[Secure-testing-team] Bug#836205: node-debug: CVE-2015-8315: Vulnerable to ReDoS attacks

Jonas Smedegaard dr at jones.dk
Wed Aug 31 14:34:57 UTC 2016


Package: node-debug
Version: 2.1.0+dfsg
Severity: important
Tags: security upstream


node-debug contains a convenience code copy of ms, which is vulnerable to
so-called ReDoS (regular expression denial of service) attacks:
https://nodesecurity.io/advisories/46

According to the above advisory, upgrading to ms 0.7.1 or greater solves the
issue.

node-debug addressed this as the last commit before releasing 2.2.0:
https://github.com/visionmedia/debug/commit/0f4fd585befe8ce9287f4407cbcd95c63a6f1cfd
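As an added illustration (not code from ms, node-debug or this report), below is a duration parser in the style of ms hardened against the ReDoS class the advisory describes. The ambiguous pattern named in the comments is an approximation of the pre-0.7.1 ms number regex, not a verbatim copy; the unit list, the length cap and the parser itself are assumptions made for this example.

```javascript
// Added example: an ms-style duration parser with two independent ReDoS defences.
//
// The vulnerable shape is a regex in which adjacent quantified digit groups can
// match the same characters in many ways, e.g. `(?:\d+)?\.?\d+` (approximation
// of the old ms pattern). On a long run of digits followed by a character that
// makes the whole match fail, the engine tries every split of the digits, so
// matching time grows quadratically with input length. Defences applied here:
//   1. a hard cap on input length, checked before the regex is ever executed;
//   2. an unambiguous number pattern, `\d+(?:\.\d+)?|\.\d+`, where each digit
//      can only be consumed by one sub-expression, so backtracking is linear.

const MAX_INPUT_LENGTH = 100; // assumption: generous for any real duration string

const UNIT_MS = {
  ms: 1, s: 1000, m: 60 * 1000, h: 60 * 60 * 1000,
  d: 24 * 60 * 60 * 1000, y: 365.25 * 24 * 60 * 60 * 1000,
};

// Accepted unit spellings (assumed for the example); long forms are mapped
// onto the single-letter keys of UNIT_MS below.
const UNIT_RE = 'ms|seconds?|s|minutes?|m|hours?|h|days?|d|years?|y';
const DURATION_RE = new RegExp(`^(\\d+(?:\\.\\d+)?|\\.\\d+) *(${UNIT_RE})?$`, 'i');

// Returns the duration in milliseconds, or undefined when str is not a valid
// duration string or exceeds the length cap.
function parseDuration(str) {
  if (typeof str !== 'string' || str.length === 0 || str.length > MAX_INPUT_LENGTH) {
    return undefined; // rejected by the length cap; no regex work is done
  }
  const m = DURATION_RE.exec(str);
  if (!m) return undefined;
  const n = parseFloat(m[1]);
  const unit = (m[2] || 'ms').toLowerCase();
  // 'ms' is the only multi-letter key; every other spelling is keyed by its
  // first letter (seconds -> s, minutes -> m, hours -> h, days -> d, years -> y).
  const key = unit === 'ms' ? 'ms' : unit[0];
  return n * UNIT_MS[key];
}

// Constructed hostile input: a long run of digits plus a non-matching suffix.
// Against the ambiguous pattern this forces quadratic backtracking; here the
// length cap rejects it before the regex runs at all.
const HOSTILE_INPUT = '1'.repeat(50000) + 'x';
```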

I found this issue through a commit message to node-stringprep:
https://github.com/astro/node-stringprep/commit/e9d5b40ab3c6a03546309ba84b08b159b5d0db59

I wonder if perhaps the security team might have spotted this far
earlier, if the ms code had been properly packaged as a first-class
node-ms package rather than hidden as an embedded convenience code copy.


 - Jonas

