Your message dated Tue, 16 Apr 2019 08:35:01 +0000
with message-id <[email protected]>
and subject line Bug#906058: fixed in node-url-parse 1.2.0-2
has caused the Debian Bug report #906058,
regarding node-url-parse: CVE-2018-3774
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
906058: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906058
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-url-parse
Version: 1.2.0-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for node-url-parse.

CVE-2018-3774[0]:
| Incorrect parsing in url-parse <1.4.3 returns wrong hostname which
| leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass
| Authentication Protocol.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-3774
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3774
[1] https://hackerone.com/reports/384029

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-url-parse
Source-Version: 1.2.0-2

We believe that the bug you reported is fixed in the latest version of
node-url-parse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-url-parse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 16 Apr 2019 10:18:36 +0200
Source: node-url-parse
Architecture: source
Version: 1.2.0-2
Distribution: unstable
Urgency: medium
Maintainer: Xavier Guimard <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 906058
Changes:
 node-url-parse (1.2.0-2) unstable; urgency=medium
 .
   * Team upload
   * Bump debhelper compatibility level to 11
   * Declare compliance with policy 4.3.0
   * Add patch to fix bad URL parsing (Closes: #906058, CVE-2018-3774)
   * Enable upstream tests using pkg-js-tools. This adds node-deep-eql,
     node-object-inspect and node-pathval in build dependencies
   * Fix VCS fields
   * Fix debian/copyright format URL
   * Fix description (trailing whitespaces)
   * Add upstream/metadata
Checksums-Sha1: 
 74258f45a357aebba059084a484d3bea5619d516 2217 node-url-parse_1.2.0-2.dsc
 f3163427e10647243a1870456f7b377a3977d858 23816 node-url-parse_1.2.0-2.debian.tar.xz
Checksums-Sha256:
 7db81083cd1523dfa58001a51b3c4d8c19931b956040e1ce501917562590e436 2217 node-url-parse_1.2.0-2.dsc
 aeedf0b050854feb2ff7e43af97b6e4a5a96a36194d8a9bf729664d3401bafcc 23816 node-url-parse_1.2.0-2.debian.tar.xz
Files:
 3d774024debfd740f754aaefce173dd8 2217 javascript optional node-url-parse_1.2.0-2.dsc
 95b1c7ba88b29d29aa832fae46166233 23816 javascript optional node-url-parse_1.2.0-2.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
