From nobody Sun Jun 21 11:27:05 2026
Received: (at 1139159-done) by bugs.debian.org; 21 Jun 2026 10:26:12 +0000
Return-path: <yadd@debian.org>
Received: from stravinsky.debian.org ([2001:41b8:202:deb::311:108]:51050)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from <yadd@debian.org>) id 1wbFNU-00CAET-0c
 for 1139159-done@bugs.debian.org; Sun, 21 Jun 2026 10:26:12 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=debian.org; 
 s=smtpauto.stravinsky;
 h=X-Debian-User:Content-Transfer-Encoding:Content-Type
 :In-Reply-To:From:References:To:Subject:MIME-Version:Date:Message-ID:Reply-To
 :Cc:Content-ID:Content-Description;
 bh=/tMo6sCPoqddEcJqyhepyrMcRWmzNcRcHYDoSSyN/Hg=; b=HDJpQhRmKk/joFkGPOf52zbs4Z
 oUIvRfxJ3jFJcTlWfrIXKAPqUA0s/lUiVDKYHYNsj2PqiAlNZUdRkBajqKzqDHneZZLUI+YJ4FXks
 HbmN1lukCN+3flX+qUKfBQrejuJJ3ZMaTeGOlBdHZdwFRPblxug74QTHYqSB86wvrO6o5ntnWht2V
 /j4JRiYCjIsnIuSLDQ/pmlBqovOILk0ueBqItQ1wfEwylNci8N3hhHczeor/XPOc5HuwyhfYa5U8F
 ZR9L0ib4fBm2zDM9Lt0XmXX1c3EuzuD4nDN+RKzViB/dH7iDIIZ3xafeNXqSX7XErEeCCilBPy9Mu
 lyk52VyQ==;
Received: from authenticated-user by stravinsky.debian.org with esmtpsa
 (TLS1.3:ECDHE_X25519__RSA_PSS_RSAE_SHA256__AES_128_GCM:128)
 (Exim 4.96) (envelope-from <yadd@debian.org>) id 1wbFNQ-0002LD-1a;
 Sun, 21 Jun 2026 10:26:10 +0000
Message-ID: <71977d3a-e061-47b4-a4d5-deb85094f32d@debian.org>
Date: Sun, 21 Jun 2026 12:26:07 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Subject: Re: [Pkg-javascript-devel] Bug#1139159: npm: CVE-2026-9496
To: Salvatore Bonaccorso <carnil@debian.org>, 1139159-done@bugs.debian.org
References: <178077118415.1053016.4106450183621804686.reportbug@eldamar.lan>
Content-Language: en-US
From: Xavier <yadd@debian.org>
In-Reply-To: <178077118415.1053016.4106450183621804686.reportbug@eldamar.lan>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Debian-User: yadd

Control: fixed -1 7.6.0+ds-1

On 06/06/2026 at 20:39, Salvatore Bonaccorso wrote:
&gt; Source: npm
&gt; Version: 11.16.0+ds2-1
&gt; Severity: important
&gt; Tags: security upstream
> X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
&gt; 
&gt; Hi,
&gt; 
&gt; The following vulnerability was published for npm.
&gt; 
&gt; CVE-2026-9496[0]:
&gt; | Versions of the package pacote from 11.2.7 are vulnerable to Denial
&gt; | of Service (DoS) via the addGitSha function. An attacker can exploit
&gt; | this vulnerability by supplying a specially crafted spec.rawSpec
&gt; | value that triggers the function’s regex replacement and string-
> | manipulation logic, causing excessive CPU consumption and
&gt; | potentially stalling or crashing the process.
&gt; 
&gt; pacote is embedded/provided via src:npm.
&gt; 
&gt; If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
&gt; 
&gt; For further information see:
&gt; 
&gt; [0] https://security-tracker.debian.org/tracker/CVE-2026-9496
&gt;      https://www.cve.org/CVERecord?id=CVE-2026-9496
&gt; [1] https://security.snyk.io/vuln/SNYK-JS-PACOTE-8225084
&gt; 
&gt; Please adjust the affected versions in the BTS as needed.
&gt; 
&gt; Regards,
&gt; Salvatore

Hi,

pacote reached version 11.2.7 in npm 7.6.0.

Best regards,
Xavier