On 31/07/2021 at 13:25, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: [email protected]
> Usertags: unblock
>
> Please unblock package node-url-parse
>
> [ Reason ]
> node-url-parse 1.5.1 is vulnerable to URL redirection to untrusted
> sites.
>
> [ Impact ]
> Medium security issue
>
> [ Tests ]
> Test passed (both build & autopkgtest)
>
> [ Risks ]
> Low risk: node-url-parse is a reverse dependency of:
> * node-miragejs (Build only)
> * node-original
> * node-eventsource
>
> I tested rebuild & autopkgtest with success:
> rebuild node-miragejs ... PASS
> autopkgtest node-original ... PASS
> rebuild node-original ... PASS
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other info ]
> I preferred to update node-url-parse instead of backporting changes since
> all changes are related to this vulnerability (including test updates)
References:
* commits list: https://github.com/unshiftio/url-parse/commits/master
* 1.5.2 changes:
  - Sanitize only special URLs (#209)
    https://github.com/unshiftio/url-parse/pull/209
* 1.5.3 changes:
  - Fix host parsing for file URLs (#210)
    https://github.com/unshiftio/url-parse/commit/c7984617

1.5.3 changes are based on 1.5.2 changes, that's why I can't backport only the security fix.

Cheers,
Yadd

