Your message dated Wed, 24 Mar 2021 19:33:31 +0000
with message-id <e1lp9fz-0008rz...@fasolo.debian.org>
and subject line Bug#985841: fixed in node-ssri 8.0.1-1
has caused the Debian Bug report #985841,
regarding node-ssri: CVE-2021-27290
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
985841: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985841
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-ssri
Version: 8.0.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-ssri.
CVE-2021-27290[0]:
| ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular
| expression which is vulnerable to a denial of service. Malicious SRIs
| could take an extremely long time to process, leading to denial of
| service. This issue only affects consumers using the strict option.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2021-27290
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
[1] https://github.com/npm/ssri/commit/76e223317d971
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-ssri
Source-Version: 8.0.1-1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-ssri, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 985...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-ssri package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 24 Mar 2021 20:09:55 +0100
Source: node-ssri
Architecture: source
Version: 8.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 985841
Changes:
node-ssri (8.0.1-1) unstable; urgency=medium
.
* Team upload
* Bump debhelper compatibility level to 13
* Declare compliance with policy 4.5.1
* Modernize debian/watch
* Add ctype=nodejs to component(s)
* Use dh-sequence-nodejs
* Fix GitHub tags regex
* New upstream version 8.0.1 (Closes: #985841, CVE-2021-27290)
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel