Your message dated Mon, 20 Nov 2023 07:04:10 +0000
with message-id <e1r4yki-008iqy...@fasolo.debian.org>
and subject line Bug#1056099: fixed in node-axios 1.6.2+dfsg-1
has caused the Debian Bug report #1056099,
regarding node-axios: CVE-2023-45857
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1056099: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056099
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-axios
Version: 1.5.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/axios/axios/issues/6006
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-axios.
CVE-2023-45857[0]:
| An issue discovered in Axios 1.5.1 inadvertently reveals the
| confidential XSRF-TOKEN stored in cookies by including it in the
| HTTP header X-XSRF-TOKEN for every request made to any host allowing
| attackers to view sensitive information.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-45857
https://www.cve.org/CVERecord?id=CVE-2023-45857
[1] https://github.com/axios/axios/issues/6006
[2] https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
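The exposure described in the CVE text above, as an added example that is not part of the original thread and is not axios code: an XSRF header builder that ignores the destination, next to one that attaches the token only for same-origin requests. The function names, the example.test hosts and the token value are constructed for illustration.

```javascript
// Added illustration; not axios code. All function names are hypothetical.
const XSRF_COOKIE = 'XSRF-TOKEN';
const XSRF_HEADER = 'X-XSRF-TOKEN';

// Parse a document.cookie-style string into a name -> value map.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue; // skip fragments without a value
    jar.set(part.slice(0, eq).trim(),
            decodeURIComponent(part.slice(eq + 1).trim()));
  }
  return jar;
}

// Behaviour the CVE text describes: the cookie value is copied into the
// header no matter which host the request is going to.
function headersUnguarded(requestUrl, pageUrl, cookieString) {
  const token = parseCookies(cookieString).get(XSRF_COOKIE);
  return token ? { [XSRF_HEADER]: token } : {};
}

// Guarded form: resolve the request URL against the page URL and attach
// the token only when scheme, host and port all match the page's origin.
function headersSameOriginOnly(requestUrl, pageUrl, cookieString) {
  let target;
  try {
    // Resolves relative and protocol-relative ("//host/path") URLs too.
    target = new URL(requestUrl, pageUrl);
  } catch {
    return {}; // unparseable destination: fail closed
  }
  if (target.origin !== new URL(pageUrl).origin) return {};
  return headersUnguarded(requestUrl, pageUrl, cookieString);
}
```

Comparing full origins rather than hostnames keeps the token away from look-alike hosts, other ports and plain-HTTP variants of the same name.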
--- Begin Message ---
Source: node-axios
Source-Version: 1.6.2+dfsg-1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-axios, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1056...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-axios package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 17 Nov 2023 14:52:00 +0400
Source: node-axios
Built-For-Profiles: nocheck
Architecture: source
Version: 1.6.2+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1056099
Changes:
node-axios (1.6.2+dfsg-1) unstable; urgency=medium
.
* Team upload
* Set upstream metadata fields: Repository.
* New upstream version (Closes: #1056099, CVE-2023-45857)
* Unfuzz patches
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel