[SECURITY] [DLA 3247-1] node-trim-newlines security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3247-1] node-trim-newlines security update
From: "Chris Lamb" <lamby@debian.org>
Date: Fri, 23 Dec 2022 14:08:28 +0000
Message-id: <[🔎] 167178594947.470134.5036929005501061913@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3247-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
December 23, 2022                             https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : node-trim-newlines
Version        : 1.0.0-1+deb10u1
CVE ID         : CVE-2021-33623

It was discovered that there was a potential remote denial of service
vulnerability in node-trim-newlines, a Javascript module to strip
newlines from the start and/or end of a string.

This regular expression Denial of Service (ReDoS) attack exploited
the fact that most Regular Expression implementations can reach
extreme situations that cause them to work very slowly in a way that
is exponentially related to the input size. An attacker can then
cause a program using node-trim-newlines (and thus the offending
regex) to enter one of these extreme situations and then hang for a
very long time.

For Debian 10 buster, this problem has been fixed in version
1.0.0-1+deb10u1.

We recommend that you upgrade your node-trim-newlines packages.

For the detailed security status of node-trim-newlines please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-trim-newlines

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmOlbdsACgkQHpU+J9Qx
HliwlA/+Pys1jm5/6MVSg0utSNN/WeJU2FgyAjKarfectokRWBXLE99FEIVuGSZW
gSOmbcBptbzaYvZSBnjnYm6vy1yMSILo6+tEdbJKnK7Xb/oHg7GoiHvCn0IiUXoI
WyxXjBWqqkw7geL1D4HZpwQzgWwyAayia7cLmANY3TwsxQG6WYmE2KP90uUIYtDm
JPP8ybPPeV9UyLGw/GZOsbzn3YJXT5tXrwZvJAYH0xWMZzzGJyfdse8kFJnuBJsl
VWblHfPcm9nrp3or96mzPseNyGqOEBV36VK3uLt9baXWIro0nLwZ98/VN5+LcCeV
zKZV9fgfZ9LC+A+wCy9YnfMm8/DQapLH8I+WSxhi43/UfxyBK20LB95sWe4+W3zk
bxO3Yku5Diw+WfozMU9iFEiT8vYcOSW6CzGDbeDJxW6RdNN6WVg9R+7WDWiFhobo
T+k9HvVpwfEFmEZF1WYuG0RBpsJukTX+CTgFuCf8/khv7c+UAClqVJrzDnS0l6pe
AGwjsipim9b9yk5b7BqPrVPd1xm5IkWPZRai2Zko0ObTr3AUcNf57k8EZnmSF0yF
jIkVmO4vgKSp6wMtAKif9yiwIagUIKSdUag4S5MUQp8dEd0Y/ScecsXA9UbbvsYT
K5PgNlifiqqU5i/2pUxY9yr9CU1J1yr7qeh6tuWPczNOP+IzCVQ=
=4j6A
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3246-1] node-hawk security update
Next by Date: [SECURITY] [DLA 3245-1] linux security update
Previous by thread: [SECURITY] [DLA 3246-1] node-hawk security update
Next by thread: [SECURITY] [DLA 3245-1] linux security update
Index(es):
- Date
- Thread