
Bug#1006215: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1



hi,

On Wed, Feb 23, 2022 at 10:27:33PM +0100, Moritz Mühlenhoff wrote:
> Am Mon, Feb 21, 2022 at 01:57:54PM +0100 schrieb Yadd:
> > Package: release.debian.org
> > Severity: normal
> > Tags: bullseye
> > User: release.debian.org@packages.debian.org
> > Usertags: pu
> > 
> > [ Reason ]
> > node-prismjs has 2 vulnerabilities:
> >  * Regex DoS (CVE-2021-40438)
> 
> Where did you get that CVE reference from? CVE-2021-40438 is for a
> mod_proxy vulnerability in Apache httpd?

The used changelog entry actually has:

+node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2021-3801)
+  * Command Line: Escape markup in command line output
+    (Closes: CVE-2022-23647)
+
+ -- Yadd <yadd@debian.org>  Mon, 21 Feb 2022 11:57:44 +0100
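Review bot: the version in the changelog header, 1.23.0+dfsg-1+deb11u1, is the same one the thread says already shipped in the previous bullseye point release with the CVE-2021-3801 fix, so this upload would collide with an existing version; if only the CVE-2022-23647 fix is new, the entry should be bumped to 1.23.0+dfsg-1+deb11u2 and should list only "Command Line: Escape markup in command line output (Closes: CVE-2022-23647)", dropping the "Fix ReDoS (Closes: CVE-2021-3801)" line so the changelog does not claim to close a bug fixed in an earlier revision.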

But this seems odd: CVE-2021-3801 was already fixed in the last
bullseye point release with 1.23.0+dfsg-1+deb11u1. So should this
update be only for CVE-2022-23647 and the version be
1.23.0+dfsg-1+deb11u2?

Regards,
Salvatore