Your message dated Wed, 29 May 2024 06:49:03 +0000
with message-id <e1scd7p-00ej3l...@fasolo.debian.org>
and subject line Bug#1072121: fixed in node-ip 2.0.1+~1.1.3-2
has caused the Debian Bug report #1072121,
regarding node-ip: CVE-2024-29415
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1072121: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072121
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-ip
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-ip.

CVE-2024-29415[0]:
| The ip package through 2.0.1 for Node.js might allow SSRF because
| some IP addresses (such as 127.1, 01200034567, 012.1.2.3,
| 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as
| globally routable via isPublic. NOTE: this issue exists because of
| an incomplete fix for CVE-2023-42282.

https://github.com/indutny/node-ip/issues/150
https://github.com/indutny/node-ip/pull/144
https://github.com/indutny/node-ip/pull/143


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29415
    https://www.cve.org/CVERecord?id=CVE-2024-29415

Please adjust the affected versions in the BTS as needed.

--- End Message ---
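
The address forms listed in the CVE description above, worked through in an added JavaScript example (not node-ip's code and not the proposed fix imported in this upload): each string is parsed to its numeric value, using inet_aton rules for IPv4 and full group expansion for IPv6, and only then classified. All function names are hypothetical, and the range table is deliberately short.

```javascript
// Added example; names are hypothetical, not node-ip's API. IPv4 text per
// inet_aton: 1-4 parts, each decimal, octal (leading 0) or hex (0x).
function parseIPv4Loose(text) {
  const nums = [];
  for (const p of text.split('.')) {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) nums.push(parseInt(p.slice(2), 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^[1-9][0-9]*$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  if (nums.length > 4) return null;
  const last = nums.pop(); // the last part fills all remaining bytes
  if (nums.some((n) => n > 255) || last >= 2 ** (8 * (4 - nums.length))) return null;
  return nums.reduce((sum, n, i) => sum + n * 2 ** (8 * (3 - i)), last);
}
const toDotted = (v) => [24, 16, 8, 0].map((s) => Math.floor(v / 2 ** s) % 256).join('.');
// IPv6 text to eight 16-bit groups; accepts "::" and a dotted IPv4 tail.
function parseIPv6(s) {
  const tail = s.slice(s.lastIndexOf(':') + 1);
  if (tail.includes('.')) {
    const v4 = parseIPv4Loose(tail);
    if (v4 === null) return null;
    const hex = (n) => n.toString(16);
    s = s.slice(0, -tail.length) + hex(Math.floor(v4 / 65536)) + ':' + hex(v4 % 65536);
  }
  const halves = s.split('::').map((h) => (h === '' ? [] : h.split(':')));
  const all = halves.flat();
  if (halves.length > 2 || !all.every((g) => /^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  if (halves.length === 1 ? all.length !== 8 : all.length > 7) return null;
  const [head, rest = []] = halves;
  return [...head, ...Array(8 - all.length).fill('0'), ...rest].map((g) => parseInt(g, 16));
}
// Short table (loopback, RFC 1918, link-local); 'unclassified' is not "public".
function classifyV4(v) {
  const a = Math.floor(v / 2 ** 24), b = Math.floor(v / 65536) % 256;
  if (a === 127) return 'loopback';
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return 'private';
  return a === 169 && b === 254 ? 'link-local' : 'unclassified';
}
function classify(text) {
  const g = text.includes(':') ? parseIPv6(text) : null;
  const v4 = text.includes(':') ? null : parseIPv4Loose(text);
  if (v4 !== null) return classifyV4(v4);
  if (g === null) return 'invalid';
  const lead = g.slice(0, 5).every((x) => x === 0);
  if (lead && g[5] === 0xffff) return classifyV4(g[6] * 65536 + g[7]); // IPv4-mapped
  if (lead && g[5] === 0 && g[6] === 0 && g[7] === 1) return 'loopback'; // ::1
  return 'unclassified';
}
```

With these rules `01200034567` normalizes to 10.0.57.119 and `012.1.2.3` to 10.1.2.3, so an allow-list check should treat both 'invalid' and any non-public class as a reason to refuse the destination.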
--- Begin Message ---
Source: node-ip
Source-Version: 2.0.1+~1.1.3-2
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-ip, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1072...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-ip package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 May 2024 10:21:39 +0400
Source: node-ip
Architecture: source
Version: 2.0.1+~1.1.3-2
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1072121
Changes:
 node-ip (2.0.1+~1.1.3-2) experimental; urgency=medium
 .
   * Team upload
   * Import proposed fix for CVE-2024-29415 (Closes: #1072121)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
