Your message dated Sat, 10 Dec 2022 19:17:08 +0000
with message-id <e1p45lq-004rbb...@fasolo.debian.org>
and subject line Bug#1024736: fixed in node-xmldom 0.5.0-1+deb11u2
has caused the Debian Bug report #1024736,
regarding node-xmldom: CVE-2022-39353
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1024736: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1024736
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-xmldom
Version: 0.8.3-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/jindw/xmldom/issues/150
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-xmldom.
CVE-2022-39353[0]:
| xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core)
| `DOMParser` and `XMLSerializer` module. xmldom parses XML that is not
| well-formed because it contains multiple top level elements, and adds
| all root nodes to the `childNodes` collection of the `Document`,
| without reporting any error or throwing. This breaks the assumption
| that there is only a single root node in the tree, which led to
| issuance of CVE-2022-39299 as it is a potential issue for dependents.
| Update to @xmldom/xmldom@~0.7.7, @xmldom/xmldom@~0.8.4 (dist-tag
| latest) or @xmldom/xmldom@>=0.9.0-beta.4 (dist-tag next). As a
| workaround, please use one of the following approaches depending on your
| use case: instead of searching for elements in the whole DOM, only
| search in the `documentElement`, or reject a document with a document
| that has more than 1 `childNode`.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2022-39353
https://www.cve.org/CVERecord?id=CVE-2022-39353
[1] https://github.com/jindw/xmldom/issues/150
[2] https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
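The advisory quoted in the report above describes the failure mode (several top-level elements silently accepted, all of them ending up under the `Document`) and two workarounds. The block below is an added example written for this page; it is not code from the bug report, from Debian, or from xmldom. It implements the "reject a document with more than one root" workaround as a pre-parse guard that can sit in front of an unpatched xmldom: a small nesting-depth scanner (function names `countTopLevelElements`, `findTagEnd` and `assertSingleRoot`, and the two sample documents, are all constructed here) that skips the XML declaration, comments, processing instructions, CDATA and a simple DOCTYPE, and counts how many elements appear at depth 0. It assumes the input is otherwise well-formed XML; it is a guard, not a validating parser.

```javascript
// Added example for CVE-2022-39353 (not xmldom's own code): reject XML that
// has more than one top-level element before handing it to the parser.
// Assumption: the input is otherwise well-formed; only element nesting is
// tracked, and a DOCTYPE with an internal subset is not supported.

// Return the index of the '>' that closes the tag starting at `start`,
// ignoring any '>' that appears inside a quoted attribute value.
function findTagEnd(xml, start) {
  let quote = null;
  for (let j = start + 1; j < xml.length; j++) {
    const c = xml[j];
    if (quote) {
      if (c === quote) quote = null;
    } else if (c === '"' || c === "'") {
      quote = c;
    } else if (c === '>') {
      return j;
    }
  }
  throw new Error('unterminated tag');
}

// Count elements that open at nesting depth 0. Well-formed XML has exactly
// one; unpatched xmldom accepted two or more and appended all of them to
// Document.childNodes without reporting an error.
function countTopLevelElements(xml) {
  let depth = 0;
  let roots = 0;
  let i = 0;
  while (i < xml.length) {
    const lt = xml.indexOf('<', i);
    if (lt === -1) break;
    // Non-element markup: skip over it without touching the depth.
    if (xml.startsWith('<!--', lt)) {
      const end = xml.indexOf('-->', lt + 4);
      if (end === -1) throw new Error('unterminated comment');
      i = end + 3;
      continue;
    }
    if (xml.startsWith('<![CDATA[', lt)) {
      const end = xml.indexOf(']]>', lt + 9);
      if (end === -1) throw new Error('unterminated CDATA section');
      i = end + 3;
      continue;
    }
    if (xml.startsWith('<?', lt)) {
      const end = xml.indexOf('?>', lt + 2);
      if (end === -1) throw new Error('unterminated processing instruction');
      i = end + 2;
      continue;
    }
    if (xml.startsWith('<!', lt)) {
      // DOCTYPE without an internal subset.
      const end = xml.indexOf('>', lt);
      if (end === -1) throw new Error('unterminated declaration');
      i = end + 1;
      continue;
    }
    // Start tag, empty-element tag or end tag.
    const end = findTagEnd(xml, lt);
    const tag = xml.slice(lt, end + 1);
    if (tag.startsWith('</')) {
      depth -= 1;
      if (depth < 0) throw new Error('end tag without matching start tag');
    } else {
      if (depth === 0) roots += 1;
      if (!tag.endsWith('/>')) depth += 1;
    }
    i = end + 1;
  }
  if (depth !== 0) throw new Error('unclosed element');
  return roots;
}

// Guard to call before DOMParser.parseFromString(): returns the input
// unchanged when it has exactly one root, throws otherwise.
function assertSingleRoot(xml) {
  const roots = countTopLevelElements(xml);
  if (roots !== 1) {
    throw new Error(`rejecting XML with ${roots} top-level elements, expected exactly 1`);
  }
  return xml;
}

// Constructed sample inputs (not taken from any real exchange).
const GOOD = '<?xml version="1.0"?><!-- ok --><Response><Assertion id="a1"/></Response>';
const MULTI_ROOT = '<Response><Assertion id="a1"/></Response><Response><Assertion id="a2"/></Response>';

console.log('GOOD roots:', countTopLevelElements(GOOD));             // 1
console.log('MULTI_ROOT roots:', countTopLevelElements(MULTI_ROOT)); // 2
```

The scanner counts elements rather than `childNodes`, so a leading comment or processing instruction (legitimate siblings of the root in a `Document`) does not cause a false rejection, whereas the advisory's literal "more than 1 `childNode`" check would need to skip those node types. The advisory's other workaround applies to code that already holds a parsed `Document`: call `getElementsByTagName` on `documentElement` instead of on the document, so that a lookup cannot return an element from a second root.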
--- Begin Message ---
Source: node-xmldom
Source-Version: 0.5.0-1+deb11u2
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-xmldom, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1024...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-xmldom package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 24 Nov 2022 09:22:10 +0100
Source: node-xmldom
Architecture: source
Version: 0.5.0-1+deb11u2
Distribution: bullseye
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1024736
Changes:
node-xmldom (0.5.0-1+deb11u2) bullseye; urgency=medium
.
* Team upload
* Prevent inserting DOM nodes when they are not well-formed
(Closes: #1024736, CVE-2022-39353)
Checksums-Sha1:
d4f586e86fbc59bc7e7d860d8f5fd7b3261779c7 2054 node-xmldom_0.5.0-1+deb11u2.dsc
c455af80b895d0a79b3eb62273304fa803e6a840 6124 node-xmldom_0.5.0-1+deb11u2.debian.tar.xz
Checksums-Sha256:
ac998862275d0869e8b1b374df78aebf92b606fe3e5fa0c9d00423ed8bad071f 2054 node-xmldom_0.5.0-1+deb11u2.dsc
0e17fadfe1e3c2e8a39577067d4ba698e889c0887bcf613f18cd603b8707dec3 6124 node-xmldom_0.5.0-1+deb11u2.debian.tar.xz
Files:
e71b01da634fa7b1eb3efc5f157e1b26 2054 javascript optional node-xmldom_0.5.0-1+deb11u2.dsc
df022f1c612ce445480436c375a37586 6124 javascript optional node-xmldom_0.5.0-1+deb11u2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel