CVE-2021-23566
The nanoid package is vulnerable to Information Exposure via the
valueOf() function, which allows the last generated id to be reproduced.
CVE-2023-44270
The vulnerability affects linters using PostCSS to parse external
untrusted CSS. An attacker can prepare CSS in such a way that it will
contain parts parsed by PostCSS as a CSS comment. After processing
by PostCSS, it will be included in the PostCSS output in CSS nodes
(rules, properties) despite being included in a comment.
CVE-2024-55565
The nanoid package mishandles non-integer values of the size parameter.
For Debian 11 bullseye, these problems have been fixed in version
8.2.1+~cs5.3.23-8+deb11u1.
We recommend that you upgrade your node-postcss packages.
For the detailed security status of node-postcss please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/node-postcss
Further information about Debian LTS security advisories, how to apply