• Bug#1102478: bookworm-pu: package node-serialize-javascript/6.0.0-2+deb

    From Yadd@21:1/5 to All on Wed Apr 9 14:10:01 2025
    XPost: linux.debian.devel.release

    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: node-serialize-javascript@packages.debian.org, yadd@debian.org
    Control: affects -1 + src:node-serialize-javascript
    User: release.debian.org@packages.debian.org
    Usertags: pu

    [ Reason ]
    A flaw was found in npm-serialize-javascript. The vulnerability occurs
    because the serialize-javascript module does not properly sanitize
    certain inputs, such as regex or other JavaScript object types, allowing
    an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks.
    This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package (#1095767, CVE-2024-11831).

    [ Impact ]
    Medium security issue

    [ Tests ]
    Patch contains new tests.

    [ Risks ]
    Low risk, patch is trivial

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    Better check of remote parameters

    Cheers,
    Xavier

    diff --git a/debian/changelog b/debian/changelog
    index c0b369d..2a488d8 100644
    --- a/debian/changelog
    +++ b/debian/changelog
    @@ -1,3 +1,11 @@
    +node-serialize-javascript (6.0.0-2+deb12u1) bookworm; urgency=medium
    +
    + * Team upload
    + * Serialize URL string contents to prevent XSS
    + (Closes: #1095767, CVE-2024-11831)
    +
    + -- Yadd <yadd@debian.org> Wed, 09 Apr 2025 13:54:59 +0200
    +
    node-serialize-javascript (6.0.0-2) unstable; urgency=medium

    [ Debian Janitor ]
    diff --git a/debian/patches/CVE-2024-11831.patch b/debian/patches/CVE-2024-11831.patch
    new file mode 100644
    index 0000000..481529f
    --- /dev/null
    +++ b/debian/patches/CVE-2024-11831.patch
    @@ -0,0 +1,43 @@
    +Description: serialize URL string contents to prevent XSS
    +Author: Ryan Delaney <ryan@reverecre.com>
    +Origin: upstream, https://github.com/yahoo/serialize-javascript/commit/f27d65d3
    +Bug: https://github.com/yahoo/serialize-javascript/pull/173
    +Bug-Debian: https://bugs.debian.org/1095767
    +Forwarded: not-needed
    +Applied-Upstream: 6.0.2, commit:f27d65d3
    +Reviewed-By: Yadd <yadd@debian.org>
    +Last-Upd
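    Review bot: the patch file is cut off at "Last-Upd", so the code change itself and the new tests claimed under [ Tests ] are not visible in this message and cannot be reviewed from the debdiff as posted; please attach the complete patch. Also, the Description line ("serialize URL string contents to prevent XSS") describes a narrower fix than the [ Changes ] summary ("Better check of remote parameters"); the two should say the same thing so the changelog and the DEP-3 header can be checked against each other.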
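    The defect class the report describes, a URL object's string contents dropped into generated JavaScript without escaping, beside the hardened form that routes the string through the same escaping used for any other value. This is an added illustration, not serialize-javascript's code nor the upstream patch; `serializeString`, `serializeUrlUnsafe`, `serializeUrlSafe`, `revive` and the sample URL are constructed for it.

```javascript
// Hypothetical illustration of the defect class in the report: a URL
// object's string contents interpolated into generated JavaScript
// without escaping. Not serialize-javascript's code or the upstream fix.

// Characters that must not appear raw in a JS string literal that is
// later placed inside an HTML <script> block or parsed as JavaScript.
const JS_ESCAPES = {
  '<': '\\u003C',      // a raw "</" could end the enclosing script tag
  '>': '\\u003E',
  '/': '\\u002F',
  '\u2028': '\\u2028', // line terminators in JS, but legal inside JSON
  '\u2029': '\\u2029',
};

// Serialize a string as a JS literal: JSON.stringify escapes quotes and
// backslashes, the replace handles the HTML/parser-sensitive characters.
function serializeString(str) {
  return JSON.stringify(str).replace(/[<>\/\u2028\u2029]/g, (c) => JS_ESCAPES[c]);
}

// Vulnerable pattern: href is pasted straight into the source text, so a
// quote in the URL ends the literal and the rest is parsed as code.
function serializeUrlUnsafe(url) {
  return 'new URL("' + url.href + '")';
}

// Hardened pattern: href goes through the same escaping as any string.
function serializeUrlSafe(url) {
  return 'new URL(' + serializeString(url.href) + ')';
}

// Rebuild the object from generated source, as a client would.
function revive(source) {
  return new Function('return ' + source)();
}

// Constructed sample: non-special schemes keep quotes and angle brackets
// raw in href, so they reach the serializer unencoded.
const sample = new URL('mailto:"x<y>"');

function demo() {
  const safe = serializeUrlSafe(sample);
  let unsafeError = null;
  try { revive(serializeUrlUnsafe(sample)); } catch (e) { unsafeError = e.name; }
  return { safe, roundTrip: revive(safe).href === sample.href, unsafeError };
}

console.log(demo());
```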
  • From Adam D. Barratt@21:1/5 to Yadd on Sat May 10 17:00:01 2025
    XPost: linux.debian.devel.release

    Control: tags -1 + confirmed

    On Wed, 2025-04-09 at 13:59 +0200, Yadd wrote:
    > A flaw was found in npm-serialize-javascript. The vulnerability
    > occurs because the serialize-javascript module does not properly
    > sanitize certain inputs, such as regex or other JavaScript object
    > types, allowing an attacker to inject malicious code. This code could
    > be executed when deserialized by a web browser, causing Cross-site
    > scripting (XSS) attacks.

    Please go ahead.

    Regards,

    Adam

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adam D Barratt@21:1/5 to All on Sun May 11 11:50:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1102478 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: node-serialize-javascript
    Version: 6.0.0-2+deb12u1

    Explanation: fix cross-site scripting issue [CVE-2024-11831]
