Debian Package Tracker

libjavascript-minifier-xs-perl

XS based JavaScript minifier

general
  • source: libjavascript-minifier-xs-perl (main)
  • version: 0.16-1
  • maintainer: Debian Perl Group (archive) (DMD) (LowNMU)
  • uploaders: gregor herrmann [DMD]
  • arch: any
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
  • o-o-stable: 0.13-1
  • oldstable: 0.15-1
  • stable: 0.15-1
  • testing: 0.16-1
  • unstable: 0.16-1
binaries
  • libjavascript-minifier-xs-perl
action needed
2 security issues in bullseye (priority: high)

There are 2 open security issues in bullseye.

2 important issues:
  • CVE-2026-56017: JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first meaningful token of the input is a slash. The regexp versus division disambiguator in JsTokenizeString (XS.xs) inspects the previous token's last byte to choose between a regexp literal and a division operator. When a slash is the first meaningful token, with the start of input or only whitespace and comments before it, there is no valid preceding token: the walk back over whitespace and comment nodes runs off the head of the node list to NULL, and the byte lookup reads through a NULL contents pointer at an underflowed length index. The following identifier check dereferences the same NULL pointer. The crash is reachable through the public minify() API, so input as small as a single slash byte crashes the calling process. A service that minifies untrusted or third-party JavaScript can be crashed by a remote request, causing denial of service.
  • CVE-2026-56018: JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbounded memory growth. In JsMinify (XS.xs) the cleanup frees only the NodeSet structures and never the per-token contents buffers allocated in JsSetNodeContents; JsDiscardNode unlinks nodes without freeing their contents. Each token's contents buffer is therefore leaked on every call, and the two early returns taken when the node list is empty leak the whole NodeSet. A long-lived process that minifies repeatedly, such as an asset pipeline or a server-side minifier endpoint, grows in memory without bound until it exhausts available memory and is killed, causing denial of service.
Created: 2026-06-29 Last update: 2026-07-02 07:30
2 security issues in bookworm (priority: high)

There are 2 open security issues in bookworm.

2 important issues:
  • CVE-2026-56017: description as given under bullseye above.
  • CVE-2026-56018: description as given under bullseye above.
Created: 2026-06-29 Last update: 2026-07-02 07:30
2 low-priority security issues in trixie (priority: low)

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:
  • CVE-2026-56017: (needs triaging) description as given under bullseye above.
  • CVE-2026-56018: (needs triaging) description as given under bullseye above.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-29 Last update: 2026-07-02 07:30
testing migrations
  • This package will soon be part of the perl-5.42 transition. You might want to ensure that your package is ready for it. You can probably find supplementary information in the debian-release archives or in the corresponding release.debian.org bug.
news
  • [2026-07-02] libjavascript-minifier-xs-perl 0.16-1 MIGRATED to testing (Debian testing watch)
  • [2026-06-29] Accepted libjavascript-minifier-xs-perl 0.16-1 (source) into unstable (gregor herrmann)
  • [2021-10-24] libjavascript-minifier-xs-perl 0.15-1 MIGRATED to testing (Debian testing watch)
  • [2021-10-21] Accepted libjavascript-minifier-xs-perl 0.15-1 (source) into unstable (gregor herrmann)
  • [2021-09-29] libjavascript-minifier-xs-perl 0.14-1 MIGRATED to testing (Debian testing watch)
  • [2021-09-27] Accepted libjavascript-minifier-xs-perl 0.14-1 (source) into unstable (gregor herrmann)
  • [2021-01-05] libjavascript-minifier-xs-perl 0.13-1 MIGRATED to testing (Debian testing watch)
  • [2021-01-03] Accepted libjavascript-minifier-xs-perl 0.13-1 (source) into unstable (gregor herrmann)
  • [2021-01-01] libjavascript-minifier-xs-perl 0.12-1 MIGRATED to testing (Debian testing watch)
  • [2020-12-29] Accepted libjavascript-minifier-xs-perl 0.12-1 (source) into unstable (gregor herrmann)
  • [2015-05-31] Accepted libjavascript-minifier-xs-perl 0.11-1 (source) into unstable (gregor herrmann)
  • [2013-05-24] libjavascript-minifier-xs-perl 0.09-2 MIGRATED to testing (Debian testing watch)
  • [2013-05-13] Accepted libjavascript-minifier-xs-perl 0.09-2 (source amd64) (gregor herrmann)
  • [2011-02-06] libjavascript-minifier-xs-perl 0.09-1 MIGRATED to testing (Debian testing watch)
  • [2010-11-06] Accepted libjavascript-minifier-xs-perl 0.09-1 (source amd64) (Nicholas Bamber) (signed by: Ansgar Burchardt)
  • [2009-09-30] libjavascript-minifier-xs-perl 0.06-1 MIGRATED to testing (Debian testing watch)
  • [2009-09-19] Accepted libjavascript-minifier-xs-perl 0.06-1 (source i386) (gregor herrmann)
  • [2009-07-20] libjavascript-minifier-xs-perl 0.05-1 MIGRATED to testing (Debian testing watch)
  • [2009-07-09] Accepted libjavascript-minifier-xs-perl 0.05-1 (source i386) (Ryan Niebur)
bugs
  • all: 0
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 0.15-1build6

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers