Your message dated Wed, 12 Jul 2023 20:47:12 +0000
with message-id <e1qjgjw-007j55...@fasolo.debian.org>
and subject line Bug#1032904: fixed in node-webpack
5.75.0+dfsg+~cs17.16.14-1+deb12u1
has caused the Debian Bug report #1032904,
regarding node-webpack: CVE-2023-28154
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1032904: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032904
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-webpack
Version: 5.75.0+dfsg+~cs17.16.14-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/webpack/webpack/pull/16500
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-webpack.
CVE-2023-28154[0]:
| Webpack 5 before 5.76.0 does not avoid cross-realm object access.
| ImportParserPlugin.js mishandles the magic comment feature. An
| attacker who controls a property of an untrusted object can obtain
| access to the real global object.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-28154
https://www.cve.org/CVERecord?id=CVE-2023-28154
[1] https://github.com/webpack/webpack/pull/16500
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-webpack
Source-Version: 5.75.0+dfsg+~cs17.16.14-1+deb12u1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-webpack, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1032...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-webpack package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 29 May 2023 07:53:16 +0400
Source: node-webpack
Architecture: source
Version: 5.75.0+dfsg+~cs17.16.14-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1032904
Changes:
node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium
.
* Team upload
* Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---