[Pkg-javascript-devel] Bug#987792: Bug#987792: node-browserslist: CVE-2021-23364
Yadd
yadd at debian.org
Thu Apr 29 19:45:08 BST 2021
Control fixed -1 4.16.3+~cs5.4.72-2
On 29/04/2021 at 20:38, Salvatore Bonaccorso wrote:
> Source: node-browserslist
> Version: 4.16.3+~cs5.4.72-1
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
>
> Hi,
>
> The following vulnerability was published for node-browserslist.
>
> CVE-2021-23364[0]:
> | The package browserslist from 4.0.0 and before 4.16.5 are vulnerable
> | to Regular Expression Denial of Service (ReDoS) during parsing of
> | queries.
>
> The patch will probably not cleanly apply, but according to the
> available information at least 4.0.0 onwards until 4.16.5 are
> affected. Not sure if earlier versions were just not checked or if they
> are confirmed to be not affected.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2021-23364
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23364
> [1] https://github.com/browserslist/browserslist/commit/c091916910dfe0b5fd61caad96083c6709b02d98
> [2] https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194
> [3] https://github.com/browserslist/browserslist/pull/593
>
> Please adjust the affected versions in the BTS as needed.
>
> Regards,
> Salvatore
Already pushed ;-)