|
|
Subscribe / Log in / New account

Debian alert DLA-3561-1 (node-cookiejar)



From:
              Chris Lamb <lamby@debian.org>


To:
              debian-lts-announce@lists.debian.org


Subject:
              [SECURITY] [DLA 3561-1] node-cookiejar security update


Date:
              Mon, 11 Sep 2023 18:00:43 -0700


Message-ID:
              <169446159379.209727.10817127827429462993@copycat>


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3561-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
September 11, 2023                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : node-cookiejar
Version        : 2.0.1-1+deb10u1
CVE ID         : CVE-2022-25901

It was discovered that there was a potential Regular Expression
Denial of Service (ReDoS) attack in node-cookiejar, a Node.js library
for parsing and manipulating HTTP cookies. An attack was possible via
passing a large value to the Cookie.parse function.

For Debian 10 buster, this problem has been fixed in version
2.0.1-1+deb10u1.

We recommend that you upgrade your node-cookiejar packages.

For the detailed security status of node-cookiejar please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/node-cookiejar

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmT/bpgACgkQHpU+J9Qx
HljIOQ/9F6beLpCvWe3n5uNAGGAbRMdVzZi/ypd7ag0BfTRX77QHGI2sLxPrhW/6
QX//1+nBvZD9DT0po3acJ5Q4OQ0cEwqpqU3NiUbyaaaB3JwcnZFBxTScBIFtJH46
2G0k5UvBxeCAf201QTpdYi31O+jvA6Ot7nKNChSKSJAGhdTNyoF/u0cGvElgGXog
wk58kbzVqKFuYoRC57P7h4rvXmRAjmIbj0UFMNImwCv24e9aTVx4DOm95pofAOCH
mhvQLlojXiHjRfuvBY4bDod3DGuFu8fi3eQZLmnBhrutyvBktua4869nVPGAghKF
+ZtDCZ4caWdYg+8JyuaeqByOXLbqZBGCoUos903t9VznyYV5Qn22jP0FXnQPUqS6
rQSdpYvoTQtoz8BYPLHwqEXIkDO/judpPFy3uKjpboJOCfpLLxhgC6d7wGj/PXGM
apT9fUSmMjrKkfHrhHR76ZlN6OwCnWtBXXHq5+DfVYC895+53QYv0iDp/b9Y3tRx
rH7pzOOWvpEA2qE8p3HsZK2qCoHGNn0mcGBKww17voiVO0kjm3vn9wVSZo4GR3qz
Pv1jrNKEmLYvxyZrPIzVRwBhpTyQP/BLZvYfaTtpomywvdGZk7vhvW2E7CgjEo/n
zA47CoH6eavxoyUIspUvZrOgTeodkpzKYeB6v0wCn9dvooq4kPY=
=K4nM
-----END PGP SIGNATURE-----
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds