[Pkg-javascript-devel] Bug#1091460: bookworm-pu: package node-postcss/8.4.20+~cs8.0.23-1+deb12u1

Bastien Roucariès rouca at debian.org
Thu Dec 26 21:38:26 GMT 2024


Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-postcss at packages.debian.org
Control: affects -1 + src:node-postcss
User: release.debian.org at packages.debian.org
Usertags: pu


[ Reason ]
* Fix CVE-2023-44270 (Closes: #1053282)
    The vulnerability affects linters
    using PostCSS to parse external untrusted CSS.
    An attacker can prepare CSS in such a way that it will
    contain parts parsed by PostCSS as a CSS comment.
    After processing by PostCSS, it will be included in
    the PostCSS output in CSS nodes (rules, properties)
    despite being included in a comment.
* Fix CVE-2024-55565:
    nanoid (aka Nano ID), a subcomponent of this package,
    mishandles non-integer values, which could lead to DoS
    by infinite loop.

[ Impact ]
Security bug opened

[ Tests ]
Testsuite run

[ Risks ]
low, the code is pretty straightforward

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
see above

[ Other info ]
Team upload