Your message dated Mon, 03 Feb 2025 17:17:09 +0000
with message-id <e1tf04l-00fxpa...@fasolo.debian.org>
and subject line Bug#1056099: fixed in node-axios 1.2.1+dfsg-1+deb12u1
has caused the Debian Bug report #1056099,
regarding node-axios: CVE-2023-45857
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1056099: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056099
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-axios
Version: 1.5.1+dfsg-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/axios/axios/issues/6006
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-axios.

CVE-2023-45857[0]:
| An issue discovered in Axios 1.5.1 inadvertently reveals the
| confidential XSRF-TOKEN stored in cookies by including it in the
| HTTP header X-XSRF-TOKEN for every request made to any host allowing
| attackers to view sensitive information.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45857
    https://www.cve.org/CVERecord?id=CVE-2023-45857
[1] https://github.com/axios/axios/issues/6006
[2] https://github.com/axios/axios/commit/96ee232bd3ee4de2e657333d4d2191cd389e14d0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
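The CVE text quoted in the report above describes the mechanism in one sentence: the client copies the XSRF-TOKEN cookie into an X-XSRF-TOKEN header on every request, whatever the destination host, so any third-party endpoint the page talks to receives the token. The script below is an added illustration for this thread, not code from axios or from the Debian package: it models a leaky header builder beside a hardened one that only attaches the token for same-origin requests (the restriction the upstream fix referenced in [1]/[2] introduces), with an explicit per-request opt-in for the rare cross-origin case. The function names, the `withXSRFToken` option, the page origin and the cookie jar are all constructed for the example.

```javascript
// Added example for CVE-2023-45857 (not axios code). Models the decision an HTTP
// client makes before copying the XSRF cookie into a request header.
// All names below (isSameOrigin, buildXsrfHeaders, withXSRFToken, the sample
// origin and cookie jar) are hypothetical and constructed for this illustration.

const PAGE_ORIGIN = 'https://app.example.com'; // constructed: origin the page was loaded from

// Constructed cookie jar in the shape a browser exposes through document.cookie.
const SAMPLE_COOKIES = 'theme=dark; XSRF-TOKEN=6f1c2b3a4d5e; lang=en';

// Look up one cookie by name in a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Resolve the request URL against the page origin (relative URLs are same-origin
// by construction) and compare scheme and host:port. WHATWG URL parsing drops
// default ports, so "https://app.example.com:443" still matches.
function isSameOrigin(requestUrl, pageOrigin) {
  const page = new URL(pageOrigin);
  const target = new URL(requestUrl, pageOrigin);
  return target.protocol === page.protocol && target.host === page.host;
}

// Vulnerable shape (what the CVE describes): the cookie value is attached to
// every request without looking at where the request is going.
function buildXsrfHeadersLeaky(requestUrl, cookies, opts = {}) {
  const { cookieName = 'XSRF-TOKEN', headerName = 'X-XSRF-TOKEN' } = opts;
  const headers = {};
  const token = readCookie(cookies, cookieName);
  if (token) headers[headerName] = token;
  return headers;
}

// Hardened shape: attach the token only when the request returns to the page's
// own origin, or when the caller explicitly opts in for a trusted cross-origin
// target. Any other destination gets no XSRF header at all.
function buildXsrfHeaders(requestUrl, cookies, opts = {}) {
  const {
    cookieName = 'XSRF-TOKEN',
    headerName = 'X-XSRF-TOKEN',
    pageOrigin = PAGE_ORIGIN,
    withXSRFToken = false, // hypothetical opt-in switch; default is "same-origin only"
  } = opts;
  const headers = {};
  if (!withXSRFToken && !isSameOrigin(requestUrl, pageOrigin)) return headers;
  const token = readCookie(cookies, cookieName);
  if (token) headers[headerName] = token;
  return headers;
}

// Run both builders over a list of destinations and report which ones would
// receive the token under each behaviour.
function compare(destinations, cookies) {
  return destinations.map((url) => ({
    url,
    leaky: buildXsrfHeadersLeaky(url, cookies)['X-XSRF-TOKEN'] !== undefined,
    fixed: buildXsrfHeaders(url, cookies)['X-XSRF-TOKEN'] !== undefined,
  }));
}

// Constructed destinations covering relative, same-origin, scheme-mismatch,
// third-party and attacker-controlled hosts.
const DESTINATIONS = [
  '/api/profile',
  'https://app.example.com/api/orders',
  'http://app.example.com/api/orders',
  'https://cdn.example.com/assets/app.js',
  'https://attacker.example/collect',
];

for (const row of compare(DESTINATIONS, SAMPLE_COOKIES)) {
  console.log(`${row.url.padEnd(40)} leaky=${row.leaky} fixed=${row.fixed}`);
}
```

Run with `node`: the leaky builder sends the token to all five destinations, the hardened one only to the two same-origin URLs. Note that the scheme mismatch (`http://` to an `https://` page) is treated as a different origin on purpose; a token sent over plaintext to the same host is still exposed.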
--- Begin Message ---
Source: node-axios
Source-Version: 1.2.1+dfsg-1+deb12u1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-axios, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1056...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-axios package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Feb 2025 11:35:52 +0100
Source: node-axios
Architecture: source
Version: 1.2.1+dfsg-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1056099 1094731
Changes:
 node-axios (1.2.1+dfsg-1+deb12u1) bookworm; urgency=medium
 .
   * Team upload
   * Fix CSRF vulnerability (Closes: #1056099, CVE-2023-45857)
   * Fix potential vulnerability in URL when determining an origin
     (Closes: #1094731, CVE-2024-57965)
Checksums-Sha1:
 8b0186f63b1d617daac2732e00b1e9e85907640d 2618 node-axios_1.2.1+dfsg-1+deb12u1.dsc
 d72e0b47e2bfe394b7098324f7a731bd00e4075e 22968 node-axios_1.2.1+dfsg-1+deb12u1.debian.tar.xz
Checksums-Sha256:
 1654b843c1a6c47b0de27dd7e682ea32375d346ecf3e1ff4c11526c5d55f42bf 2618 node-axios_1.2.1+dfsg-1+deb12u1.dsc
 28652cd1f6e5058b53e4ee80cde544203f206d17564fe228a9be353e915063f2 22968 node-axios_1.2.1+dfsg-1+deb12u1.debian.tar.xz
Files:
 836084311e484cd7cfc2cf85e58fc66a 2618 javascript optional node-axios_1.2.1+dfsg-1+deb12u1.dsc
 752a7fd7c9409c8acd966af8194a4b7a 22968 javascript optional node-axios_1.2.1+dfsg-1+deb12u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
=N7t5
-----END PGP SIGNATURE-----

Attachment: pgpvFk7xd4y2f.pgp
Description: PGP signature


--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
