[Git][security-tracker-team/security-tracker][master] CVE-2023-28154 is not present in webpack3

Bastien Roucariès (@rouca) rouca at debian.org
Thu Jan 4 23:13:56 GMT 2024 


Bastien Roucariès pushed to branch master at Debian Security Tracker / security-tracker


Commits:
c96e2f59 by Bastien Roucariès at 2024-01-04T23:07:26+00:00
CVE-2023-28154 is not present in webpack3

Magic comment are not interpreted by vm.runInNewContext(`(function(){return {${value}};})()`); and use json.parse that is safe

- - - - -


2 changed files:

- data/CVE/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -45603,7 +45603,7 @@ CVE-2023-28154 (Webpack 5 before 5.76.0 does not avoid cross-realm object access
 	- node-webpack 5.76.1+dfsg1+~cs17.16.16-1 (bug #1032904)
 	[bookworm] - node-webpack 5.75.0+dfsg+~cs17.16.14-1+deb12u1
 	[bullseye] - node-webpack 4.43.0-6+deb11u1
-	[buster] - node-webpack <no-dsa> (Minor issue)
+	[buster] - node-webpack <not-affected> (vulnerable code vm.runInNewContext(`(function(){return {${value}};})()`); is not present. Introduced latter)
 	NOTE: https://github.com/webpack/webpack/pull/16500
 	NOTE: Merge commit: https://github.com/webpack/webpack/commit/4b4ca3bb53f36a5b8fc6bc1bd976ed7af161bd80 (v5.76.0)
 CVE-2023-1363 (A vulnerability, which was classified as problematic, was found in Sou ...)


=====================================
data/dla-needed.txt
=====================================
@@ -146,10 +146,6 @@ linux-5.10
 mariadb-10.3
   NOTE: 20231129: Added by Front-Desk (Beuc)
 --
-node-webpack
-  NOTE: 20231005: Added by Front-Desk (Beuc)
-  NOTE: 20231005: Follow fixes from bullseye 11.7 (1 CVE) (Beuc/front-desk)
---
 nova
   NOTE: 20230302: Re-add, request by maintainer (Beuc)
   NOTE: 20230302: zigo says that DLA 3302-1 ships a buster-specific CVE-2022-47951 backport that introduces regression



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96e2f599fd0e3ef214e427c84232e0b8ce65d5a

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/c96e2f599fd0e3ef214e427c84232e0b8ce65d5a
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240104/d776c309/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list