Source: node-undici Version: 5.28.2+dfsg1+~cs23.11.12.3-6 Severity: important Tags: security upstream X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi, The following vulnerability was published for node-undici. CVE-2024-24758[0]: | Undici is an HTTP/1.1 client, written from scratch for Node.js. | Undici already cleared Authorization headers on cross-origin | redirects, but did not clear `Proxy-Authentication` headers. This | issue has been patched in versions 5.28.3 and 6.6.1. Users are | advised to upgrade. There are no known workarounds for this | vulnerability. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-24758 https://www.cve.org/CVERecord?id=CVE-2024-24758 [1] https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3 [2] https://github.com/nodejs/undici/commit/d3aa574b1259c1d8d329a0f0f495ee82882b1458 Please adjust the affected versions in the BTS as needed. Regards, Salvatore