Your message dated Mon, 21 Apr 2025 06:19:20 +0000
with message-id <e1u6kuy-001oog...@fasolo.debian.org>
and subject line Bug#1098325: fixed in node-dompurify 3.2.5+dfsg-1
has caused the Debian Bug report #1098325,
regarding node-dompurify: CVE-2025-26791
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1098325: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098325
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-dompurify
Version: 3.1.7+dfsg+~3.0.5-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-dompurify.

CVE-2025-26791[0]:
| DOMPurify before 3.2.4 has an incorrect template literal regular
| expression, sometimes leading to mutation cross-site scripting
| (mXSS).


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26791
    https://www.cve.org/CVERecord?id=CVE-2025-26791
[1] https://github.com/cure53/DOMPurify/commit/d18ffcb554e0001748865da03ac75dd7829f0f02
[2] https://ensy.zip/posts/dompurify-323-bypass/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-dompurify
Source-Version: 3.2.5+dfsg-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-dompurify, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1098...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-dompurify package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 21 Apr 2025 08:02:21 +0200
Source: node-dompurify
Architecture: source
Version: 3.2.5+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1098325 1103615
Changes:
 node-dompurify (3.2.5+dfsg-1) experimental; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.2
   * Drop @types/dompurify
   * New upstream version 3.2.5+dfsg
     (Closes: #1103615, #1098325, CVE-2025-26791)
   * Add rollup-plugin-dts and @types/trusted-types for build only
   * Build also with typescript
   * Add build dependencies:
     node-magic-string, node-rollup-plugin-typescript2, node-typescript
   * Update copyright

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---