Your message dated Fri, 23 Aug 2024 10:17:10 +0000
with message-id <e1shrly-006uyy...@fasolo.debian.org>
and subject line Bug#1078880: fixed in gettext.js 0.7.0-3+deb12u1
has caused the Debian Bug report #1078880,
regarding gettext.js: CVE-2024-43370
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1078880: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078880
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gettext.js
Version: 0.7.0-3
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for gettext.js.
CVE-2024-43370[0]:
| gettext.js is a GNU gettext port for node and the browser. There is
| a cross-site scripting (XSS) injection if `.po` dictionary
| definition files are corrupted. This vulnerability has been patched
| in version 2.0.3. As a workaround, control the origin of the
| definition catalog to prevent the use of this flaw in the definition
| of plural forms.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-43370
    https://www.cve.org/CVERecord?id=CVE-2024-43370
[1] https://github.com/guillaumepotier/gettext.js/security/advisories/GHSA-vwhg-jwr4-vxgg
[2] https://github.com/guillaumepotier/gettext.js/commit/6e52e0f8fa7d7c8b358e78b613d47ea332b8a56c
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: gettext.js
Source-Version: 0.7.0-3+deb12u1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
gettext.js, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1078...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated gettext.js package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 17 Aug 2024 18:58:13 +0400
Source: gettext.js
Architecture: source
Version: 0.7.0-3+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1078880
Changes:
gettext.js (0.7.0-3+deb12u1) bookworm; urgency=medium
.
* Team upload
* Fix SSRF issue (Closes: #1078880, CVE-2024-43370)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel