node-ssri: CVE-2021-27290

Related Vulnerabilities: CVE-2021-27290  

Debian Bug report logs - #985841


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 24 Mar 2021 18:27:01 UTC

Severity: important

Tags: pending, security, upstream

Found in version node-ssri/8.0.0-1

Fixed in version node-ssri/8.0.1-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#985841; Package src:node-ssri. (Wed, 24 Mar 2021 18:27:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Wed, 24 Mar 2021 18:27:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-ssri: CVE-2021-27290
Date: Wed, 24 Mar 2021 19:22:50 +0100
Source: node-ssri
Version: 8.0.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-ssri.

CVE-2021-27290[0]:
| ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular
| expression which is vulnerable to a denial of service. Malicious SRIs
| could take an extremely long time to process, leading to denial of
| service. This issue only affects consumers using the strict option.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27290
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27290
[1] https://github.com/npm/ssri/commit/76e223317d971

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Wed, 24 Mar 2021 19:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 24 Mar 2021 19:36:05 GMT)


Message #10 received at 985841-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 985841-close@bugs.debian.org
Subject: Bug#985841: fixed in node-ssri 8.0.1-1
Date: Wed, 24 Mar 2021 19:33:31 +0000
Source: node-ssri
Source-Version: 8.0.1-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-ssri, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985841@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-ssri package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 24 Mar 2021 20:09:55 +0100
Source: node-ssri
Architecture: source
Version: 8.0.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 985841
Changes:
 node-ssri (8.0.1-1) unstable; urgency=medium
 .
   * Team upload
   * Bump debhelper compatibility level to 13
   * Declare compliance with policy 4.5.1
   * Modernize debian/watch
   * Add ctype=nodejs to component(s)
   * Use dh-sequence-nodejs
   * Fix GitHub tags regex
   * New upstream version 8.0.1 (Closes: #985841, CVE-2021-27290)
Checksums-Sha1: 
 3a114ac06fe4b6b957938bb8b54a228f1af12c18 2647 node-ssri_8.0.1-1.dsc
 b87d81e1ba137f677982a61e87f0f75c4d0011dc 52503 node-ssri_8.0.1.orig-figgy-pudding.tar.gz
 601a95c4cb1d2976072c1720338de85757fc7a74 50240 node-ssri_8.0.1.orig-minipass.tar.gz
 f862e8c1d22db6887a5d0b2ed0ee753a9c5dcd17 162365 node-ssri_8.0.1.orig.tar.gz
 8a4ff8029cda13e7a4a2ce901f0afba738e255d5 3480 node-ssri_8.0.1-1.debian.tar.xz
Checksums-Sha256: 
 8781a1a5a2f4fb008d57186294915a225373516ad1fa519539aa8569c981e192 2647 node-ssri_8.0.1-1.dsc
 6c7fd98f49444c2d20c4cd377c9e26d9a8cdd194d016f86e23763b969ece0ad4 52503 node-ssri_8.0.1.orig-figgy-pudding.tar.gz
 496598d78b824ddb3116c4a4fe0123516b318eab820d0ee80cb892ef3ba0c4c9 50240 node-ssri_8.0.1.orig-minipass.tar.gz
 b9eacfc8c94378ae0bd4602590e50da8dffaa6e3b09e56632d168c3df816c2e7 162365 node-ssri_8.0.1.orig.tar.gz
 846a87b355c121d3ea36a95e75ef79f34d3f8990bb1c86ff05bc8e27ba2bb8a9 3480 node-ssri_8.0.1-1.debian.tar.xz
Files: 
 06b764d5c8314fd048db6eb408490aea 2647 javascript optional node-ssri_8.0.1-1.dsc
 460ce21ba8ee86d369bb30abc3e04e16 52503 javascript optional node-ssri_8.0.1.orig-figgy-pudding.tar.gz
 b49657e3714f92ab73a7deb5aca36f53 50240 javascript optional node-ssri_8.0.1.orig-minipass.tar.gz
 d7b15634f596c3612074b7861f771f56 162365 javascript optional node-ssri_8.0.1.orig.tar.gz
 dc3cf7cb140678add89690a89d23eab6 3480 javascript optional node-ssri_8.0.1-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Added tag(s) pending. Request was from Yadd <yadd@debian.org> to control@bugs.debian.org. (Wed, 24 Mar 2021 19:42:02 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Mar 25 12:07:27 2021; Machine Name: bembo
