Debian Package Tracker

general

source: libsass (main)
version: 3.4.8-1
maintainer: Debian Sass team (archive) [DMD]
uploaders: Jonas Smedegaard [DMD]
arch: any
std-ver: 4.1.3
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

old-bpo: 3.4.3-1~bpo8+1
stable: 3.4.3-1
testing: 3.4.8-1
unstable: 3.4.8-1

versioned links

3.4.3-1~bpo8+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.4.3-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.4.8-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libsass-dev
libsass0
libsass0-dbg

action needed

A new upstream version is available: 3.5.2 high

A new upstream version 3.5.2 is available, you should consider packaging it.

Created: 2018-02-09 Last update: 2018-04-19 08:17

11 security issues in buster high

There are 11 open security issues in buster.

11 important issues:

CVE-2017-12962: There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.
CVE-2017-10687: In LibSass 3.4.5, there is a heap-based buffer over-read in the function json_mkstream() in sass_context.cpp. A crafted input will lead to a remote denial of service attack.
CVE-2017-11605: There is a heap based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack.
CVE-2017-12963: There is an illegal address access in Sass::Eval::operator() in eval.cpp of LibSass 3.4.5, leading to a remote denial of service attack. NOTE: this is similar to CVE-2017-11555 but remains exploitable after the vendor's CVE-2017-11555 fix (available from GitHub after 2017-07-24).
CVE-2017-12964: There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.
CVE-2017-11555: There is an illegal address access in the Eval::operator function in eval.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service.
CVE-2017-11608: There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11341: There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11342: There is an illegal address access in ast.cpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11556: There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.
CVE-2017-11554: There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

Please fix them.

Created: 2017-06-30 Last update: 2018-01-17 07:50

11 security issues in sid high

There are 11 open security issues in sid.

11 important issues:

CVE-2017-12962: There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.
CVE-2017-10687: In LibSass 3.4.5, there is a heap-based buffer over-read in the function json_mkstream() in sass_context.cpp. A crafted input will lead to a remote denial of service attack.
CVE-2017-11605: There is a heap based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack.
CVE-2017-12963: There is an illegal address access in Sass::Eval::operator() in eval.cpp of LibSass 3.4.5, leading to a remote denial of service attack. NOTE: this is similar to CVE-2017-11555 but remains exploitable after the vendor's CVE-2017-11555 fix (available from GitHub after 2017-07-24).
CVE-2017-12964: There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.
CVE-2017-11555: There is an illegal address access in the Eval::operator function in eval.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service.
CVE-2017-11608: There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11341: There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11342: There is an illegal address access in ast.cpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11556: There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.
CVE-2017-11554: There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

Please fix them.

Created: 2017-06-30 Last update: 2018-01-17 07:50

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

libsass0-dbg could be marked Multi-Arch: same

Created: 2017-03-05 Last update: 2018-04-19 08:32

1 bug tagged patch in the BTS normal

The BTS contains patches fixing 1 bug, consider including or untagging them.

Created: 2017-11-21 Last update: 2018-04-19 07:53

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2018-04-15 Last update: 2018-04-15 07:53

11 ignored security issues in stretch low

There are 11 open security issues in stretch.

11 issues skipped by the security teams:

CVE-2017-12962: There are memory leaks in LibSass 3.4.5 triggered by deeply nested code, such as code with a long sequence of open parenthesis characters, leading to a remote denial of service attack.
CVE-2017-10687: In LibSass 3.4.5, there is a heap-based buffer over-read in the function json_mkstream() in sass_context.cpp. A crafted input will lead to a remote denial of service attack.
CVE-2017-11605: There is a heap based buffer over-read in LibSass 3.4.5, related to address 0xb4803ea1. A crafted input will lead to a remote denial of service attack.
CVE-2017-12963: There is an illegal address access in Sass::Eval::operator() in eval.cpp of LibSass 3.4.5, leading to a remote denial of service attack. NOTE: this is similar to CVE-2017-11555 but remains exploitable after the vendor's CVE-2017-11555 fix (available from GitHub after 2017-07-24).
CVE-2017-12964: There is a stack consumption issue in LibSass 3.4.5 that is triggered in the function Sass::Eval::operator() in eval.cpp. It will lead to a remote denial of service attack.
CVE-2017-11555: There is an illegal address access in the Eval::operator function in eval.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service.
CVE-2017-11608: There is a heap-based buffer over-read in the Sass::Prelexer::re_linebreak function in lexer.cpp in LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11341: There is a heap based buffer over-read in lexer.hpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11342: There is an illegal address access in ast.cpp of LibSass 3.4.5. A crafted input will lead to a remote denial of service attack.
CVE-2017-11556: There is a stack consumption vulnerability in the Parser::advanceToNextToken function in parser.cpp in LibSass 3.4.5. A crafted input may lead to remote denial of service.
CVE-2017-11554: There is a stack consumption vulnerability in the lex function in parser.hpp (as used in sassc) in LibSass 3.4.5. A crafted input will lead to a remote denial of service.

Please fix them.

Created: 2017-06-30 Last update: 2018-01-17 07:50

Build log checks report 1 warning low

Build log checks report 1 warning

Created: 2016-09-09 Last update: 2016-09-09 13:09

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.1.4 instead of 4.1.3).

Created: 2018-04-16 Last update: 2018-04-16 20:43

news

[rss feed]

[2018-01-17] libsass 3.4.8-1 MIGRATED to testing (Debian testing watch)
[2018-01-12] Accepted libsass 3.4.8-1 (source) into unstable (Jonas Smedegaard)
[2017-11-03] libsass 3.4.6-1 MIGRATED to testing (Debian testing watch)
[2017-10-28] Accepted libsass 3.4.6-1 (source) into unstable (Jonas Smedegaard)
[2017-03-16] Accepted libsass 3.4.3-1~bpo8+1 (source amd64) into jessie-backports->backports-policy, jessie-backports (Rhonda D'Vine) (signed by: Rhonda)
[2017-02-03] libsass 3.4.3-1 MIGRATED to testing (Debian testing watch)
[2017-01-23] Accepted libsass 3.4.3-1 (source amd64) into unstable (Jonas Smedegaard)
[2016-12-22] libsass 3.4.0-1 MIGRATED to testing (Debian testing watch)
[2016-12-11] Accepted libsass 3.4.0-1 (source amd64) into unstable (Jonas Smedegaard)
[2016-09-15] libsass 3.3.6-2 MIGRATED to testing (Debian testing watch)
[2016-09-09] Accepted libsass 3.3.6-2 (source) into unstable (Jonas Smedegaard)
[2016-09-09] Accepted libsass 3.3.6-1 (source amd64) into unstable (Jonas Smedegaard)
[2016-03-28] libsass 3.3.4-1 MIGRATED to testing (Debian testing watch)
[2016-03-21] Accepted libsass 3.3.4-1 (source amd64) into unstable (Jonas Smedegaard)
[2016-03-13] libsass 3.3.3-1 MIGRATED to testing (Debian testing watch)
[2016-03-08] Accepted libsass 3.3.3-1 (source amd64) into unstable (Jonas Smedegaard)
[2016-02-11] libsass 3.3.2-1 MIGRATED to testing (Debian testing watch)
[2015-11-30] Accepted libsass 3.3.2-1 (source amd64) into unstable (Jonas Smedegaard)
[2015-11-30] Accepted libsass 3.2.5-2 (source amd64) into unstable (Jonas Smedegaard)
[2015-06-27] libsass 3.2.5-1 MIGRATED to testing (Britney)
[2015-06-20] Accepted libsass 3.2.5-1 (source amd64) into unstable (Jonas Smedegaard)
[2015-05-26] libsass 3.2.4-2 MIGRATED to testing (Britney)
[2015-05-20] Accepted libsass 3.2.4-1 (source amd64) into unstable, unstable (Jonas Smedegaard)
[2015-05-20] Accepted libsass 3.1.0-1 (source amd64) into unstable, unstable (Jonas Smedegaard)
[2015-05-20] Accepted libsass 3.2.4-2 (source amd64) into unstable, unstable (Jonas Smedegaard)

bugs [bug history graph]

all: 7
RC: 0
I&N: 7
M&W: 0
F&P: 0

links

homepage
lintian (0, 2)
buildd: logs, checks, clang, reproducibility
popcon
debci
browse source code
edit tags
security tracker

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.4.8-1