On 18/10/2022 13:10, Emilio Pozuelo Monfort wrote:
On 18/10/2022 10:23, Yadd wrote:
On 18/10/2022 09:28, Emilio Pozuelo Monfort wrote:
Hi Yadd,
On 12/10/2022 18:38, Salvatore Bonaccorso wrote:
+node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium
+
+ * Team upload
+ * Fix prototype pollution (Closes: #1021618, CVE-2022-37616)
+
+ -- Yadd <y...@debian.org> Wed, 12 Oct 2022 10:07:56 +0200
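Review bot: the distribution field on the first line of the entry reads `buster`, but this upload is being requested for security-master targeting buster-security (asked for twice downthread); security-master rejects uploads whose changelog targets plain `buster`, which would explain the rejected push, so the line should read `+node-xmldom (0.1.27+ds-1+deb10u1) buster-security; urgency=medium`. If the CVE-2021-21366 fix is folded into the same upload, list that CVE in this entry as well so the security tracker can pick it up.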
Thanks for preparing this. I wonder if a fix for CVE-2021-21366 can
be applied while we're at it, if it's not too intrusive/risky?
Can you upload this (with or without the extra fix depending on your
judgement) to security-master targeting buster-security? I can take
care of the paperwork after that.
Cheers,
Emilio
Hi,
No risk here, the patch is trivial and just avoids prototype pollution.
I meant [1], which is different than CVE-2022-37616. There's an
additional issue, [2], but that may be unsuitable for buster (it's
triaged as too intrusive).
[1] https://security-tracker.debian.org/tracker/CVE-2021-21366
[2] https://security-tracker.debian.org/tracker/CVE-2021-32796
I just pushed it to security-master.
I don't see any upload yet. Did you target buster-security?
Cheers,
Emilio
Hi,
Sorry, the push was rejected. I just reuploaded it.
Cheers,
Yadd