Your message dated Wed, 29 May 2024 08:35:22 +0000
with message-id <e1scemi-00ff4e...@fasolo.debian.org>
and subject line Bug#1071631: fixed in node-micromatch 4.0.7+~4.0.7-1
has caused the Debian Bug report #1071631,
regarding node-micromatch: CVE-2024-4067
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1071631: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071631
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-micromatch
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-micromatch.
CVE-2024-4067[0]:
| The NPM package `micromatch` is vulnerable to Regular Expression
| Denial of Service (ReDoS). The vulnerability occurs in
| `micromatch.braces()` in `index.js` because the pattern `.*` will
| greedily match anything. By passing a malicious payload, the pattern
| matching will keep backtracking to the input while it doesn't find
| the closing bracket. As the input size increases, the consumption
| time will also increase until it causes the application to hang or
| slow down. There was a merged fix but further testing shows the
| issue persists. This issue should be mitigated by using a safe
| pattern that won't start backtracking the regular expression due to
| greedy matching.
https://github.com/micromatch/micromatch/issues/243
https://github.com/micromatch/micromatch/pull/247
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-4067
https://www.cve.org/CVERecord?id=CVE-2024-4067
Please adjust the affected versions in the BTS as needed.
--- End Message ---
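As an added illustration of the pattern class the CVE text above describes (constructed for this note; it is not micromatch's source and not the fix from PR #247), the following shows a greedy `.*` brace matcher beside a linear index scan that returns the same result, plus a small timing report so the two can be compared on unterminated input. The `s` flag on the regex is an assumption made only so both functions agree on multi-line input.

```javascript
// Constructed stand-in for the vulnerability class in CVE-2024-4067.
// NOT micromatch's code or its fix: an illustrative brace matcher that shows
// why a greedy `.*` backtracks on unterminated input, next to a linear scan.

// Greedy form: `.*` swallows the rest of the input, then gives back one
// character at a time looking for `}`. With no `}` present the engine repeats
// that from every later `{`, so the work grows quadratically with length.
// The `s` flag lets `.` match newlines so both functions agree on any input.
const GREEDY_BRACE = /\{(.*)\}/s;

function extractGreedy(input) {
  const m = GREEDY_BRACE.exec(input);
  return m ? m[1] : null;
}

// Linear scan with identical semantics: the regex matches from the first `{`
// to the LAST `}` (greedy), so two index lookups reproduce it in O(n),
// however many `{` characters the input contains.
function extractScan(input) {
  const open = input.indexOf('{');
  if (open === -1) return null;
  const close = input.lastIndexOf('}');
  if (close <= open) return null; // missing or misplaced closing brace
  return input.slice(open + 1, close);
}

// Wall-clock cost of one call, in milliseconds.
function timeMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Constructed worst-case input: many `{`, no `}`.
function unterminated(n) {
  return '{'.repeat(n);
}

// Report how each implementation scales with input length.
function scalingReport(sizes) {
  return sizes.map((n) => {
    const input = unterminated(n);
    return { n, greedyMs: timeMs(extractGreedy, input), scanMs: timeMs(extractScan, input) };
  });
}

console.table(scalingReport([500, 2000, 8000]));
```

Doubling `n` roughly quadruples `greedyMs` while `scanMs` stays flat, which is the shape of the "consumption time will also increase" behaviour the report describes.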
--- Begin Message ---
Source: node-micromatch
Source-Version: 4.0.7+~4.0.7-1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-micromatch, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-micromatch package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 29 May 2024 11:46:27 +0400
Source: node-micromatch
Architecture: source
Version: 4.0.7+~4.0.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1071631
Changes:
node-micromatch (4.0.7+~4.0.7-1) unstable; urgency=medium
.
* Team upload
* Update lintian override info format in d/source/lintian-overrides
on line 2-5
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse
* Declare compliance with policy 4.7.0
* New upstream version 4.0.7+~4.0.7
* Fix ReDoS (Closes: #1071631, CVE-2024-4067)
--- End Message ---