Your message dated Mon, 06 Apr 2026 10:05:54 +0000
with message-id <[email protected]>
and subject line Bug#1126272: fixed in node-diff 5.2.2~dfsg+~5.2.3-1
has caused the Debian Bug report #1126272,
regarding node-diff: CVE-2026-24001
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1126272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126272
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-diff
Version: 5.0.0~dfsg+~5.0.1-4
Severity: important
Tags: security upstream
Forwarded: https://github.com/kpdecker/jsdiff/issues/653
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-diff.

CVE-2026-24001[0]:
| jsdiff is a JavaScript text differencing implementation. Prior to
| versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose
| filename headers contain the line break characters `\r`, `\u2028`,
| or `\u2029` can cause the `parsePatch` method to enter an infinite
| loop. It then consumes memory without limit until the process
| crashes due to running out of memory. Applications are therefore
| likely to be vulnerable to a denial-of-service attack if they call
| `parsePatch` with a user-provided patch as input. A large payload is
| not needed to trigger the vulnerability, so size limits on user
| input do not provide any protection. Furthermore, some applications
| may be vulnerable even when calling `parsePatch` on a patch
| generated by the application itself if the user is nonetheless able
| to control the filename headers (e.g. by directly providing the
| filenames of the files to be diffed). The `applyPatch` method is
| similarly affected if (and only if) called with a string
| representation of a patch as an argument, since under the hood it
| parses that string using `parsePatch`. Other methods of the library
| are unaffected. Finally, a second and lesser interdependent bug - a
| ReDOS - also exhibits when those same line break characters are
| present in a patch's *patch* header (also known as its "leading
| garbage"). A maliciously-crafted patch header of length *n* can take
| `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4
| contain a fix. As a workaround, do not attempt to parse patches that
| contain any of these characters: `\r`, `\u2028`, or `\u2029`.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24001
    https://www.cve.org/CVERecord?id=CVE-2026-24001
[1] https://github.com/kpdecker/jsdiff/issues/653
[2] https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx
[3] https://github.com/kpdecker/jsdiff/pull/649

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-diff
Source-Version: 5.2.2~dfsg+~5.2.3-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-diff, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-diff package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 06 Apr 2026 11:40:08 +0200
Source: node-diff
Architecture: source
Version: 5.2.2~dfsg+~5.2.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1126272
Changes:
 node-diff (5.2.2~dfsg+~5.2.3-1) unstable; urgency=medium
 .
   * Team upload
   * Declare compliance with policy 4.7.4
   * debian/watch version 5
   * New upstream version (Closes: #1126272, CVE-2026-24001)
   * Refresh patches
Checksums-Sha1: 
 1a7261f9ab762e46b1dd335aa54200fca0ee0277 2481 node-diff_5.2.2~dfsg+~5.2.3-1.dsc
 bd3c8d144411832cebeea784fbeba42ba2c31920 4724 node-diff_5.2.2~dfsg+~5.2.3.orig-types-diff.tar.xz
 9637272c858741dab7d8599cc51762a86fe039ed 177992 node-diff_5.2.2~dfsg+~5.2.3.orig.tar.xz
 4825e6be199adad6e7beee749239ef1eae53e1ee 6916 node-diff_5.2.2~dfsg+~5.2.3-1.debian.tar.xz
Checksums-Sha256: 
 cb1f1fdc1a523af7b9d815e279d73d659a170dee04720abc92270eaabf94963d 2481 node-diff_5.2.2~dfsg+~5.2.3-1.dsc
 a153e27034c7fd7d6b56f546646819486f40207cf13468d83a74fc0ed4711849 4724 node-diff_5.2.2~dfsg+~5.2.3.orig-types-diff.tar.xz
 927ddb0eed019c49f0dd2ece154199fd1dd50d3e3104d9c70755bb88d2759f69 177992 node-diff_5.2.2~dfsg+~5.2.3.orig.tar.xz
 d8876930c0bfea2b090dd3c511c71a7d94f5033fd2f8351b5d26df84ba30cd32 6916 node-diff_5.2.2~dfsg+~5.2.3-1.debian.tar.xz
Files: 
 7d84904f162e85bc36edcd589c2cddfa 2481 javascript optional node-diff_5.2.2~dfsg+~5.2.3-1.dsc
 925297f23ffcfacdf3e58fd38e99c654 4724 javascript optional node-diff_5.2.2~dfsg+~5.2.3.orig-types-diff.tar.xz
 6414fbd91ba6572accd7863d5fb58112 177992 javascript optional node-diff_5.2.2~dfsg+~5.2.3.orig.tar.xz
 064f182392b39c754e0548628dee7da1 6916 javascript optional node-diff_5.2.2~dfsg+~5.2.3-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Attachment: pgp40Y2_WLgUm.pgp
Description: PGP signature


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel