Your message dated Mon, 06 Apr 2026 07:04:18 +0000
with message-id <[email protected]>
and subject line Bug#1132714: fixed in node-xmldom 0.9.9-1
has caused the Debian Bug report #1132714,
regarding node-xmldom: CVE-2026-34601
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1132714: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132714
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-xmldom
Version: 0.9.8-2
Severity: important
X-Debbugs-Cc: [email protected]
Control: found -1 0.9.6-1
Control: found -1 0.8.6-1

Hi,

The following vulnerability was published for node-xmldom.

CVE-2026-34601[0]:
| xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2
| Core) `DOMParser` and `XMLSerializer` module. In xmldom versions
| 0.6.0 and prior and @xmldom/xmldom prior to versions 0.8.12 and
| 0.9.9, xmldom/xmldom allows attacker-controlled strings containing
| the CDATA terminator ]]> to be inserted into a CDATASection node.
| During serialization, XMLSerializer emitted the CDATA content
| verbatim without rejecting or safely splitting the terminator. As a
| result, data intended to remain text-only became active XML markup
| in the serialized output, enabling XML structure injection and
| downstream business-logic manipulation. This issue has been patched
| in xmldom version 0.6.0 and @xmldom/xmldom versions 0.8.12 and
| 0.9.9.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-34601
    https://www.cve.org/CVERecord?id=CVE-2026-34601
[1] https://github.com/xmldom/xmldom/security/advisories/GHSA-wh4c-j3r5-mjhp

Regards,
Salvatore

--- End Message ---
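
The serialization problem described in the CVE text above, shown as an added example that is not part of the original report and is not xmldom's code. The helper names and the sample string are assumptions made for illustration; the block compares verbatim CDATA output with the two safe options the description names (rejecting the terminator, or splitting it across sections).

```javascript
// Added illustration; hypothetical helper names, not xmldom's API or source.
const OPEN = '<![CDATA[', CLOSE = ']]>';

// Behaviour the advisory describes: CDATA content is emitted verbatim.
function serializeCdataVerbatim(data) {
  return OPEN + data + CLOSE;
}

// Mitigation 1: refuse content that contains the terminator.
function serializeCdataStrict(data) {
  if (data.includes(CLOSE)) throw new Error('CDATA content contains "]]>"');
  return OPEN + data + CLOSE;
}

// Mitigation 2: split each terminator across two adjacent sections,
// so "]]" ends one section and ">" starts the next.
function serializeCdataSplit(data) {
  return OPEN + data.split(CLOSE).join(']]' + CLOSE + OPEN + '>') + CLOSE;
}

// Minimal reader standing in for a downstream consumer: returns the text
// held in CDATA sections and whatever was left outside them as markup.
function readBack(xml) {
  let text = '', markup = '', i = 0;
  while (i < xml.length) {
    if (xml.startsWith(OPEN, i)) {
      const end = xml.indexOf(CLOSE, i + OPEN.length);
      if (end === -1) throw new Error('unterminated CDATA section');
      text += xml.slice(i + OPEN.length, end);
      i = end + CLOSE.length;
    } else {
      markup += xml[i++];
    }
  }
  return { text, markup };
}

// Constructed sample value: text that contains the terminator.
const sample = 'a]]><injected/><![CDATA[b';
console.log(readBack(serializeCdataVerbatim(sample))); // markup escapes the section
console.log(readBack(serializeCdataSplit(sample)));    // text round-trips, no markup
```
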
--- Begin Message ---
Source: node-xmldom
Source-Version: 0.9.9-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-xmldom, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-xmldom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Apr 2026 08:39:17 +0200
Source: node-xmldom
Architecture: source
Version: 0.9.9-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1132714
Changes:
 node-xmldom (0.9.9-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * debian/watch version 5
   * New upstream version (Closes: #1132714, CVE-2026-34601)


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
