[Git][security-tracker-team/security-tracker][master] 2 commits: Claim node-css-what in dla-needed.txt

Bastien Roucariès (@rouca) rouca at debian.org
Tue Feb 28 22:00:44 GMT 2023 


Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
debca3df by Bastien Roucariès at 2023-02-28T21:59:58+00:00
Claim node-css-what in dla-needed.txt

- - - - -
6eaf207d by Bastien Roucariès at 2023-02-28T22:00:04+00:00
Mark CVE-2022-21222 as unfixed until node-css-what 5.0.1

Typescript rewrite does not fix the ReDoS see for instance https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84

Only fixed by https://github.com/fb55/css-what/pull/503 by replacing regexp by manual parsing

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -81497,9 +81497,11 @@ CVE-2022-21227 (The package sqlite3 before 5.0.3 are vulnerable to Denial of Ser
 CVE-2022-21223 (The package cocoapods-downloader before 1.6.2 are vulnerable to Comman ...)
 	NOT-FOR-US: cocoapods-downloader
 CVE-2022-21222 (The package css-what before 2.1.3 are vulnerable to Regular Expression ...)
-	- node-css-what 3.0.2-1
+	- node-css-what 5.0.1
 	NOTE: https://security.snyk.io/vuln/SNYK-JS-CSSWHAT-3035488
 	NOTE: ReDoS issue fixed with rewrite of module to TypeScript
+	NOTE: Not fixed in 4.0.0 see https://sources.debian.org/src/node-css-what/4.0.0-3/src/parse.ts/#L84
+	NOTE: Fixed by https://github.com/fb55/css-what/pull/503/commits/46b0dbd6f38fb375da02208426f93f87f7169b7e
 CVE-2022-21221 (The package github.com/valyala/fasthttp before 1.34.0 are vulnerable t ...)
 	NOT-FOR-US: github.com/valyala/fasthttp
 CVE-2022-21213 (This affects all versions of package mout. The deepFillIn function can ...)


=====================================
data/dla-needed.txt
=====================================
@@ -150,7 +150,7 @@ nheko
   NOTE: 20230101: Programming language: C++.
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/nheko.git
 --
-node-css-what
+node-css-what (rouca)
   NOTE: 20221031: Programming language: Javascript.
   NOTE: 20230130: Module has been rewritten in Typescript since Buster released (guilhem).
   NOTE: 20230206: VCS: https://salsa.debian.org/lts-team/packages/node-css-what.git



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/603c96f710ad779e20b168835b1a5554f9c4fb6e...6eaf207d1d0bb4edd1aa73a578994cae822c8e5b

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/603c96f710ad779e20b168835b1a5554f9c4fb6e...6eaf207d1d0bb4edd1aa73a578994cae822c8e5b
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20230228/4ef3ee62/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list