Your message dated Fri, 17 Feb 2023 04:34:37 +0000
with message-id <e1psssd-000j45...@fasolo.debian.org>
and subject line Bug#1031418: fixed in node-undici 5.19.1+dfsg1+~cs20.10.9.5-1
has caused the Debian Bug report #1031418,
regarding node-undici: CVE-2023-23936 CVE-2023-24807
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1031418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-undici
Version: 5.15.0+dfsg1+~cs20.10.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for node-undici.
CVE-2023-23936[0]:
| Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0
| and prior to version 5.19.1, the undici library does not protect
| `host` HTTP header from CRLF injection vulnerabilities. This issue is
| patched in Undici v5.19.1. As a workaround, sanitize the
| `headers.host` string before passing to undici.
CVE-2023-24807[1]:
| Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the
| `Headers.set()` and `Headers.append()` methods are vulnerable to
| Regular Expression Denial of Service (ReDoS) attacks when untrusted
| values are passed into the functions. This is due to the inefficient
| regular expression used to normalize the values in the
| `headerValueNormalize()` utility function. This vulnerability was
| patched in v5.19.1. No known workarounds are available.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-23936
https://www.cve.org/CVERecord?id=CVE-2023-23936
[1] https://security-tracker.debian.org/tracker/CVE-2023-24807
https://www.cve.org/CVERecord?id=CVE-2023-24807
Regards,
Salvatore
--- End Message ---
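Added example, not undici's code and not part of the bug report above: a defender-side helper covering both issues in the message, a linear-time trim of HTTP whitespace in place of the regex-based normalization the second CVE text calls inefficient, and the `headers.host` sanitization the first CVE text suggests as a workaround. The function names, the set of trimmed characters and the simplified host grammar are assumptions of this example.

```javascript
// Added example; hypothetical names, not undici's implementation.

// HTTP whitespace as used by the Fetch spec's header value normalization
// (assumption: tab, space, CR, LF).
const HTTP_WHITESPACE = new Set(['\t', ' ', '\r', '\n']);

// Trim leading/trailing HTTP whitespace with two index scans.
// Runs in O(n) for any input, so a long run of spaces in an
// untrusted value cannot blow up the way a backtracking regex can.
function normalizeHeaderValue(value) {
  let start = 0;
  let end = value.length;
  while (start < end && HTTP_WHITESPACE.has(value[start])) start++;
  while (end > start && HTTP_WHITESPACE.has(value[end - 1])) end--;
  return value.slice(start, end);
}

// A header value must never carry a line break: CR or LF in a value
// lets the caller terminate the header and start a new one.
function isSafeHeaderValue(value) {
  return typeof value === 'string' && !/[\r\n]/.test(value);
}

// Workaround-style check for headers.host: reject CR/LF, then accept
// only a simplified host[:port] grammar ("name", "name:port",
// "[ipv6]", "[ipv6]:port"). Assumption: IDNs and underscores are out
// of scope for this example.
function sanitizeHost(host) {
  if (!isSafeHeaderValue(host)) {
    throw new TypeError('Host header contains CR or LF');
  }
  const trimmed = normalizeHeaderValue(host);
  const hostPort = /^(\[[0-9a-fA-F:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?$/;
  if (!hostPort.test(trimmed)) {
    throw new TypeError('Host header is not a valid host[:port]');
  }
  return trimmed;
}
```

Call `sanitizeHost(headers.host)` before handing the headers object to the client, and treat a thrown `TypeError` as a rejected request rather than something to repair.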
--- Begin Message ---
Source: node-undici
Source-Version: 5.19.1+dfsg1+~cs20.10.9.5-1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-undici package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
Format: 1.8
Date: Fri, 17 Feb 2023 07:23:05 +0400
Source: node-undici
Built-For-Profiles: nocheck
Architecture: source
Version: 5.19.1+dfsg1+~cs20.10.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1031418
Changes:
node-undici (5.19.1+dfsg1+~cs20.10.9.5-1) unstable; urgency=medium
.
* New upstream version (Closes: #1031418, CVE-2023-23936, CVE-2023-24807)
* Refresh patches
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel