Your message dated Sun, 9 Jan 2022 15:16:32 +0100
with message-id <ydruqp08pb8g0...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted node-shell-quote 1.7.3+~1.7.1-1 (source) into unstable]
has caused the Debian Bug report #998418,
regarding node-shell-quote: CVE-2021-42740
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
998418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=998418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-shell-quote
Version: 1.7.2-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-shell-quote.

CVE-2021-42740[0]:
| The shell-quote package before 1.7.3 for Node.js allows command
| injection. An attacker can inject unescaped shell metacharacters
| through a regex designed to support Windows drive letters. If the
| output of this package is passed to a real shell as a quoted argument
| to a command with exec(), an attacker can inject arbitrary commands.
| This is because the Windows drive letter regex character class is
| [A-z] instead of the correct [A-Za-z]. Several shell metacharacters
| exist in the space between capital letter Z and lower case letter a,
| such as the backtick character.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-42740
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42740
[1] https://github.com/substack/node-shell-quote/commit/5799416ed454aa4ec9afafc895b4e31760ea1abe

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-shell-quote
Source-Version: 1.7.3+~1.7.1-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 09 Jan 2022 12:07:45 +0100
Source: node-shell-quote
Architecture: source
Version: 1.7.3+~1.7.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Changes:
 node-shell-quote (1.7.3+~1.7.1-1) unstable; urgency=medium
 .
   * Team upload
   * Bump debhelper compatibility level to 13
   * Update standards version to 4.6.0, no changes needed.
   * Fix GitHub tags regex
   * Fix filenamemangle
   * Use dh-sequence-nodejs instead of pkg-js-tools
   * Embed typescript declarations and repack
   * New version 1.7.3+~1.7.1 (Closes: CVE-2021-42740)
   * Don't install example in nodejs dir
Checksums-Sha1: 
 21d5175cef13dd96ac3c332f1eab5c414209fde3 2504 node-shell-quote_1.7.3+~1.7.1-1.dsc
 2d059091214a02c29f003f591032172b2aff77e8 2241 node-shell-quote_1.7.3+~1.7.1.orig-types-shell-quote.tar.gz
 68cffd0a49b46fed262ae2c3256f2a31be2eb7f9 7448 node-shell-quote_1.7.3+~1.7.1.orig.tar.gz
 9abd645499ebfae14f31fc40b3f6628529786a71 3308 node-shell-quote_1.7.3+~1.7.1-1.debian.tar.xz
Checksums-Sha256: 
 aac6609a520f28416512038cf3375c93c89c1fa4a7e752747612df4353a77214 2504 node-shell-quote_1.7.3+~1.7.1-1.dsc
 732c849a97ba0778c6bd224b09895b95f7ba0bcdeb41658dfbefbd6fcb48c42d 2241 node-shell-quote_1.7.3+~1.7.1.orig-types-shell-quote.tar.gz
 81f7b74387eb095f2a6c939857c31e148c0cf53e6a0af89bd24dfaa6717f2eef 7448 node-shell-quote_1.7.3+~1.7.1.orig.tar.gz
 b772daf1246bb9542544610717cb6447efacd15def7c79d7cbc40fa02c57068a 3308 node-shell-quote_1.7.3+~1.7.1-1.debian.tar.xz
Files: 
 be6fee392530c1d7254844fc0c948e46 2504 javascript optional node-shell-quote_1.7.3+~1.7.1-1.dsc
 c932ae6cdd4e3244131b099713a03457 2241 javascript optional node-shell-quote_1.7.3+~1.7.1.orig-types-shell-quote.tar.gz
 718b54ecd08a71f1302470e977ea5145 7448 javascript optional node-shell-quote_1.7.3+~1.7.1.orig.tar.gz
 12b7ddff180a9cbf30668d0762f714aa 3308 javascript optional node-shell-quote_1.7.3+~1.7.1-1.debian.tar.xz


----- End forwarded message -----

--- End Message ---
