[Pkg-javascript-devel] Bug#987792: node-browserslist: CVE-2021-23364

Salvatore Bonaccorso carnil at debian.org
Thu Apr 29 19:38:04 BST 2021


Source: node-browserslist
Version: 4.16.3+~cs5.4.72-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for node-browserslist.

CVE-2021-23364[0]:
| The package browserslist from 4.0.0 and before 4.16.5 are vulnerable
| to Regular Expression Denial of Service (ReDoS) during parsing of
| queries.

The patch will probably not cleanly apply, but according to the
available information at least 4.0.0 onwards until 4.16.5 are
affected. Not sure if earlier versions were just not checked or if they
are confirmed to be not affected.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-23364
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
[1] https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
[2] https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
[3] https://github.com/browserslist/browserslist/pull/593

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
