On 4/29/23 16:00, Salvatore Bonaccorso wrote:
> Control: severity 1032904 serious
>
> Hi Yadd,
>
> On Wed, Mar 15, 2023 at 09:11:46PM +0100, Paul Gevers wrote:
>> Control: tags -1 moreinfo
>>
>> Hi Yadd,
>>
>> On 15-03-2023 13:38, Yadd wrote:
>>> [ Reason ]
>>> node-webpack is vulnerable to cross-realm object access
>>> (#1032904, CVE-2023-28154).
>>
>> This doesn't look like a targeted fix, but rather seems to include much
>> more.
>>
>> How about reverting and providing a fix only for that CVE please?
>
> Have you seen Paul's comment/question above? We now have a somewhat
> unfortunate situation: the CVE is fixed in unstable, and it is
> fixed with the last point release as well in bullseye. But it is still
> open in bookworm.
>
> I will bump for this reason the severity of #1032904 to RC as it is a
> regression in this regard.
>
> Regards,
> Salvatore

Hi,

Extracting only the CVE patch means:
* keep some (unimportant) bugs in Bullseye
* publish such a version number:
5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1