Your message dated Sat, 14 Mar 2026 11:48:35 +0000
with message-id <[email protected]>
and subject line Released with 13.4
has caused the Debian Bug report #1129338,
regarding trixie-pu: package node-proxy-agents/0~2024040606-6+deb13u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129338: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129338
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: trixie
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:node-proxy-agents
User: [email protected]
Usertags: pu
[ Reason ]
node-proxy-agents embeds basic-ftp which is vulnerable to CVE-2026-27699[0]:
| The `basic-ftp` FTP client library for Node.js contains a path
| traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the
| `downloadToDir()` method. A malicious FTP server can send directory
| listings with filenames containing path traversal sequences (`../`)
| that cause files to be written outside the intended download
| directory. Version 5.2.0 patches the issue.
[ Impact ]
High security issue
[ Tests ]
Tests pass, no new test.
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Just verify that the file target isn't outside the main directory
Best regards,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 80e675c..e12d92e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-proxy-agents (0~2024040606-6+deb13u1) trixie; urgency=medium
+
+ * Team upload
+ * Fix basic-ftp traversal vulnerability (Closes: #1129093, CVE-2026-27699)
+
+ -- Yadd <[email protected]> Fri, 27 Feb 2026 07:58:26 +0100
+
node-proxy-agents (0~2024040606-6) unstable; urgency=medium
* Team upload
diff --git a/debian/patches/CVE-2026-27699.patch
b/debian/patches/CVE-2026-27699.patch
new file mode 100644
index 0000000..9b7d881
--- /dev/null
+++ b/debian/patches/CVE-2026-27699.patch
@@ -0,0 +1,32 @@
+From: Patrick Juchli <[email protected]>
+Date: feb., 23 2026 09:01:12 +0100
+Subject: [PATCH] Skip invalid filenames
+Origin: upstream, https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e65
+Bug:
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
+Bug-Debian: https://bugs.debian.org/1129093
+Forwarded: not-needed
+Applied-Upstream: 5.2.0, commit:2a2a0e65
+Reviewed-By: Yadd <[email protected]>
+
+--- a/basic-ftp/src/Client.ts
++++ b/basic-ftp/src/Client.ts
+@@ -1,5 +1,5 @@
+ import { createReadStream, createWriteStream, mkdir, readdir, stat, open,
close, unlink } from "fs"
+-import { join } from "path"
++import { basename, join } from "path"
+ import { Readable, Writable } from "stream"
+ import { connect as connectTLS, ConnectionOptions as TLSConnectionOptions }
from "tls"
+ import { promisify } from "util"
+@@ -694,6 +694,12 @@
+ protected async _downloadFromWorkingDir(localDirPath: string):
Promise<void> {
+ await ensureLocalDirectory(localDirPath)
+ for (const file of await this.list()) {
++ const hasInvalidName = !file.name || basename(file.name) !==
file.name
++ if (hasInvalidName) {
++ const safeName = JSON.stringify(file.name)
++ this.ftp.log(`Invalid filename from server listing, will skip
file. (${safeName})`)
++ continue
++ }
+ const localPath = join(localDirPath, file.name)
+ if (file.isDirectory) {
+ await this.cd(file.name)
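Review bot: the guard `const hasInvalidName = !file.name || basename(file.name) !== file.name` rejects empty names and any name containing a path separator, which covers the `../` listings described in the advisory, but `basename` returns `.` and `..` unchanged, so a listing entry named `..` passes the check and `join(localDirPath, file.name)` then points at the parent of the download directory. If the list parsers behind `this.list()` already drop `.`/`..` entries this is harmless, but that is not visible in this hunk; consider extending the condition with `|| file.name === "." || file.name === ".."` so the guard does not depend on the parsers. Minor DEP-3 nit in the header: `Date: feb., 23 2026 09:01:12 +0100` is not in RFC 2822 form; `Mon, 23 Feb 2026 09:01:12 +0100` is the usual format.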
diff --git a/debian/patches/series b/debian/patches/series
index a1ce508..11cd8b5 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ use-quickjs-emscripten.patch
tsc-workaround.patch
0004-Use-modern-lru-cache.patch
0005-get-uri-compilation.patch
+CVE-2026-27699.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 13.4
This update has been released as part of Debian 13.4.
--- End Message ---