Hi Bastien,

Just a small remark below:

On Thu, Dec 26, 2024 at 09:38:26PM +0000, Bastien Roucariès wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: node-post...@packages.debian.org
> Control: affects -1 + src:node-postcss
> User: release.debian....@packages.debian.org
> Usertags: pu
>
>
> [ Reason ]
> Fix CVE-2023-44270 (Closes: #1053282)
> The vulnerability affects linters
> using PostCSS to parse external untrusted CSS.
> An attacker can prepare CSS in such a way that it will
> contain parts parsed by PostCSS as a CSS comment.
> After processing by PostCSS, it will be included in
> the PostCSS output in CSS nodes (rules, properties)
> despite being included in a comment.
> * Fix CVE-2024-55565:
> nanoid (aka Nano ID), a subcomponent of this package,
> mishandles non-integer values that could lead to DoS
> by infinite loop.
>
> [ Impact ]
> Security bug opened
>
> [ Tests ]
> Testsuite run
>
> [ Risks ]
> low, code is pretty straightforward
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> see above
>
> [ Other info ]
> Team upload
> diff -Nru node-postcss-8.4.20+~cs8.0.23/debian/changelog node-postcss-8.4.20+~cs8.0.23/debian/changelog
> --- node-postcss-8.4.20+~cs8.0.23/debian/changelog 2022-12-12 16:48:49.000000000 +0000
> +++ node-postcss-8.4.20+~cs8.0.23/debian/changelog 2024-12-26 21:13:18.000000000 +0000
> @@ -1,3 +1,21 @@
> +node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium

This should actually target bookworm, not bookworm-security, for the point release update.

Regards,
Salvatore
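Review bot: the distribution in the new changelog stanza, `+node-postcss (8.4.20+~cs8.0.23-1+deb12u1) bookworm-security; urgency=medium`, does not match the request, which is filed with `Usertags: pu` and `Tags: bookworm`; a proposed-update through the release team targets `bookworm`, so the suite on that line should be changed before upload. Also, the hunk header `@@ -1,3 +1,21 @@` announces 18 added lines but only the first is quoted, so the changelog entries documenting the CVE-2023-44270 and CVE-2024-55565 fixes cannot be checked against the [ Reason ] section from what is shown here.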