[Pkg-javascript-devel] Bug#998418: [ftpmas...@ftp-master.debian.org: Accepted node-shell-quote 1.7.3+~1.7.1-1 (source) into unstable]

2022-01-09 Thread Salvatore Bonaccorso
Source: node-shell-quote Source-Version: 1.7.3+~1.7.1-1 - Forwarded message from Debian FTP Masters - -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 09 Jan 2022 12:07:45 +0100 Source: node-shell-quote Architecture: source Version: 1.7.3+~1.7.1-1 Distribution: un

[Pkg-javascript-devel] Bug#1004177: nodejs: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824

2022-01-22 Thread Salvatore Bonaccorso
Source: nodejs Version: 12.22.7~dfsg-2 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 12.22.5~dfsg-2~11u1 Hi, The following vulnerabilities were published for nodejs. CVE-2021-44531[0]: | Improper handling of URI Subject Alternati

[Pkg-javascript-devel] Accepted node-cached-path-relative 1.1.0+~1.0.0-1 (source) into unstable

2022-01-26 Thread Salvatore Bonaccorso
Source: node-cached-path-relative Source-Version: 1.1.0+~1.0.0-1 - Forwarded message from Debian FTP Masters - -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Wed, 26 Jan 2022 12:30:15 +0100 Source: node-cached-path-relative Architecture: source Version: 1.1.0+~1.0.0-

Re: [Pkg-javascript-devel] Fwd: dh-sequence-nodejs improvements

2022-02-05 Thread Salvatore Bonaccorso
Hi, On Sat, Feb 05, 2022 at 08:23:17AM +0100, Yadd wrote: > On 04/02/2022 17:59, Yadd wrote: > > Hi, > > > > my new pkgjs-audit tool found this 3 vulnerabilities, not found on > > security-tracker: > > > > eslint-config-eslint  5.0.1 > > Severity: critical > > Malicious Package in eslint-scope -

[Pkg-javascript-devel] [ftpmas...@ftp-master.debian.org: Accepted nodejs 12.22.9~dfsg-1 (source) into unstable]

2022-03-21 Thread Salvatore Bonaccorso
Source: nodejs Source-Version: 12.22.9~dfsg-1 This should fix #1004177 and the four open CVEs. - Forwarded message from Debian FTP Masters - -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Thu, 27 Jan 2022 13:42:36 +0100 Source: nodejs Architecture: source Version: 1

[Pkg-javascript-devel] Bug#1009327: node-moment: CVE-2022-24785: path traversal vulnerability

2022-04-11 Thread Salvatore Bonaccorso
Source: node-moment Version: 2.29.1+ds-3 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 2.29.1+ds-2 Control: found -1 2.24.0+ds-1 Hi, The following vulnerability was published for node-moment. CVE-2022-24785[0]: | Moment.js is

[Pkg-javascript-devel] Bug#977718: node-ini: CVE-2020-7788

2020-12-19 Thread Salvatore Bonaccorso
Source: node-ini Version: 1.3.5-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-ini. CVE-2020-7788[0]: | This affects the package ini before 1.3.6. If an attacker submits a | malicious INI

[Pkg-javascript-devel] Bug#977736: iotjs: CVE-2020-29657

2020-12-19 Thread Salvatore Bonaccorso
Source: iotjs Version: 1.0+715-1 Severity: important Tags: security upstream Forwarded: https://github.com/jerryscript-project/jerryscript/issues/4244 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.0-1 Hi, The following vulnerability was published for iotjs. Actually f

[Pkg-javascript-devel] Bug#979364: nodejs: CVE-2020-8265 CVE-2020-8287

2021-01-05 Thread Salvatore Bonaccorso
Source: nodejs Version: 12.19.0~dfsg-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 10.21.0~dfsg-1~deb10u1 Control: found -1 14.13.0~dfsg-1 Hi, The following vulnerabilities were published for no

[Pkg-javascript-devel] Bug#977736: iotjs: CVE-2020-29657 : False positive ?

2021-01-09 Thread Salvatore Bonaccorso
Control: severity -1 minor Hi On Thu, Jan 07, 2021 at 10:58:03PM +0100, Philippe Coval wrote: > Package: iotjs > Followup-For: Bug #977736 > > Dear Maintainer, > > As iotjs's Debian maintainer, > I have forwarded this issue to upstream tracker: > > https://github.com/jerryscript-project/iotjs/

[Pkg-javascript-devel] Bug#982587: ckeditor: CVE-2021-26271 CVE-2021-26272

2021-02-11 Thread Salvatore Bonaccorso
Source: ckeditor Version: 4.12.1+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for ckeditor. CVE-2021-26271[0]: | It was possible to execute a ReDoS-type attack inside CKEditor 4 | before

[Pkg-javascript-devel] Bug#985109: node-prismjs: CVE-2021-23341

2021-03-12 Thread Salvatore Bonaccorso
Source: node-prismjs Version: 1.11.0+dfsg-4 Severity: important Tags: security upstream Forwarded: https://github.com/PrismJS/prism/issues/2583 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-prismjs. CVE-2021-23341[0]: | The package

[Pkg-javascript-devel] Bug#985110: node-url-parse: CVE-2021-27515

2021-03-12 Thread Salvatore Bonaccorso
Source: node-url-parse Version: 1.4.7+repack-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-url-parse. CVE-2021-27515[0]: | url-parse before 1.5.0 mishandles certain uses of backslash suc

[Pkg-javascript-devel] Bug#985568: node-ua-parser-js: CVE-2021-27292

2021-03-20 Thread Salvatore Bonaccorso
Source: node-ua-parser-js Version: 0.7.23+ds-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 0.7.14-1 Hi, The following vulnerability was published for node-ua-parser-js. CVE-2021-27292[0]: | ua-parser-js >= 0.7.14, fixed in

[Pkg-javascript-devel] Bug#985841: node-ssri: CVE-2021-27290

2021-03-24 Thread Salvatore Bonaccorso
Source: node-ssri Version: 8.0.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-ssri. CVE-2021-27290[0]: | ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular | expression wh

[Pkg-javascript-devel] Bug#986171: underscore: CVE-2021-23358

2021-03-30 Thread Salvatore Bonaccorso
Source: underscore Version: 1.9.1~dfsg-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team ,y...@debian.org Hi, The following vulnerability was published for underscore. CVE-2021-23358[0]: | The package underscore fro

[Pkg-javascript-devel] Bug#987792: node-browserslist: CVE-2021-23364

2021-04-29 Thread Salvatore Bonaccorso
Source: node-browserslist Version: 4.16.3+~cs5.4.72-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-browserslist. CVE-2021-23364[0]: | The package browserslist from 4.0.0 and before 4.16.5

[Pkg-javascript-devel] Bug#962145: nodejs: CVE-2020-11080 CVE-2020-8172 CVE-2020-8174 (June 2020 security release)

2020-06-03 Thread Salvatore Bonaccorso
Source: nodejs Version: 10.20.1~dfsg-1 Severity: grave Tags: security upstream Justification: user security hole Control: found -1 10.19.0~dfsg1-1 Hi, The following vulnerabilities were published for nodejs. CVE-2020-11080[0]: HTTP/2 Large Settings Frame DoS CVE-2020-8172[1]: TLS session reuse

[Pkg-javascript-devel] Bug#963149: node-elliptic: CVE-2020-13822

2020-06-19 Thread Salvatore Bonaccorso
Source: node-elliptic Version: 6.5.1~dfsg-2 Severity: important Tags: security upstream Forwarded: https://github.com/indutny/elliptic/issues/226 Hi, The following vulnerability was published for node-elliptic. CVE-2020-13822[0]: | The Elliptic package 6.5.2 for Node.js allows ECDSA signature |

[Pkg-javascript-devel] Bug#964746: npm: CVE-2020-15095

2020-07-09 Thread Salvatore Bonaccorso
Source: npm Version: 6.14.5+ds-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for npm. CVE-2020-15095[0]: | Versions of the npm CLI prior to 6.14.6 are vulnerable to an | information exposure vulnerability through log files. The CLI supports | URLs li

[Pkg-javascript-devel] Bug#965283: node-lodash: CVE-2020-8203

2020-07-18 Thread Salvatore Bonaccorso
Source: node-lodash Version: 4.17.15+dfsg-2 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: Debian Security Team Hi, The following vulnerability was published for node-lodash. CVE-2020-8203[0]: | Prototype pollution attack when using _.zipObjectDeep in lo

[Pkg-javascript-devel] Bug#968094: node-prismjs: CVE-2020-15138

2020-08-08 Thread Salvatore Bonaccorso
Source: node-prismjs Version: 1.11.0+dfsg-3 Severity: important Tags: security upstream X-Debbugs-Cc: Debian Security Team Hi, The following vulnerability was published for node-prismjs. CVE-2020-15138[0]: | Prism is vulnerable to Cross-Site Scripting. The easing preview of the | Previewers plu

[Pkg-javascript-devel] Bug#969309: node-bl: CVE-2020-8244

2020-08-31 Thread Salvatore Bonaccorso
Source: node-bl Version: 4.0.2-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-bl. CVE-2020-8244[0]: | A buffer over-read vulnerability exists in bl <4.0.3, <3.0.1 and | <2.2.1 which could

[Pkg-javascript-devel] Bug#969668: grunt: CVE-2020-7729

2020-09-06 Thread Salvatore Bonaccorso
Source: grunt Version: 1.0.4-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.0.1-8 Hi, The following vulnerability was published for grunt. CVE-2020-7729[0]: | The package grunt before 1.3.0 are vulnerable to Arbitrary Code

[Pkg-javascript-devel] Bug#969669: node-node-forge: CVE-2020-7720

2020-09-06 Thread Salvatore Bonaccorso
Source: node-node-forge Version: 0.9.1~dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 0.8.1~dfsg-1 Hi, The following vulnerability was published for node-node-forge. CVE-2020-7720[0]: | The package node-forge before 0.

[Pkg-javascript-devel] Bug#970000: dojo: CVE-2020-4051

2020-09-09 Thread Salvatore Bonaccorso
Source: dojo Version: 1.15.3+dfsg1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for dojo. CVE-2020-4051[0]: | In Dijit before versions 1.11.11, and greater than or equal to 1.12.0 | and less tha

[Pkg-javascript-devel] Bug#970173: node-fetch: CVE-2020-15168

2020-09-12 Thread Salvatore Bonaccorso
Source: node-fetch Version: 1.7.3-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 1.7.3-1 Hi, The following vulnerability was published for node-fetch. CVE-2020-15168[0]: | node-fetch before versions 2.6.1 and 3.0.0-beta.9 di

[Pkg-javascript-devel] Bug#970173: Bug#970173: node-fetch: CVE-2020-15168

2020-09-13 Thread Salvatore Bonaccorso
Hi Xavier, On Sun, Sep 13, 2020 at 05:29:56PM +0200, Xavier wrote: > On 12/09/2020 at 15:33, Salvatore Bonaccorso wrote: > > Source: node-fetch > > Version: 1.7.3-2 > > Severity: important > > Tags: security upstream > > X-Debbugs-Cc: car...@debian.org, Debia

[Pkg-javascript-devel] Bug#972895: node-pathval: CVE-2020-7751

2020-10-25 Thread Salvatore Bonaccorso
Source: node-pathval Version: 1.1.0-3 Severity: important Tags: security upstream Forwarded: https://github.com/chaijs/pathval/pull/58 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-pathval. * CVE-2020-7751[0] If you fix the vulner

[Pkg-javascript-devel] Bug#975305: node-axios: CVE-2020-28168

2020-11-20 Thread Salvatore Bonaccorso
Source: node-axios Version: 0.21.0+dfsg-1 Severity: important Tags: security upstream Forwarded: https://github.com/axios/axios/issues/3369 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-axios. CVE-2020-28168[0]: | Axios NPM package

[Pkg-javascript-devel] Bug#976390: node-y18n: CVE-2020-7774

2020-12-04 Thread Salvatore Bonaccorso
Source: node-y18n Version: 4.0.0-2 Severity: important Tags: security upstream Forwarded: https://github.com/yargs/y18n/issues/96 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-y18n. CVE-2020-7774[0]: | This affects the package y18n

[Pkg-javascript-devel] Bug#976446: highlight.js: CVE-2020-26237

2020-12-05 Thread Salvatore Bonaccorso
Source: highlight.js Version: 9.18.1+dfsg1-2 Severity: important Tags: security upstream Forwarded: https://github.com/highlightjs/highlight.js/pull/2636 X-Debbugs-Cc: car...@debian.org, Debian Security Team Control: found -1 9.12.0+dfsg1-4 Hi, The following vulnerability was published for highl

[Pkg-javascript-devel] Bug#925571: node-opencv: CVE-2019-10061

2019-03-26 Thread Salvatore Bonaccorso
Source: node-opencv Version: 6.0.0+git20180416.cfc96ba0-2 Severity: important Tags: security upstream Hi, The following vulnerability was published for node-opencv. CVE-2019-10061[0]: | utils/find-opencv.js in node-opencv (aka OpenCV bindings for Node.js) | prior to 6.1.0 is vulnerable to Comman

[Pkg-javascript-devel] Bug#927385: jquery: Prototype Pollution vulnerability

2019-04-18 Thread Salvatore Bonaccorso
Source: jquery Version: 3.3.1~dfsg-1 Severity: grave Tags: patch security upstream fixed-upstream Justification: user security hole Control: found -1 3.1.1-2 Hi A prototype pollution vulnerability (so far no CVE) has been fixed in jQuery 3.4.0: https://blog.jquery.com/2019/04/10/jquery-3-4-0-rel

[Pkg-javascript-devel] Bug#927385: jquery: Prototype Pollution vulnerability

2019-04-19 Thread Salvatore Bonaccorso
Control: retitle 927385 jquery: CVE-2019-11358: Prototype Pollution vulnerability Control: retitle 927330 drupal7: CVE-2019-11358: XSS in bundled library (jquery) Hi CVE-2019-11358 was assigned for the jquery issue (and to be used as well for drupal). Regards, Salvatore -- Pkg-javascript-deve

[Pkg-javascript-devel] Bug#927716: Bug#927716: CVE-2018-1109

2019-04-26 Thread Salvatore Bonaccorso
Control: notfound 927716 2.0.2-2 Hi Xavier, On Fri, Apr 26, 2019 at 07:52:55PM +0200, Xavier wrote: > On 26/04/2019 at 19:40, Xavier wrote: > > [...] > > Hello, > > > > The regex that causes CVE-2018-1109 was introduced in upstream version > > 2.2.0, commit dcc1acab [1]. So Buster node-braces

[Pkg-javascript-devel] Bug#928624: node-axios: CVE-2019-10742

2019-05-07 Thread Salvatore Bonaccorso
Source: node-axios Version: 0.17.1+dfsg-1 Severity: grave Tags: security upstream Forwarded: https://github.com/axios/axios/issues/1098 Hi, The following vulnerability was published for node-axios. CVE-2019-10742[0]: | Axios up to and including 0.18.0 allows attackers to cause a denial of | serv

[Pkg-javascript-devel] Bug#928673: node-mqtt-packet: CVE-2019-5432

2019-05-08 Thread Salvatore Bonaccorso
Source: node-mqtt-packet Version: 6.0.0-1 Severity: grave Tags: security upstream Hi, The following vulnerability was published for node-mqtt-packet. CVE-2019-5432[0]: | A specifically malformed MQTT Subscribe packet crashes MQTT Brokers | using the mqtt-packet module versions < 3.5.1, 4.0.0 - 4

[Pkg-javascript-devel] Bug#931408: node-fstream: CVE-2019-13173

2019-07-04 Thread Salvatore Bonaccorso
Source: node-fstream Version: 1.0.10-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for node-fstream. CVE-2019-13173[0]: | fstream before 1.0.12 is vulnerable to Arbitrary File Overwrite. | Extracting tarballs containing a hardlink to a file that alre

[Pkg-javascript-devel] Bug#932500: Bug#932500: vulnerability: prototype pollution

2019-07-20 Thread Salvatore Bonaccorso
Hi Xavier, On Sat, Jul 20, 2019 at 05:44:05PM +0200, Xavier wrote: > On 20/07/2019 at 06:32, Paolo Greppi wrote: > > Package: node-mixin-deep > > Version: 1.1.3-3 > > Severity: important > > > > Dear Maintainer, > > > > node-mixin-deep 1.1.3-3 is affected by a prototype pollution vulnerabilit

[Pkg-javascript-devel] Bug#933079: node-lodash: CVE-2019-10744

2019-07-26 Thread Salvatore Bonaccorso
Source: node-lodash Version: 4.17.11+dfsg-2 Severity: important Tags: security upstream Forwarded: https://github.com/lodash/lodash/issues/4348 Hi, The following vulnerability was published for node-lodash. CVE-2019-10744[0]: | Versions of lodash lower than 4.17.12 are vulnerable to Prototype |

[Pkg-javascript-devel] Bug#934712: node-mysql: CVE-2019-14939

2019-08-13 Thread Salvatore Bonaccorso
Source: node-mysql Version: 2.16.0-2 Severity: important Tags: security upstream Forwarded: https://github.com/mysqljs/mysql/issues/2257 Hi, The following vulnerability was published for node-mysql. I'm opening this bug for now mainly for tracking. The upstream issue got locked down and the origi

[Pkg-javascript-devel] Bug#941189: node-set-value: CVE-2019-10747

2019-09-25 Thread Salvatore Bonaccorso
Source: node-set-value Version: 0.4.0-1 Severity: important Tags: security upstream Control: found -1 3.0.0-1 Hi, The following vulnerability was published for node-set-value. CVE-2019-10747[0]: | set-value is vulnerable to Prototype Pollution in versions lower than | 3.0.1. The function mixin-d

[Pkg-javascript-devel] Bug#941189: Bug#941189: node-set-value: CVE-2019-10747

2019-09-25 Thread Salvatore Bonaccorso
Hi Xavier, On Thu, Sep 26, 2019 at 07:31:21AM +0200, Xavier wrote: > On 26/09/2019 at 07:12, Salvatore Bonaccorso wrote: > > Source: node-set-value > > Version: 0.4.0-1 > > Severity: important > > Tags: security upstream > > Control: found -1 3.0.0-1 &g

[Pkg-javascript-devel] Bug#941354: node-yarnpkg: CVE-2019-5448

2019-09-29 Thread Salvatore Bonaccorso
Source: node-yarnpkg Version: 1.13.0-2 Severity: important Tags: security upstream Control: found -1 1.13.0-1 Hi, The following vulnerability was published for node-yarnpkg. CVE-2019-5448[0]: | Yarn before 1.17.3 is vulnerable to Missing Encryption of Sensitive | Data due to HTTP URLs in lockfil

[Pkg-javascript-devel] Bug#941354: proposed fix

2019-09-29 Thread Salvatore Bonaccorso
On Sun, Sep 29, 2019 at 02:43:21PM +0200, Paolo Greppi wrote: > I have imported the upstream patch in a new version 1.13.0-3: > https://salsa.debian.org/js-team/node-yarnpkg/commit/6808cd918e8c12182e14666c715bb1d372d82449/pipelines > > I have checked that it now uses https even if http links are p

[Pkg-javascript-devel] Bug#941354: node-yarnpkg: CVE-2019-5448

2019-10-03 Thread Salvatore Bonaccorso
Hi Xavier, On Thu, Oct 03, 2019 at 06:27:40PM +0200, Xavier wrote: > Hi, > > I don't know if you want to DSA this bug. Anyway here is the patch. I think we can have this schedule via next point releases as well. Regards, Salvatore -- Pkg-javascript-devel mailing list Pkg-javascript-devel@alio

[Pkg-javascript-devel] Bug#943560: node-knockout: CVE-2019-14862

2019-10-26 Thread Salvatore Bonaccorso
Source: node-knockout Version: 3.4.2-2 Severity: important Tags: security upstream Hi, The following vulnerability was published for node-knockout. CVE-2019-14862[0]: |Cross-site Scripting (XSS) attacks due to not escaping the name |attribute. If you fix the vulnerability please also make sure

[Pkg-javascript-devel] Bug#947127: npm: CVE-2019-16775 CVE-2019-16776 CVE-2019-16777

2019-12-21 Thread Salvatore Bonaccorso
Source: npm Version: 5.8.0+ds6-4 Severity: important Tags: security upstream Hi, The following vulnerabilities were published for npm. CVE-2019-16775[0]: | Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary | File Write. It is possible for packages to create symlinks to files

[Pkg-javascript-devel] Bug#948095: node-kind-of: CVE-2019-20149

2020-01-03 Thread Salvatore Bonaccorso
Source: node-kind-of Version: 6.0.2+dfsg-1 Severity: important Tags: security upstream Forwarded: https://github.com/jonschlinkert/kind-of/issues/30 Hi, The following vulnerability was published for node-kind-of. CVE-2019-20149[0]: | ctorName in index.js in kind-of v6.0.2 allows external user in

[Pkg-javascript-devel] Bug#952771: dojo: CVE-2019-10785

2020-02-28 Thread Salvatore Bonaccorso
Source: dojo Version: 1.15.0+dfsg1-1 Severity: important Tags: security upstream Control: found -1 1.14.2+dfsg1-1 Hi, The following vulnerability was published for dojo. CVE-2019-10785[0]: | dojox is vulnerable to Cross-site Scripting in all versions before | version 1.16.1, 1.15.2, 1.14.5, 1.13

[Pkg-javascript-devel] Bug#952912: node-yarnpkg: CVE-2020-8131

2020-03-01 Thread Salvatore Bonaccorso
Source: node-yarnpkg Version: 1.21.1-1 Severity: important Tags: security upstream Forwarded: https://github.com/yarnpkg/yarn/pull/7831 Hi, The following vulnerability was published for node-yarnpkg. CVE-2020-8131[0]: | Arbitrary filesystem write vulnerability in Yarn before 1.22.0 allows | atta

[Pkg-javascript-devel] Bug#953585: dojo: CVE-2020-5258

2020-03-10 Thread Salvatore Bonaccorso
Source: dojo Version: 1.15.2+dfsg1-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for dojo. CVE-2020-5258[0]: | In affected versions of dojo (NPM package), the deepCopy method is | vulnerable to Prototype Pollution. Prototype Pollution refers to the |

[Pkg-javascript-devel] Bug#953587: dojo: CVE-2020-5259

2020-03-10 Thread Salvatore Bonaccorso
Source: dojo Version: 1.15.2+dfsg1-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for dojo. CVE-2020-5259[0]: | In affected versions of dojox (NPM package), the jqMix method is | vulnerable to Prototype Pollution. Prototype Pollution refers to the | a

[Pkg-javascript-devel] Bug#953762: node-minimist: CVE-2020-7598

2020-03-12 Thread Salvatore Bonaccorso
Source: node-minimist Version: 1.2.0-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for node-minimist. CVE-2020-7598[0]: | minimist before 1.2.2 could be tricked into adding or modifying | properties of Object.prototype using a "constructor" or "__pro

[Pkg-javascript-devel] Bug#1050739: nodejs: CVE-2023-32002 CVE-2023-32006 CVE-2023-32559

2023-08-28 Thread Salvatore Bonaccorso
Source: nodejs Version: 18.13.0+dfsg1-1 Severity: grave Tags: security upstream Justification: user security hole X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for nodejs. CVE-2023-32002[0]: | The use of `Module._load()` can bypass the po

[Pkg-javascript-devel] Bug#1053262: node-get-func-name: CVE-2023-43646

2023-09-30 Thread Salvatore Bonaccorso
Source: node-get-func-name Version: 2.0.0+dfsg-2 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-get-func-name. CVE-2023-43646[0]: | get-func-name is a module to retrieve a function's name s

[Pkg-javascript-devel] Bug#1053282: node-postcss: CVE-2023-44270

2023-09-30 Thread Salvatore Bonaccorso
Source: node-postcss Version: 8.4.20+~cs8.0.23-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-postcss. CVE-2023-44270[0]: | An issue was discovered in PostCSS before 8.4.31. It affects li

[Pkg-javascript-devel] Bug#1054892: nodejs: CVE-2023-39333 CVE-2023-38552

2023-10-28 Thread Salvatore Bonaccorso
Source: nodejs Version: 18.13.0+dfsg1-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for nodejs. CVE-2023-39333[0]: | Code injection via WebAssembly export names CVE-2023-38552[1]: | When the Nod

[Pkg-javascript-devel] Bug#1054667: Bug#1054667: node-browserify-sign: CVE-2023-46234

2023-10-29 Thread Salvatore Bonaccorso
Hi Yadd, On Sat, Oct 28, 2023 at 12:05:25PM +0400, Yadd wrote: > On 10/27/23 20:20, Moritz Mühlenhoff wrote: > > Source: node-browserify-sign > > X-Debbugs-CC: t...@security.debian.org > > Severity: grave > > Tags: security > > > > Hi, > > > > The following vulnerability was published for node-b

[Pkg-javascript-devel] Bug#1055612: libjs-bootbox: CVE-2023-46998

2023-11-08 Thread Salvatore Bonaccorso
Source: libjs-bootbox Version: 5.5.3~ds-1 Severity: important Tags: security upstream Forwarded: https://github.com/bootboxjs/bootbox/issues/661 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for libjs-bootbox. CVE-2023-46998[0]: | Cross Site

[Pkg-javascript-devel] Bug#1056099: node-axios: CVE-2023-45857

2023-11-16 Thread Salvatore Bonaccorso
Source: node-axios Version: 1.5.1+dfsg-1 Severity: important Tags: security upstream Forwarded: https://github.com/axios/axios/issues/6006 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-axios. CVE-2023-45857[0]: | An issue discovered

[Pkg-javascript-devel] Bug#1039990: Bug#1039990: nodejs: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590

2023-12-20 Thread Salvatore Bonaccorso
On Fri, Jun 30, 2023 at 08:12:37PM +0200, Jérémy Lal wrote: > >> > Hi, > >> > > >> > On Fri. 30 June 2023 at 19:21, Salvatore Bonaccorso > >> wrote: > >> > > >> > > Source: nodejs > >> >

[Pkg-javascript-devel] Bug#1059926: node-follow-redirects: CVE-2023-26159

2024-01-03 Thread Salvatore Bonaccorso
Source: node-follow-redirects Version: 1.15.3+~1.14.2-1 Severity: important Tags: security upstream Forwarded: https://github.com/follow-redirects/follow-redirects/issues/235 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-follow-redir

[Pkg-javascript-devel] Bug#1064312: node-undici: CVE-2024-24758

2024-02-19 Thread Salvatore Bonaccorso
Source: node-undici Version: 5.28.2+dfsg1+~cs23.11.12.3-6 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-undici. CVE-2024-24758[0]: | Undici is an HTTP/1.1 client, written from scratch for

[Pkg-javascript-devel] Bug#1064808: node-sanitize-html: CVE-2024-21501

2024-02-25 Thread Salvatore Bonaccorso
Source: node-sanitize-html Version: 2.8.0+~2.6.2-1 Severity: important Tags: security upstream Forwarded: https://github.com/apostrophecms/sanitize-html/pull/650 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-sanitize-html. CVE-2024-

[Pkg-javascript-devel] Bug#1064933: node-es5-ext: CVE-2024-27088

2024-02-27 Thread Salvatore Bonaccorso
Source: node-es5-ext Version: 0.10.62+dfsg1+~1.1.0-2 Severity: important Tags: security upstream Forwarded: https://github.com/medikoo/es5-ext/issues/201 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-es5-ext. CVE-2024-27088[0]: | es

[Pkg-javascript-devel] Bug#1066971: node-follow-redirects: CVE-2024-28849

2024-03-16 Thread Salvatore Bonaccorso
Source: node-follow-redirects Version: 1.15.3+~1.14.2-1 Severity: important Tags: security upstream Forwarded: https://github.com/psf/requests/issues/1885 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-follow-redirects. CVE-2024-2884

[Pkg-javascript-devel] Bug#1067805: node-katex: CVE-2024-28243 CVE-2024-28244 CVE-2024-28245 CVE-2024-28246

2024-03-26 Thread Salvatore Bonaccorso
Source: node-katex Version: 0.16.4+~cs6.1.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerabilities were published for node-katex. CVE-2024-28243[0]: | KaTeX is a JavaScript library for TeX math rendering on the web.

[Pkg-javascript-devel] [ftpmas...@ftp-master.debian.org: Accepted nodejs 18.20.1+dfsg-1 (source) into unstable]

2024-04-03 Thread Salvatore Bonaccorso
Source: nodejs Source-Version: 18.20.1+dfsg-1 - Forwarded message from Debian FTP Masters - -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Format: 1.8 Date: Wed, 03 Apr 2024 16:50:38 +0200 Source: nodejs Architecture: source Version: 18.20.1+dfsg-1 Distribution: unstable Urgency: medi

[Pkg-javascript-devel] [ftpmas...@ftp-master.debian.org: Accepted node-express 4.19.2+~cs8.36.21-1 (source) into unstable]

2024-04-06 Thread Salvatore Bonaccorso
Source: node-express Source-Version: 4.19.2+~cs8.36.21-1 - Forwarded message from Debian FTP Masters - -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sun, 07 Apr 2024 07:52:14 +0400 Source: node-express Architecture: source Version: 4.19.2+~cs8.36.21-1 Distribution:

Re: [Pkg-javascript-devel] Accepted node-es5-ext 0.10.64+dfsg1+~1.1.0-1 (source) into unstable

2024-04-28 Thread Salvatore Bonaccorso
Source: node-es5-ext Source-Version: 0.10.64+dfsg1+~1.1.0-1 On Sun, Apr 28, 2024 at 02:39:58PM +, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Sun, 28 Apr 2024 17:42:38 +0400 > Source: node-es5-ext > Architecture: source > Version: 0.10

Re: [Pkg-javascript-devel] Accepted node-ip 2.0.1+~1.1.3-1 (source) into unstable

2024-04-28 Thread Salvatore Bonaccorso
Source: node-ip Source-Version: 2.0.1+~1.1.3-1 On Sun, Apr 28, 2024 at 02:40:08PM +, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Sun, 28 Apr 2024 17:44:01 +0400 > Source: node-ip > Architecture: source > Version: 2.0.1+~1.1.3-1 > Distr

Re: [Pkg-javascript-devel] Accepted node-sanitize-html 2.13.0+~2.11.0-1 (source) into unstable

2024-04-28 Thread Salvatore Bonaccorso
Source: node-sanitize-html Source-Version: 2.13.0+~2.11.0-1 On Sun, Apr 28, 2024 at 02:40:18PM +, Debian FTP Masters wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Format: 1.8 > Date: Sun, 28 Apr 2024 17:48:12 +0400 > Source: node-sanitize-html > Built-For-Profiles: nocheck >

Re: [Pkg-javascript-devel] Bug#1074059: bookworm-pu: package nodejs/18.19.0+dfsg-6~deb12u2

2024-06-25 Thread Salvatore Bonaccorso
Hi all, On Sat, Jun 22, 2024 at 06:26:23PM +0300, Adrian Bunk wrote: > Package: release.debian.org > Severity: normal > Tags: bookworm > User: release.debian@packages.debian.org > Usertags: pu > X-Debbugs-Cc: secur...@debian.org, Debian Javascript Maintainers > , Jérémy Lal > > This upload

Re: [Pkg-javascript-devel] Bug#1074059: bookworm-pu: package nodejs/18.19.0+dfsg-6~deb12u2

2024-07-03 Thread Salvatore Bonaccorso
Hi, On Wed, Jul 03, 2024 at 11:36:46PM +0200, Jérémy Lal wrote: > On Wed. 3 July 2024 at 23:04, Andres Salomon wrote: > > > > > > > On 6/25/24 16:34, Jérémy Lal wrote: > > > > > > > > > On Tue. 25 June 2024 at 22:22, Salvatore

[Pkg-javascript-devel] Bug#1078878: node-axios: CVE-2024-39338

2024-08-17 Thread Salvatore Bonaccorso
Source: node-axios Version: 1.7.3+dfsg-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-axios. CVE-2024-39338[0]: | axios 1.7.2 allows SSRF via unexpected behavior where requests for | path

[Pkg-javascript-devel] Bug#1078880: gettext.js: CVE-2024-43370

2024-08-17 Thread Salvatore Bonaccorso
Source: gettext.js Version: 0.7.0-3 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for gettext.js. CVE-2024-43370[0]: | gettext.js is a GNU gettext port for node and the browser. There is | a cross-site

[Pkg-javascript-devel] Bug#850322: npm: CVE-2016-3956

2018-09-15 Thread Salvatore Bonaccorso
Hi! On Sat, Sep 15, 2018 at 06:19:29PM +0530, Pirate Praveen wrote: > Control: fixed -1 5.8.0+ds-1 > > On Thu, 05 Jan 2017 22:16:38 +0100 Salvatore Bonaccorso > wrote: > > > the following vulnerability was published for npm. > > > > CVE-2016-3956[0]: > >

[Pkg-javascript-devel] Bug#898315: node-mixin-deep: CVE-2018-3719: Prototype pollution via merging functions

2018-05-10 Thread Salvatore Bonaccorso
Source: node-mixin-deep Version: 1.1.3-1 Severity: important Tags: security upstream Forwarded: https://nodesecurity.io/advisories/578 Hi, The following vulnerability was published for node-mixin-deep. CVE-2018-3719[0]: Prototype pollution via merging functions If you fix the vulnerability plea

[Pkg-javascript-devel] Bug#900868: node-growl: CVE-2017-16042: Does not properly sanitize input before passing it to exec

2018-06-05 Thread Salvatore Bonaccorso
Source: node-growl Version: 1.7.0-1 Severity: grave Tags: security upstream Forwarded: https://github.com/tj/node-growl/issues/60 Hi, The following vulnerability was published for node-growl. CVE-2017-16042[0]: | Growl adds growl notification support to nodejs. Growl before 1.10.2 | does not pro

[Pkg-javascript-devel] Bug#901093: node-sshpk: CVE-2018-3737

2018-06-08 Thread Salvatore Bonaccorso
Source: node-sshpk Version: 1.13.1+dfsg-1 Severity: important Tags: security upstream Forwarded: https://github.com/joyent/node-sshpk/issues/44 Hi, The following vulnerability was published for node-sshpk. CVE-2018-3737[0]: | sshpk is vulnerable to ReDoS when parsing crafted invalid public keys.

[Pkg-javascript-devel] Bug#901277: node-mime: CVE-2017-16138

2018-06-10 Thread Salvatore Bonaccorso
Source: node-mime Version: 1.3.4-1 Severity: important Tags: security upstream Forwarded: https://github.com/broofa/node-mime/issues/167 Hi, The following vulnerability was published for node-mime. CVE-2017-16138[0]: | The mime module is vulnerable to regular expression denial of service | when

[Pkg-javascript-devel] Bug#901708: node-request: CVE-2017-16026: remote memory exposure

2018-06-17 Thread Salvatore Bonaccorso
Source: node-request Version: 2.26.1-1 Severity: important Tags: security upstream Forwarded: https://github.com/request/request/issues/1904 Hi, The following vulnerability was published for node-request. CVE-2017-16026[0]: | Request is an http client. If a request is made using ```multipart```,

[Pkg-javascript-devel] Bug#906058: node-url-parse: CVE-2018-3774

2018-08-13 Thread Salvatore Bonaccorso
Source: node-url-parse Version: 1.2.0-1 Severity: important Tags: security upstream Hi, The following vulnerability was published for node-url-parse. CVE-2018-3774[0]: | Incorrect parsing in url-parse <1.4.3 returns wrong hostname which | leads to multiple vulnerabilities such as SSRF, Open Redi

[Pkg-javascript-devel] Bug#906540: dojo: CVE-2018-15494

2018-08-18 Thread Salvatore Bonaccorso
Source: dojo Version: 1.13.0+dfsg1-3 Severity: important Tags: security upstream Forwarded: https://github.com/dojo/dojox/pull/283 Hi, The following vulnerability was published for dojo. CVE-2018-15494[0]: | In Dojo Toolkit before 1.14, there is unescaped string injection in | dojox/Grid/DataGri

[Pkg-javascript-devel] Bug#1078880: Bug#1078880: gettext.js: CVE-2024-43370

2024-08-20 Thread Salvatore Bonaccorso
Hi Xavier, On Tue, Aug 20, 2024 at 05:33:49PM +0400, Yadd wrote: > On 8/20/24 17:30, Salvatore Bonaccorso wrote: > > Hi, > > > > On Tue, Aug 20, 2024 at 05:20:38PM +0400, Yadd wrote: > > > On 8/20/24 16:34, Moritz Mühlenhoff wrote: > > > > Hi Yadd, >

[Pkg-javascript-devel] [ftpmas...@ftp-master.debian.org: Accepted node-path-to-regexp 6.3.0-1 (source) into unstable]

2024-09-14 Thread Salvatore Bonaccorso
Source: node-path-to-regexp Source-Version: 6.3.0-1 - Forwarded message from Debian FTP Masters - -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Format: 1.8 Date: Sat, 14 Sep 2024 16:14:48 +0400 Source: node-path-to-regexp Architecture: source Version: 6.3.0-1 Distribution: unstable U

[Pkg-javascript-devel] Bug#1014845: node-moment: CVE-2022-31129

2022-07-12 Thread Salvatore Bonaccorso
Source: node-moment Version: 2.29.3+ds-1 Severity: grave Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-moment. CVE-2022-31129[0]: | moment is a JavaScript date library for parsing, validating, | manipulating,

[Pkg-javascript-devel] Bug#1014845: Bug#1014845: node-moment: CVE-2022-31129

2022-07-13 Thread Salvatore Bonaccorso
Hi Yadd, On Wed, Jul 13, 2022 at 09:14:56PM +0200, Yadd wrote: > On 13/07/2022 08:38, Salvatore Bonaccorso wrote: > > Source: node-moment > > Version: 2.29.3+ds-1 > > Severity: grave > > Tags: security upstream > > X-Debbugs-Cc: car...@debian.org, Debia

[Pkg-javascript-devel] Bug#1016497: node-fetch: CVE-2022-2596

2022-08-01 Thread Salvatore Bonaccorso
Source: node-fetch Version: 3.2.9+~cs18.4.14-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-fetch. CVE-2022-2596[0]: | Denial of Service in GitHub repository node-fetch/node-fetch prior t

[Pkg-javascript-devel] Bug#1017707: RM: rainloop -- RoQA; "unmaintained" upstream, security issues, upstream-fork exists (but not yet packaged in Debian)

2022-08-19 Thread Salvatore Bonaccorso
Package: ftp.debian.org Severity: normal X-Debbugs-Cc: car...@debian.org, anar...@debian.org, t...@security.debian.org, pkg-javascript-de...@lists.alioth.debian.org, y...@debian.org Hi As it was mentioned in #debian-security: rainloop seems to have now an unmaintained upstream and has security i

[Pkg-javascript-devel] Bug#1019219: node-sanitize-html: CVE-2022-25887

2022-09-05 Thread Salvatore Bonaccorso
Source: node-sanitize-html Version: 2.7.0+~2.6.2-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-sanitize-html. CVE-2022-25887[0]: | The package sanitize-html before 2.7.1 are vulnerable t

[Pkg-javascript-devel] Bug#1021618: node-xmldom: CVE-2022-37616

2022-10-11 Thread Salvatore Bonaccorso
Source: node-xmldom Version: 0.7.5-1 Severity: important Tags: security upstream Forwarded: https://github.com/xmldom/xmldom/issues/436 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-xmldom. CVE-2022-37616[0]: | A prototype pollution

Re: [Pkg-javascript-devel] CVE-2021-33587 too intrusive

2021-06-02 Thread Salvatore Bonaccorso
Hi Yadd, On Mon, May 31, 2021 at 11:50:56AM +0200, Yadd wrote: > Hi, > > Looking at CVE-2021-33587 patch, it seems too intrusive to be applied > for Bullseye: patch seems not easily usable for version 4 of > node-css-what. Could you tag it ? Sorry, forgot to confirm: this is done and marked to b

[Pkg-javascript-devel] Bug#990449: node-mermaid: CVE-2021-35513

2021-06-29 Thread Salvatore Bonaccorso
Source: node-mermaid Version: 8.7.0+ds+~cs27.17.17-2 Severity: important Tags: security upstream Forwarded: https://github.com/mermaid-js/mermaid/issues/2122 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-mermaid. CVE-2021-35513[0]:

[Pkg-javascript-devel] Bug#990485: node-nodemailer: CVE-2021-23400

2021-06-30 Thread Salvatore Bonaccorso
Source: node-nodemailer Version: 6.4.17-2 Severity: important Tags: security upstream Forwarded: https://github.com/nodemailer/nodemailer/issues/1289 X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-nodemailer. CVE-2021-23400[0]: | The

[Pkg-javascript-devel] Bug#991577: node-url-parse: CVE-2021-3664

2021-07-27 Thread Salvatore Bonaccorso
Source: node-url-parse Version: 1.5.1-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-url-parse. CVE-2021-3664[0]: | url-parse is vulnerable to URL Redirection to Untrusted Site If you f

[Pkg-javascript-devel] Bug#991612: node-xmldom: CVE-2021-32796

2021-07-28 Thread Salvatore Bonaccorso
Source: node-xmldom Version: 0.5.0-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-xmldom. CVE-2021-32796[0]: | xmldom is an open source pure JavaScript W3C standard-based (XML DOM | Level

[Pkg-javascript-devel] Bug#992111: node-tar: CVE-2021-32804

2021-08-11 Thread Salvatore Bonaccorso
Source: node-tar Version: 6.0.5+ds1+~cs11.3.9-1 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team Hi, The following vulnerability was published for node-tar. CVE-2021-32804[0]: | The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, |
