Source: civicrm
Severity: serious
Tags: security
Justification: security problem
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>

Dear Maintainer,

You include sinon in the installed package and bundle it without source (thus a
serious bug).

This is a duplication of a package, but moreover a security problem (even if minor,
since it is only local and during log reading).

Could you use the packaged node-sinon?

npm audit sinon@1.14.1
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces -
https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/braces

elliptic  2.0.0 - 6.5.6
Elliptic's EDDSA missing signature length check -
https://github.com/advisories/GHSA-f7q4-pwc6-w24p
Elliptic's ECDSA missing check for whether leading bit of r and s is zero -
https://github.com/advisories/GHSA-977x-g7h5-7qgw
Elliptic allows BER-encoded signatures -
https://github.com/advisories/GHSA-49q7-c7j4-3p7m
fix available via `npm audit fix`
node_modules/elliptic

ws  8.0.0 - 8.17.0
Severity: high
ws affected by a DoS when handling a request with many HTTP headers -
https://github.com/advisories/GHSA-3h5v-q93c-6h6q
fix available via `npm audit fix --force`
Will install mochify@9.1.0, which is a breaking change
node_modules/mochify/node_modules/ws
node_modules/ws
  puppeteer  11.0.0 - 22.11.1
  Depends on vulnerable versions of puppeteer-core
  Depends on vulnerable versions of ws
  node_modules/mochify/node_modules/puppeteer
  node_modules/puppeteer
    mochify  >=9.2.0
    Depends on vulnerable versions of puppeteer
    node_modules/mochify
  puppeteer-core  11.0.0 - 22.11.1
  Depends on vulnerable versions of ws
  node_modules/puppeteer-core

6 vulnerabilities (1 low, 5 high)


-- System Information:
Debian Release: trixie/sid
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.9.12-rt-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

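The check a packager would want before filing or fixing a report like the one above is to find every vendored JavaScript library in the installed tree, read its version from the bundle header, note whether it ships as minified code without source, and compare it with what the distribution already packages. The script below is an added example written for this page; it is not code from the bug report, from CiviCRM or from Debian. The banner patterns, the versions in PACKAGED, and the files that demo() builds are constructed assumptions for illustration.

```python
"""Locate vendored JavaScript libraries in an installed tree and compare them
with the distribution-packaged versions.

Added example; not code from the bug report or from CiviCRM. The banner
patterns, the packaged versions in PACKAGED and the sample files built by
demo() are constructed assumptions for illustration.
"""
import json
import os
import re
import tempfile
from typing import Dict, List

# Banners to look for in the first 2 KiB of each .js file.  The Sinon pattern
# targets the "Sinon.JS <version>, <date>" header of its 1.x bundle; both
# patterns are assumptions to adjust for the libraries you care about.
BANNERS = {
    "sinon": re.compile(r"Sinon\.JS\s+v?(\d+\.\d+\.\d+)"),
    "jquery": re.compile(r"jQuery\s+(?:JavaScript\s+Library\s+)?v(\d+\.\d+\.\d+)"),
}

# Versions the distribution packages ship; constructed values, check with
# e.g. `apt-cache policy node-sinon` before relying on them.
PACKAGED = {"sinon": "18.0.0", "jquery": "3.6.1"}


def parse_version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def is_minified(text: str) -> bool:
    """A bundle shipped without readable source typically has very long lines."""
    return max((len(line) for line in text.splitlines()), default=0) > 1000


def scan_tree(root: str) -> List[Dict]:
    """Return one finding per .js file whose header names a known library."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            for lib, pattern in BANNERS.items():
                match = pattern.search(text[:2048])
                if match:
                    findings.append({
                        "path": os.path.relpath(path, root),
                        "library": lib,
                        "version": match.group(1),
                        "minified": is_minified(text),
                    })
    return findings


def classify(finding: Dict, packaged: Dict[str, str] = PACKAGED) -> str:
    """'outdated', 'duplicate' or 'newer' relative to the packaged version."""
    lib = finding["library"]
    if lib not in packaged:
        return "unpackaged"
    bundled = parse_version(finding["version"])
    shipped = parse_version(packaged[lib])
    if bundled < shipped:
        return "outdated"
    return "duplicate" if bundled == shipped else "newer"


def package_json(findings: List[Dict]) -> str:
    """A package.json pinning the bundled versions, so that
    `npm i --package-lock-only && npm audit` reports their known advisories."""
    deps = {f["library"]: f["version"] for f in findings}
    return json.dumps({"name": "vendored-audit", "private": True,
                       "dependencies": deps}, indent=2)


def demo() -> Dict:
    """Build a constructed tree resembling a bundled sinon and scan it."""
    root = tempfile.mkdtemp(prefix="vendored-")
    lib = os.path.join(root, "bower_components", "sinon")
    os.makedirs(lib)
    with open(os.path.join(lib, "sinon.js"), "w") as fh:
        fh.write("/**\n * Sinon.JS 1.14.1, 2015/03/16\n */\nvar sinon = {};\n")
    with open(os.path.join(lib, "sinon.min.js"), "w") as fh:
        fh.write("/*! Sinon.JS 1.14.1 */" + "var a=1;" * 200 + "\n")
    findings = scan_tree(root)
    return {
        "findings": findings,
        "classes": [classify(f) for f in findings],
        "package_json": json.loads(package_json(findings)),
    }


if __name__ == "__main__":
    result = demo()
    for finding, cls in zip(result["findings"], result["classes"]):
        print(f"{finding['path']}: {finding['library']} {finding['version']} "
              f"({'minified' if finding['minified'] else 'source'}, {cls})")
    print(json.dumps(result["package_json"], indent=2))
```

Run scan_tree() against the unpacked binary package (for example the tree under a `dpkg-deb -x` extraction) and feed package_json() to `npm i --package-lock-only && npm audit` to obtain the advisory list for exactly the bundled versions; a finding marked minified with no matching source file in the package is the "bundle without source" case the report describes.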