Your message dated Sat, 17 Aug 2024 15:18:54 +0000
with message-id <e1sflcg-009vbv...@fasolo.debian.org>
and subject line Bug#1078880: fixed in gettext.js 0.7.0-4
has caused the Debian Bug report #1078880,
regarding gettext.js: CVE-2024-43370
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1078880: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078880
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gettext.js
Version: 0.7.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for gettext.js.

CVE-2024-43370[0]:
| gettext.js is a GNU gettext port for node and the browser. There is
| a cross-site scripting (XSS) injection if `.po` dictionary
| definition files are corrupted. This vulnerability has been patched
| in version 2.0.3. As a workaround, control the origin of the
| definition catalog to prevent the use of this flaw in the definition
| of plural forms.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43370
    https://www.cve.org/CVERecord?id=CVE-2024-43370
[1] https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
[2] https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c

Regards,
Salvatore

--- End Message ---
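The advisory above describes a corrupted `.po` catalog reaching the plural-forms logic. As an added example (not gettext.js's own code and not the upstream fix), one defensive check a catalog consumer can apply: accept a `Plural-Forms` header only if it matches the restricted grammar gettext defines (integers, the variable `n`, parentheses, comparison, boolean and arithmetic operators, `?:`), and reject anything else before it reaches the JavaScript engine. The sample headers and the `checkSamples` helper are constructed for illustration.

```javascript
// Overall shape: "nplurals=<int>; plural=<expr>;" (trailing ';' optional).
const HEADER_RE = /^\s*nplurals\s*=\s*(\d+)\s*;\s*plural\s*=\s*([^;]+?)\s*;?\s*$/;
// The only tokens a gettext plural expression may contain: digits, the
// variable n, parentheses, comparison/boolean/arithmetic operators, ?: and blanks.
const TOKEN_RE = /^(?:\d|n|\(|\)|<=|>=|==|!=|&&|\|\||[<>?:%+\-*\/!]|\s)+$/;

function parsePluralForms(header) {
  const m = HEADER_RE.exec(header);
  if (!m) throw new Error('Plural-Forms: unexpected header layout');
  const nplurals = Number(m[1]);
  const expr = m[2];
  if (nplurals < 1 || !TOKEN_RE.test(expr)) {
    throw new Error('Plural-Forms: expression contains disallowed tokens');
  }
  // Parentheses must balance; the token whitelist alone does not check that.
  let depth = 0;
  for (const ch of expr) {
    if (ch === '(') depth++;
    else if (ch === ')' && --depth < 0) break;
  }
  if (depth !== 0) throw new Error('Plural-Forms: unbalanced parentheses');
  // With that token set, n is the only identifier that can reach the engine,
  // so the compiled body is plain arithmetic and boolean logic over n.
  const fn = new Function('n', 'return (' + expr + ');');
  // A well-formed expression yields an index in [0, nplurals) for every count.
  for (let n = 0; n < 200; n++) {
    const idx = Number(fn(n));
    if (!Number.isInteger(idx) || idx < 0 || idx >= nplurals) {
      throw new Error('Plural-Forms: index out of range for n=' + n);
    }
  }
  return { nplurals, select: (n) => Number(fn(n)) };
}

// Constructed sample headers: two real-world shapes and one corrupted catalog.
const SAMPLES = {
  english: 'nplurals=2; plural=(n != 1);',
  russian: 'nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);',
  corrupted: 'nplurals=2; plural=(n != 1) || foo(1);',
};

// For each sample, the index selected for n=5 or the reason it was rejected.
function checkSamples() {
  const out = {};
  for (const [name, header] of Object.entries(SAMPLES)) {
    try { out[name] = parsePluralForms(header).select(5); }
    catch (e) { out[name] = 'rejected: ' + e.message; }
  }
  return out;
}
```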
--- Begin Message ---
Source: gettext.js
Source-Version: 0.7.0-4
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
gettext.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1078...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated gettext.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 17 Aug 2024 18:54:24 +0400
Source: gettext.js
Architecture: source
Version: 0.7.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1078880
Changes:
 gettext.js (0.7.0-4) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.0
   * Fix SSRF issue (Closes: #1078880, CVE-2024-43370)
Checksums-Sha1:
 405531c07809b4db3cb970e45ef7115abc2965fa 2089 gettext.js_0.7.0-4.dsc
 58d1524cd13c648a98f632c2f5976602045f7bf5 3448 gettext.js_0.7.0-4.debian.tar.xz
Checksums-Sha256:
 6a43b90a3f86d6acae055e776b9b914810bc35711345a231b8897452dabe4417 2089 gettext.js_0.7.0-4.dsc
 fd369381d86a3adade7fae2b95b2d91280e0162eaef1432eeb14a77b1eda1b79 3448 gettext.js_0.7.0-4.debian.tar.xz
Files:
 92e6f96881a662663280ac56dc542189 2089 javascript optional gettext.js_0.7.0-4.dsc
 5e9ce7f0753b62c9d22fe2b241d1957d 3448 javascript optional gettext.js_0.7.0-4.debian.tar.xz



--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
