[Pkg-javascript-devel] Bug#963764: node-node-sass: uses embedded old security-buggy libsass

Jonas Smedegaard dr at jones.dk
Fri Jun 26 18:14:42 BST 2020


Package: node-node-sass
Version: 4.13.1-2
Severity: serious
Tags: security


node-node-sass ships with an old release of libsass.

Since Debian release 4.13.1-2 this is explicitly used
(uncertain if previously it might also accidentally have been used).

Libsass has a series of known security flaws:
https://security-tracker.debian.org/tracker/source-package/libsass

The Debian package libsass is itself badly maintained regarding these
security issues, but at least it is kept up-to-date with upstream,
meaning that _maybe_ they fixed all the issues:
https://bugs.debian.org/921952

Knowingly using older releases of libsass is unacceptable, and should
not be included in a stable release of Debian.


 - Jonas

