:13:18 +0000
    +
    node-postcss (8.4.20+~cs8.0.23-1) unstable; urgency=medium
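Review bot: the distribution on the first `+` line of the new changelog entry, `bookworm-security; urgency=medium`, does not match the request it accompanies: this bug is filed against release.debian.org with `Usertags: pu` and `Tags: bookworm`, i.e. a stable proposed-update, not a DSA through the security team, and the release team expects a pu upload to target `bookworm`; please regenerate the entry (and the debdiff) with `bookworm` before uploading. Only the debian/changelog hunk of the debdiff is visible here, so the hunks that actually patch the PostCSS comment parsing and the nanoid size handling cannot be checked from this excerpt; the `[ Changes ]` section says only "see above", so a sentence naming which upstream commits were backported for each CVE would help the reviewer. Minor: `it will contains` in the CVE-2023-44270 bullet should read `it will contain`.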