Your message dated Wed, 13 Jul 2022 19:20:22 +0000
with message-id <e1obhui-000ike...@fasolo.debian.org>
and subject line Bug#1014845: fixed in node-moment 2.29.4+ds-1
has caused the Debian Bug report #1014845,
regarding node-moment: CVE-2022-31129
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1014845: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1014845
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-moment
Version: 2.29.3+ds-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-moment.

CVE-2022-31129[0]:
| moment is a JavaScript date library for parsing, validating,
| manipulating, and formatting dates. Affected versions of moment were
| found to use an inefficient parsing algorithm. Specifically using
| string-to-date parsing in moment (more specifically rfc2822 parsing,
| which is tried by default) has quadratic (N^2) complexity on specific
| inputs. Users may notice a noticeable slowdown is observed with inputs
| above 10k characters. Users who pass user-provided strings without
| sanity length checks to moment constructor are vulnerable to (Re)DoS
| attacks. The problem is patched in 2.29.4, the patch can be applied to
| all affected versions with minimal tweaking. Users are advised to
| upgrade. Users unable to upgrade should consider limiting date lengths
| accepted from user input.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-31129
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31129
[1] https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
[2] https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
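The input-length limit the advisory recommends for users who cannot upgrade, shown as an added example that is not part of the bug report or of the moment project. `parseDateSafe`, the 64-character budget and the counting stand-in parser are assumptions for illustration; in real code `moment` itself would be passed as `parse`.

```javascript
// Assumed budget (not from the advisory): 64 characters comfortably holds any
// RFC 2822 or ISO 8601 date and stays far below the >10k range the CVE names.
const MAX_DATE_INPUT_LENGTH = 64;

// Vulnerable pattern described in the advisory: an unbounded user string goes
// straight into the moment constructor, which tries rfc2822 parsing by default.
function parseDateUnsafe(parse, input) {
  return parse(input);
}

// Hardened form: reject non-strings and oversized input *before* the parser
// sees them. Returns { ok: true, value } or { ok: false, reason }.
function parseDateSafe(parse, input, maxLen = MAX_DATE_INPUT_LENGTH) {
  if (typeof input !== 'string') {
    return { ok: false, reason: 'not a string' };
  }
  if (input.length > maxLen) {
    return { ok: false, reason: `input exceeds ${maxLen} characters` };
  }
  const value = parse(input);
  return value.isValid()
    ? { ok: true, value }
    : { ok: false, reason: 'unparseable date' };
}

// Constructed stand-in for moment(): records how often it was invoked and how
// many characters it had to process, so the guard's effect can be observed.
function makeCountingParser() {
  const stats = { calls: 0, chars: 0 };
  const parse = (s) => {
    stats.calls += 1;
    stats.chars += s.length;
    return { isValid: () => /^\d{4}-\d{2}-\d{2}$/.test(s), text: s };
  };
  return { parse, stats };
}

// Constructed hostile input: 20,000 characters, beyond the range where the
// advisory says the quadratic rfc2822 path becomes noticeable.
const HOSTILE_INPUT = 'x'.repeat(20000);

// Stand-alone demonstration.
const demo = makeCountingParser();
console.log(parseDateSafe(demo.parse, HOSTILE_INPUT).reason, demo.stats);
```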
--- Begin Message ---
Source: node-moment
Source-Version: 2.29.4+ds-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-moment, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-moment package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Wed, 13 Jul 2022 21:02:55 +0200
Source: node-moment
Built-For-Profiles: nocheck
Architecture: source
Version: 2.29.4+ds-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1014845
Changes:
 node-moment (2.29.4+ds-1) unstable; urgency=medium
 .
   * Team upload
   * Exclude more files from import
   * Declare compliance with policy 4.6.1
   * New upstream version 2.29.4 (Closes: #1014845, CVE-2022-31129)
   * Add lintian overrides


--- End Message ---
