node-xmldom: CVE-2022-37616


Debian Bug report logs - #1021618


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 11 Oct 2022 20:45:01 UTC

Severity: important

Tags: security, upstream

Found in version node-xmldom/0.7.5-1

Fixed in version node-xmldom/0.8.3-1

Done: Yadd <yadd@debian.org>

Forwarded to https://github.com/xmldom/xmldom/issues/436



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1021618; Package src:node-xmldom. (Tue, 11 Oct 2022 20:45:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 11 Oct 2022 20:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-xmldom: CVE-2022-37616
Date: Tue, 11 Oct 2022 22:40:00 +0200
Source: node-xmldom
Version: 0.7.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/xmldom/xmldom/issues/436
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-xmldom.

CVE-2022-37616[0]:
| A prototype pollution vulnerability exists in the function copy in
| dom.js in the xmldom (published as @xmldom/xmldom) package before
| 0.8.3 for Node.js via the p variable.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-37616
    https://www.cve.org/CVERecord?id=CVE-2022-37616
[1] https://github.com/xmldom/xmldom/issues/436

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

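As an added illustration of the bug class the CVE text above describes (example code, not xmldom's or Debian's own), the block below contrasts a `for...in` copy with no own-property check against one that has the guard. The helper names are hypothetical, and whether the guard matches the upstream 0.8.3 change exactly is not shown on this page.

```javascript
// Added example, not xmldom's code: why an unguarded `for (var p in src)`
// copy propagates inherited properties, and the own-property guard that
// stops it. All names here are hypothetical.

// Unguarded: for-in visits every enumerable key on src's whole prototype
// chain, so anything sitting on a (possibly polluted) prototype is copied.
function copyUnguarded(src, dest) {
  for (var p in src) {
    dest[p] = src[p];
  }
  return dest;
}

// Hardened: transfer only keys that src itself defines.
function copyOwnOnly(src, dest) {
  for (var p in src) {
    if (Object.prototype.hasOwnProperty.call(src, p)) {
      dest[p] = src[p];
    }
  }
  return dest;
}

// Mirrors the inheritance-helper pattern of copying a parent prototype onto
// a child prototype: whatever lands there is visible on every child instance.
function buildChild(copyFn, parentProto) {
  function Child() {}
  copyFn(parentProto, Child.prototype);
  return new Child();
}

// Constructed input: a parent prototype whose own prototype carries an
// unexpected enumerable key, as it would after pollution elsewhere.
function makeTaintedParentProto() {
  var tainted = Object.create({ injected: 'not-from-parent' });
  tainted.nodeName = '#parent';
  return tainted;
}

// Returns which copy strategy leaks the inherited key onto child instances.
function demo() {
  var unguarded = buildChild(copyUnguarded, makeTaintedParentProto());
  var guarded = buildChild(copyOwnOnly, makeTaintedParentProto());
  return {
    unguardedSeesInjected: unguarded.injected === 'not-from-parent',
    guardedSeesInjected: 'injected' in guarded,
    bothSeeOwn: unguarded.nodeName === '#parent' && guarded.nodeName === '#parent'
  };
}
```

The guarded variant still copies the parent's own `nodeName`, so legitimate behaviour is preserved while the inherited key is dropped.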


Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Wed, 12 Oct 2022 07:21:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 12 Oct 2022 07:21:03 GMT)


Message #10 received at 1021618-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1021618-close@bugs.debian.org
Subject: Bug#1021618: fixed in node-xmldom 0.8.3-1
Date: Wed, 12 Oct 2022 07:19:48 +0000
Source: node-xmldom
Source-Version: 0.8.3-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-xmldom, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1021618@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-xmldom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 12 Oct 2022 08:56:03 +0200
Source: node-xmldom
Built-For-Profiles: nocheck
Architecture: source
Version: 0.8.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1021618
Changes:
 node-xmldom (0.8.3-1) unstable; urgency=medium
 .
   * Team upload
   * Update standards version to 4.6.1, no changes needed.
   * New upstream version 0.8.3 (Closes: #1021618, CVE-2022-37616)
   * Add fix for jest >= 29







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Oct 12 13:22:44 2022; Machine Name: bembo
