On Sat, Nov 02, 2024 at 07:20:27AM +0100, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: node-dompur...@packages.debian.org, y...@debian.org
> Control: affects -1 + src:node-dompurify
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> node-dompurify is vulnerable to prototype pollutions.
>
> Note that CVE-2024-45801 came with the previous security fix pushed to
> Bookworm via security update (regression).
For SRM, it is correct that the one CVE was introduced due to an incomplete fix in the last DSA, but we agreed with Yadd that it might be best to include the update together with other updates in the upcoming point release (rather than an out-of-band DSA, as the issues are minor).

So this is just for context in case you wonder about the special tracking of CVE-2024-45801. The tracker shows it as not affected, as indeed initially we had no Debian version vulnerable to this; it was only introduced with the last DSA in bookworm. We will make sure to later note the fix for CVE-2024-45801 in bookworm.

Regards,
Salvatore