Debian Security Advisory
DLA-3247-1 node-trim-newlines -- LTS security update
- Date Reported:
- 23 Dec 2022
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2021-33623.
- More information:
This regular expression Denial of Service (ReDoS) attack exploited the fact that most Regular Expression implementations can reach extreme situations that cause them to work very slowly in a way that is exponentially related to the input size. An attacker can then cause a program using node-trim-newlines (and thus the offending regex) to enter one of these extreme situations and then hang for a very long time.
The trim-newlines package before 3.0.1 and 4.x before 4.0.1 for Node.js has an issue related to regular expression denial-of-service (ReDoS) for the .end() method.
For Debian 10
Buster, these problems have been fixed in version 1.0.0-1+deb10u1.
We recommend that you upgrade your node-trim-newlines packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS