• unblock: node-jsdom/20.0.3+~cs124.18.21-5

    From Bastien Roucaries@21:1/5 to Debian Bug Tracking System on Sun Jul 20 11:21:16 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected], [email protected], [email protected]
    Control: affects -1 + src:node-jsdom
    User: [email protected]
    Usertags: unblock

    Please unblock package node-jsdom

    [ Reason ]
    Affected by a ReDoS (outside upstream security support), but this blocks the autopkgtest for angular.js, which is affected by about 10 CVEs

    [ Impact ]
    Fix a ReDoS

    [ Tests ]
    testsuite

    [ Risks ]
    Low

    [ Checklist ]
    [X] all changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in testing

    [ Other info ]
    Would like to have angular.js fixed in trixie.

    unblock node-jsdom/20.0.3+~cs124.18.21-5

    [attachment: debdiff.diff]

    diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/changelog node-jsdom-20.0.3+~cs124.18.21/debian/changelog
    --- node-jsdom-20.0.3+~cs124.18.21/debian/changelog 2023-11-25 04:15:10.000000000 +0100
    +++ node-jsdom-20.0.3+~cs124.18.21/debian/changelog 2025-06-28 22:22:20.000000000 +0200
    @@ -1,3 +1,10 @@
    +node-jsdom (20.0.3+~cs124.18.21-5) unstable; urgency=medium
    +
    + * Team upload
    + * Avoid a ReDos in string.js
    +
    + -- Bastien Roucariès <[email protected]> Sat, 28 Jun 2025 22:22:20 +0200
    +
    node-jsdom (20.0.3+~cs124.18.21-4) unstable; urgency=medium

    * Team upload
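    Review bot: the new changelog entry "Avoid a ReDos in string.js" gives no reference (no Closes: bug, no upstream issue or PR) and no hint of why Debian carries a fix that upstream declined, which is exactly what a release-team reviewer will ask for on an unblock; add the bug or upstream reference to the entry, and spell it "ReDoS" to match the term used in the unblock request itself.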
    diff -Nru node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch
    --- node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch 1970-01-01 01:00:00.000000000 +0100
    +++ node-jsdom-20.0.3+~cs124.18.21/debian/patches/0005-Avoid-a-ReDos-in-string.js.patch 2025-06-28 22:22:20.000000000 +0200
    @@ -0,0 +1,61 @@
    +From 0848d35195fada87b1fedab0f6a566308a892a6a Mon Sep 17 00:00:00 2001
    +From: =?UTF-8?q?Bastien=2
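    Review bot: the new file 0005-Avoid-a-ReDos-in-string.js.patch is cut off in this copy right after its From: header, so the actual change to string.js cannot be reviewed from what is shown; the full file should be checked for a DEP-3 header (Bug/Forwarded fields) recording that upstream declined the change, so that the patch is neither dropped as not-needed on the next upstream merge nor resubmitted without context.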
  • From Paul Gevers@21:1/5 to All on Sun Jul 20 15:00:01 2025
    XPost: linux.debian.devel.release
    To: [email protected] (=?UTF-8?Q?Bastien_Roucari=C3=A8s?=)
    Copy: [email protected] (Debian Security Team)

    Control: tags -1 moreinfo

    Hi,

    On Sun, 20 Jul 2025 11:21:45 +0200 Bastien Roucaries <[email protected]> wrote:
    > [ Reason ]
    > Affected by a ReDoS (outside upstream security support) but this block
    > autopkgtest for angular.js affected by about 10 CVEs

    Can you please explain why upstream declined your patch and why we
    should carry it? Are reverse dependencies using this package for use
    cases it wasn't intended for (and not supported upstream)? Please assume
    I know nearly nothing about the node ecosystem.

    Paul


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Bastien Roucaries@21:1/5 to Paul Gevers on Sun Jul 20 20:38:18 2025
    XPost: linux.debian.devel.release
    To: [email protected] (Paul Gevers)
    Copy: [email protected] (Debian Security Team)

    On Sunday 20 July 2025 at 14:51:06 Central European Summer Time, Paul Gevers wrote:
    > Control: tags -1 moreinfo
    >
    > Hi,
    >
    > On Sun, 20 Jul 2025 11:21:45 +0200 Bastien Roucaries <[email protected]> wrote:
    > > [ Reason ]
    > > Affected by a ReDoS (outside upstream security support) but this block autopkgtest for angular.js affected by about 10 CVEs
    >
    > Can you please explain why upstream declined your patch and why we
    > should carry it?

    They explicitly said that ReDoS are not a security problem.

    > Are reverse dependencies using this package for use
    > cases it wasn't intended for (and not supported upstream)?

    We use node-jsdom for testing angular.js and thus hit a ReDoS in node-jsdom before hitting the ReDoS in angular.js.

    jsdom is the gold standard for automated testing of JS.

    I have reported it to jsdom's security support and we are trying to get the patch merged as an improvement, not as security support.

    > Please assume
    > I know nearly nothing about the node ecosystem.
    >
    > Paul


