Your message dated Fri, 13 Oct 2023 14:37:13 +0000
with message-id <e1qrjht-009zur...@fasolo.debian.org>
and subject line Bug#1053880: fixed in node-babel7 7.20.15+ds1+~cs214.269.168-5
has caused the Debian Bug report #1053880,
regarding node-babel7: CVE-2023-45133
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1053880: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053880
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-babel7
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for node-babel7.
CVE-2023-45133[0]:
| Babel is a compiler for writing JavaScript. In `@babel/traverse`
| prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of
| `babel-traverse`, using Babel to compile code that was specifically
| crafted by an attacker can lead to arbitrary code execution during
| compilation, when using plugins that rely on the `path.evaluate()` or
| `path.evaluateTruthy()` internal Babel methods. Known affected
| plugins are `@babel/plugin-transform-runtime`; `@babel/preset-env`
| when using its `useBuiltIns` option; and any "polyfill provider"
| plugin that depends on `@babel/helper-define-polyfill-provider`,
| such as `babel-plugin-polyfill-corejs3`,
| `babel-plugin-polyfill-corejs2`, `babel-plugin-polyfill-es-shims`,
| `babel-plugin-polyfill-regenerator`. No other plugins under the
| `@babel/` namespace are impacted, but third-party plugins might be.
| Users that only compile trusted code are not impacted. The
| vulnerability has been fixed in `@babel/traverse@7.23.2` and
| `@babel/traverse@8.0.0-alpha.4`. Those who cannot upgrade
| `@babel/traverse` and are using one of the affected packages
| mentioned above should upgrade them to their latest version to
| avoid triggering the vulnerable code path in affected
| `@babel/traverse` versions: `@babel/plugin-transform-runtime`
| v7.23.2, `@babel/preset-env` v7.23.2,
| `@babel/helper-define-polyfill-provider` v0.4.3,
| `babel-plugin-polyfill-corejs2` v0.4.6,
| `babel-plugin-polyfill-corejs3` v0.8.5,
| `babel-plugin-polyfill-es-shims` v0.10.0,
| `babel-plugin-polyfill-regenerator` v0.5.3.
https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92
https://github.com/babel/babel/pull/16033
https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-45133
https://www.cve.org/CVERecord?id=CVE-2023-45133
Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: node-babel7
Source-Version: 7.20.15+ds1+~cs214.269.168-5
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-babel7, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-babel7 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 13 Oct 2023 17:53:38 +0400
Source: node-babel7
Architecture: source
Version: 7.20.15+ds1+~cs214.269.168-5
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1053880
Changes:
node-babel7 (7.20.15+ds1+~cs214.269.168-5) unstable; urgency=medium
.
* Team upload
* Only evaluate own String/Number/Math methods
(Closes: #1053880, CVE-2023-45133)
Checksums-Sha1:
619734cff5f03d380e45d2a34a516b894b06b78e 19547
node-babel7_7.20.15+ds1+~cs214.269.168-5.dsc
8bd7cde12d9e58232336e6ff9d2b6af16c0bcd03 243560
node-babel7_7.20.15+ds1+~cs214.269.168-5.debian.tar.xz
Checksums-Sha256:
a155b71442b7c9ad210cc5b30549811214af77427011a5cae2a0198e95a397c6 19547
node-babel7_7.20.15+ds1+~cs214.269.168-5.dsc
d0c526b2ab950c8310bd0910d19273d189e243dedfdf6297b718da87fbcf7717 243560
node-babel7_7.20.15+ds1+~cs214.269.168-5.debian.tar.xz
Files:
ee75bcff22329b15debf0de240937bd0 19547 javascript optional
node-babel7_7.20.15+ds1+~cs214.269.168-5.dsc
3be4cdf9642d762b6eeea88367365065 243560 javascript optional
node-babel7_7.20.15+ds1+~cs214.269.168-5.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
=xa1y
-----END PGP SIGNATURE-----
--- End Message ---
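As an added illustration of the code path that the advisory text in the first message and the changelog line "Only evaluate own String/Number/Math methods" in the second describe (example code written for this page, not Babel's own source): a toy constant folder shaped like the `CallExpression` branch of `path.evaluate()`, run once as pre-fix logic and once with an own-property check. The AST nodes are constructed by hand in Babel's node shapes, with no parser involved; `evaluate`, `foldNaive` and `foldHardened` are names chosen here, and the real exploit chain against Babel is not reproduced. What it shows is the mechanism behind the fix: `String.constructor` is not an own property of `String` but is inherited from `Function.prototype`, so a folder that resolves `global[object][property]` without an own-property check hands attacker-controlled source to the `Function` constructor at compile time, while the hardened folder simply declines to fold the expression.

```javascript
// Added example, not Babel's code. A minimal constant folder in the shape of
// @babel/traverse's path.evaluate() CallExpression branch, with an `ownOnly`
// switch for the own-property check that the fix introduces.

const VALID_OBJECT_CALLEES = ["Number", "String", "Math"];

// Hand-built node constructors (constructed input in Babel-like node types).
const id = (name) => ({ type: "Identifier", name });
const str = (value) => ({ type: "StringLiteral", value });
const num = (value) => ({ type: "NumericLiteral", value });
const member = (object, property) => ({ type: "MemberExpression", object, property, computed: false });
const call = (callee, args) => ({ type: "CallExpression", callee, arguments: args });

// Returns { confident, value } like path.evaluate(): confident=false means
// "not folded, leave it for runtime".
function evaluate(node, { ownOnly }) {
  const deopt = { confident: false, value: undefined };
  switch (node.type) {
    case "StringLiteral":
    case "NumericLiteral":
      return { confident: true, value: node.value };
    case "CallExpression": {
      const { callee } = node;
      if (callee.type !== "MemberExpression" || callee.computed) return deopt;
      const { object, property } = callee;
      if (object.type !== "Identifier" || property.type !== "Identifier") return deopt;
      if (!VALID_OBJECT_CALLEES.includes(object.name)) return deopt;

      const context = globalThis[object.name];
      const key = property.name;
      // The fix: an inherited property (constructor, call, apply, __defineGetter__, ...)
      // is not a String/Number/Math helper, so only own properties are folded.
      if (ownOnly && !Object.prototype.hasOwnProperty.call(context, key)) return deopt;
      const func = context[key];
      if (typeof func !== "function") return deopt;

      const args = [];
      for (const arg of node.arguments) {
        const r = evaluate(arg, { ownOnly });
        if (!r.confident) return deopt;
        args.push(r.value);
      }
      // This call happens inside the compiler, with whatever `func` resolved to.
      return { confident: true, value: func.apply(context, args) };
    }
    default:
      return deopt;
  }
}

function foldNaive(node)    { return evaluate(node, { ownOnly: false }); }
function foldHardened(node) { return evaluate(node, { ownOnly: true }); }

// Legitimate folding a polyfill provider or preset-env wants to keep doing.
const benignMax = call(member(id("Math"), id("max")), [num(1), num(2)]);
const benignChars = call(member(id("String"), id("fromCharCode")), [num(72), num(105)]);

// Constructed attacker input: String.constructor("return 42").
// `constructor` resolves to Function, so the naive folder compiles the string.
const hostile = call(member(id("String"), id("constructor")), [str("return 42")]);

console.log(foldNaive(benignMax).value, foldHardened(benignMax).value);       // 2 2
console.log(foldNaive(benignChars).value, foldHardened(benignChars).value);   // Hi Hi
console.log(typeof foldNaive(hostile).value);      // function (attacker source reached Function())
console.log(foldHardened(hostile).confident);      // false (not folded)
```

The own-property test is `Object.prototype.hasOwnProperty.call(context, key)`; on Node 16.9 and later `Object.hasOwn(context, key)` is equivalent. The hardened folder still folds `Math.max` and `String.fromCharCode`, which are own properties, so the fix costs nothing for the cases the affected plugins rely on. To find out whether a project tree still resolves a pre-7.23.2 copy of the traverse package, `npm ls @babel/traverse` lists every resolved version, including nested duplicates that a top-level upgrade can leave behind.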