On Mon, Mar 20 2023 at 07:34:33 PM +01:00, Moritz Mühlenhoff <j...@inutil.org> wrote:
Source: node-request
X-Debbugs-CC: t...@security.debian.org
Severity: normal
Tags: security

Hi,

The following vulnerability was published for node-request.

CVE-2023-28155[0]:
| ** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for
| Node.js allows a bypass of SSRF mitigations via an attacker-controlled
| server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to
| HTTP). NOTE: This vulnerability only affects products that are no
| longer supported by the maintainer.

https://github.com/request/request/issues/3442 was reported, but it seems
the module is EOLed, so maybe we should be looking into retiring it
for trixie?

$ reverse-depends node-request
Reverse-Depends
===============
* node-jsonld
* node-matrix-js-sdk
* yarnpkg

For yarnpkg, we are trying to remove the dependency on node-request, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980316#43 (hopefully we will be able to remove it for trixie).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28155
    https://www.cve.org/CVERecord?id=CVE-2023-28155

Please adjust the affected versions in the BTS as needed.

--
Pkg-javascript-devel mailing list
pkg-javascript-de...@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
