Your message dated Mon, 16 Sep 2024 10:21:59 +0000
with message-id <e1sq8rn-00euva...@fasolo.debian.org>
and subject line Bug#1081906: fixed in node-webpack 5.94.0+dfsg1+~cs11.18.26-2
has caused the Debian Bug report #1081906,
regarding node-webpack: CVE-2024-43788
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1081906: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081906
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-webpack
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-webpack.
CVE-2024-43788[0]:
| Webpack is a module bundler. Its main purpose is to bundle
| JavaScript files for usage in a browser, yet it is also capable of
| transforming, bundling, or packaging just about any resource or
| asset. The webpack developers have discovered a DOM Clobbering
| vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM
| Clobbering gadget in the module can lead to cross-site scripting
| (XSS) in web pages where scriptless attacker-controlled HTML
| elements (e.g., an `img` tag with an unsanitized `name` attribute)
| are present. Real-world exploitation of this gadget has been
| observed in the Canvas LMS which allows an XSS attack to happen
| through JavaScript code compiled by Webpack (the vulnerable part
| is from Webpack). DOM Clobbering is a type of code-reuse attack
| where the attacker first embeds a piece of non-script, seemingly
| benign HTML markup in the webpage (e.g. through a post or comment)
| and leverages the gadgets (pieces of js code) living in the existing
| javascript code to transform it into executable code. This
| vulnerability can lead to cross-site scripting (XSS) on websites
| that include Webpack-generated files and allow users to inject
| certain scriptless HTML tags with improperly sanitized name or id
| attributes. This issue has been addressed in release version 5.94.0.
| All users are advised to upgrade. There are no known workarounds for
| this issue.
https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986
https://github.com/webpack/webpack/commit/955e057abc6cc83cbc3fa1e1ef67a49758bf5a61
(v5.94.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2024-43788
https://www.cve.org/CVERecord?id=CVE-2024-43788
Please adjust the affected versions in the BTS as needed.
--- End Message ---
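As an added illustration of the gadget class the quoted advisory describes (this is example code written for this page, not webpack's `AutoPublicPathRuntimeModule` and not part of the bug report): a public-path lookup that trusts `document.currentScript` blindly, a hardened variant, and a defensive scan over user-supplied markup. The DOM is simulated with plain objects, all element and URL values are constructed, and the tag-name guard in the hardened variant is an assumption about what such a fix looks like rather than a reproduction of the upstream commit.

```javascript
// Added example (not webpack's code): a DOM Clobbering gadget of the kind the
// advisory describes, a hardened lookup, and a scanner that flags markup which
// would shadow document.currentScript. The DOM is simulated with plain objects
// (constructed for this example) so it runs under Node without a browser.

// Minimal element factory for the simulated DOM.
function el(tagName, attrs) {
  return { tagName, ...attrs };
}

// Strip fragment, query and the last path segment: "https://h/a/b.js" -> "https://h/a/".
function dirOf(url) {
  return url.replace(/#.*$/, "").replace(/\?.*$/, "").replace(/\/[^/]+$/, "/");
}

// Vulnerable pattern: trusts whatever document.currentScript resolves to.
// In a browser, <img name="currentScript" src="..."> inside user-supplied HTML
// shadows the built-in getter (named document properties override built-ins),
// so .src becomes attacker-controlled and later chunk loads follow that path.
function publicPathVulnerable(document) {
  let scriptUrl;
  if (document.currentScript) scriptUrl = document.currentScript.src;
  if (!scriptUrl) {
    const scripts = document.getElementsByTagName("script");
    if (scripts.length) scriptUrl = scripts[scripts.length - 1].src;
  }
  if (!scriptUrl) throw new Error("automatic publicPath unavailable");
  return dirOf(scriptUrl);
}

// Hardened pattern (assumed guard, not upstream's exact code): only a genuine
// <script> element is accepted; anything else falls through to the script list.
function publicPathHardened(document) {
  let scriptUrl;
  const cs = document.currentScript;
  if (cs && typeof cs.tagName === "string" && cs.tagName.toUpperCase() === "SCRIPT") {
    scriptUrl = cs.src;
  }
  if (!scriptUrl) {
    const scripts = document.getElementsByTagName("script");
    if (scripts.length) scriptUrl = scripts[scripts.length - 1].src;
  }
  if (!scriptUrl) throw new Error("automatic publicPath unavailable");
  return dirOf(scriptUrl);
}

// Defensive scan of user-supplied markup: report name/id attributes whose value
// collides with a document property the bundler reads. Regex-based and
// illustrative only; a production sanitizer should use a real HTML parser.
const CLOBBERABLE = new Set(["currentScript"]);
function findClobberingAttributes(html) {
  const re = /<([a-z][a-z0-9-]*)\b[^>]*?\s(name|id)\s*=\s*["']?([^"'\s>]+)/gi;
  const hits = [];
  for (const m of html.matchAll(re)) {
    if (CLOBBERABLE.has(m[3])) {
      hits.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), value: m[3] });
    }
  }
  return hits;
}

// Constructed fixtures: a legitimate bundle script and a page where
// attacker-controlled markup has shadowed document.currentScript.
const legitScript = el("SCRIPT", { src: "https://app.example/static/js/main.js" });
const cleanDocument = {
  currentScript: legitScript,
  getElementsByTagName: (t) => (t === "script" ? [legitScript] : []),
};
const clobberingImg = el("IMG", { name: "currentScript", src: "https://attacker.invalid/payload/" });
const clobberedDocument = {
  currentScript: clobberingImg,
  getElementsByTagName: (t) => (t === "script" ? [legitScript] : []),
};
const userMarkup =
  '<p>hello</p><img name="currentScript" src="https://attacker.invalid/payload/"><a id="currentScript" href="#">x</a>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(publicPathVulnerable(cleanDocument));     // https://app.example/static/js/
  console.log(publicPathVulnerable(clobberedDocument)); // https://attacker.invalid/payload/
  console.log(publicPathHardened(clobberedDocument));   // https://app.example/static/js/
  console.log(findClobberingAttributes(userMarkup));    // two hits: img/name and a/id
}
```

The point the two lookups make is the one the advisory makes: the vulnerable variant derives the chunk-loading base URL from an element it never verified, while the hardened variant only honours a real `<script>` element and otherwise falls back to the last script on the page. The scanner is the detection side: sites that accept user HTML can flag `name`/`id` values that collide with document properties before the markup reaches the page.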
--- Begin Message ---
Source: node-webpack
Source-Version: 5.94.0+dfsg1+~cs11.18.26-2
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-webpack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-webpack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 16 Sep 2024 05:45:51 +0400
Source: node-webpack
Architecture: source
Version: 5.94.0+dfsg1+~cs11.18.26-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1081906
Changes:
node-webpack (5.94.0+dfsg1+~cs11.18.26-2) unstable; urgency=medium
.
* Team upload
* Fix autopkgtest
* Update lintian-overrides
* Back to unstable (Closes: #1081906)
Checksums-Sha1:
a1dfab0fca37e383b0edf58b6124adbd6defb318 4767
node-webpack_5.94.0+dfsg1+~cs11.18.26-2.dsc
1a51bc7b57c0a78955f3af4d4a3ee3cc30abf26e 40356
node-webpack_5.94.0+dfsg1+~cs11.18.26-2.debian.tar.xz
Checksums-Sha256:
6e927dd66e9978806132e4edd9b7e47bae074a72287295fd0a138c0e29773fd6 4767
node-webpack_5.94.0+dfsg1+~cs11.18.26-2.dsc
bae153241ed4357e15fe468b5c1efb2e417f4d1ae1fd9317433210ffaed63cc1 40356
node-webpack_5.94.0+dfsg1+~cs11.18.26-2.debian.tar.xz
Files:
710c48617eb613d90a96b1e84bd416c7 4767 javascript optional
node-webpack_5.94.0+dfsg1+~cs11.18.26-2.dsc
e4abd6798386409ed9bcccf420671c30 40356 javascript optional
node-webpack_5.94.0+dfsg1+~cs11.18.26-2.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel