<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hi Bastien,<br>
<br>
If you would like me to prepare an upload to unstable for this
(& unblock request), let me know. I have some time today &
tomorrow - but travelling with work next week. I have DM upload
rights for it.<br>
<br>
Only asking in case you are already working on it.<br>
<br>
Cheers,<br>
<br>
Ross<br>
<br>
On 05/27/2017 04:51 PM, Bastien ROUCARIÈS wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2409874.mvXUDI8C0e@portable2015-bastien">
<pre wrap="">Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental
X-Debbugs-CC: <a class="moz-txt-link-abbreviated" href="mailto:secure-testing-team@lists.alioth.debian.org">secure-testing-team@lists.alioth.debian.org</a>
forwarded: <a class="moz-txt-link-freetext" href="https://snyk.io/vuln/npm:concat-stream:20160901">https://snyk.io/vuln/npm:concat-stream:20160901</a>
Overview
concat-stream is a writable stream that concatenates strings or binary data and
calls a callback with the result. Affected versions of the package are
vulnerable to Uninitialized Memory Exposure.
A possible memory disclosure vulnerability exists when a value of type number
is provided to the stringConcat() method and results in concatenation of
uninitialized memory to the stream collection.
This is a result of unobstructed use of the Buffer constructor, whose insecure
default constructor increases the odds of memory leakage.</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
</blockquote>
<p><br>
</p>
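<p>The pattern described in the quoted report, shown beside a hardened form, as an added example that is not part of the original message and is not concat-stream's own code. <code>legacyBuffer</code> is a hypothetical helper that models the old <code>Buffer(number)</code> behaviour with <code>Buffer.allocUnsafe</code>; <code>concatUnsafe</code>, <code>concatSafe</code> and the sample input are constructed for illustration.</p>
<pre>
```javascript
// Hypothetical helper: models the legacy `new Buffer(value)` on affected
// Node.js releases, where a number meant "allocate this many bytes" and the
// memory was not zero-filled. Buffer.allocUnsafe() has the same property.
function legacyBuffer(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  return Buffer.from(value);
}

// Vulnerable pattern: every chunk that is not already a Buffer is handed
// to the constructor unchecked, so a number becomes N uninitialized bytes.
function concatUnsafe(parts) {
  return Buffer.concat(
    parts.map((p) => (Buffer.isBuffer(p) ? p : legacyBuffer(p)))
  );
}

// Hardened pattern: only byte containers are copied as bytes; anything
// else (numbers included) is converted to its string form first, so no
// caller-controlled value is ever interpreted as an allocation size.
function concatSafe(parts) {
  return Buffer.concat(
    parts.map((p) => {
      if (Buffer.isBuffer(p)) return p;
      if (p instanceof Uint8Array || Array.isArray(p)) return Buffer.from(p);
      return Buffer.from(String(p), 'utf8');
    })
  );
}

// Constructed input: a number arrives where a string chunk was expected,
// for example a field taken from parsed JSON.
const sampleParts = ['id=', 16];

function demo() {
  const unsafe = concatUnsafe(sampleParts);
  const safe = concatSafe(sampleParts);
  return {
    unsafeLength: unsafe.length, // 3 bytes of text plus 16 unzeroed bytes
    safeText: safe.toString('utf8'),
  };
}

console.log(demo());
```
</pre>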
</body>
</html>