Control: notfound 927716 2.0.2-2

Hi Xavier,

On Fri, Apr 26, 2019 at 07:52:55PM +0200, Xavier wrote:
> On 26/04/2019 at 19:40, Xavier wrote:
> > [...]
> > Hello,
> >
> > The regex that causes CVE-2018-1109 was introduced in upstream version
> > 2.2.0, commit dcc1acab [1]. So node-braces in Buster does not seem to be
> > affected by this CVE.
> >
> > https://snyk.io/vuln/npm:braces:20180219 extract:
> >
> >> braces is a Bash-like brace expansion, implemented in JavaScript.
> >>
> >> Affected versions of this package are vulnerable to Regular Expression
> >> Denial of Service (ReDoS) attacks. It used a regular expression
> >> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detect empty
> >> braces. This can cause an impact of about 10 seconds matching time for
> >> data 50K characters long.
> >
> > [...]
> >
> > No regexp in 2.0.2 contains such an expression.
> >
> > Time to close this issue?
> >
> > Cheers,
> > Xavier
> >
> > [1]:
> > https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113
> > [2]:
> > https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451
>
> Confirmed by https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1109

Thanks for the thorough analysis of the issue! Agreed, then we can close the
bug report. I have updated the security-tracker accordingly in
https://salsa.debian.org/security-tracker-team/security-tracker/commit/02a96c8eab5fc8f7bb8ddcdfed28fb8cf3d03d4f .

Regards,
Salvatore
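As an added example (not part of the bug report or of the braces project), here is the kind of regression probe a package maintainer can run to confirm that a regex such as the one quoted above scales badly: it times the pattern against inputs of doubling length and flags superlinear growth. The pattern is copied verbatim from the Snyk extract; the input shape, the `probeScaling` / `isSuperlinear` helpers and the threshold are assumptions of this example.

```javascript
// Added example: maintainer-side timing probe for the CVE-2018-1109 regex.
// The pattern is the empty-braces detector quoted from the advisory above.
const EMPTY_BRACES_RE = /^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}/;

// Constructed probe input: an opening brace followed by n commas and no
// closing brace, so the engine tries every split between `,+` and `,*`
// before the match finally fails (quadratic work in n).
function adversarialInput(n) {
  return '{' + ','.repeat(n);
}

// Time a single regex.test() call; returns the result and elapsed ms.
function timeMatch(re, input) {
  const start = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - start };
}

// Run the regex on inputs of length base, 2*base, 4*base, ... (rounds
// entries) and return [{ n, matched, ms }] for inspection.
function probeScaling(re, base, rounds) {
  const results = [];
  for (let i = 0, n = base; i < rounds; i++, n *= 2) {
    const { matched, ms } = timeMatch(re, adversarialInput(n));
    results.push({ n, matched, ms });
  }
  return results;
}

// Linear cost roughly doubles per doubling of n; quadratic cost roughly
// quadruples. An average ratio above `threshold` (assumed 3) is flagged.
function isSuperlinear(results, threshold = 3) {
  const ratios = [];
  for (let i = 1; i < results.length; i++) {
    if (results[i - 1].ms > 0) ratios.push(results[i].ms / results[i - 1].ms);
  }
  if (ratios.length === 0) return false;
  return ratios.reduce((a, b) => a + b, 0) / ratios.length > threshold;
}

// Small demo run; keep n modest, the quoted 50K input takes ~10 s.
const demo = probeScaling(EMPTY_BRACES_RE, 1000, 3);
for (const r of demo) {
  console.log(`n=${r.n} matched=${r.matched} ${r.ms.toFixed(2)} ms`);
}
console.log('superlinear growth:', isSuperlinear(demo));
```

Sizes of 1000 to 4000 are enough to see the per-doubling ratio; the same probe run against the 2.0.2 sources would simply find no matching pattern to test, which is the check Xavier performed by inspection.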
On Fri, Apr 26, 2019 at 07:52:55PM +0200, Xavier wrote: > Le 26/04/2019 à 19:40, Xavier a écrit : > > [...] > > Hello, > > > > The regex that causes CVE-2018-1109 was introduced in upstream version > > 2.2.0, commit dcc1acab [1]. So Buster node-braces seems not concerned by > > this CVE. > > > > https://snyk.io/vuln/npm:braces:20180219 extract : > > > >> braces is a Bash-like brace expansion, implemented in JavaScript. > >> > >> Affected versions of this package are vulnerable to Regular Expression > >> Denial of Service (ReDoS) attacks. It used a regular expression > >> (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detects empty > >> braces. This can cause an impact of about 10 seconds matching time for > >> data 50K characters long. > > > > [...] > > > > No regexp in 2.0.2 contains such expression. > > > > Time to close this issue ? > > > > Cheers, > > Xavier > > > > [1]: > > https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113 > > [2]: > > https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451 > > Confirmed by https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1109 Thanks for the troughfully analysis of the issue! Agreed then we can close the bugreport. I have updated the security-tracker accordingly in https://salsa.debian.org/security-tracker-team/security-tracker/commit/02a96c8eab5fc8f7bb8ddcdfed28fb8cf3d03d4f . Regards, Salvatore