Your message dated Thu, 31 Jul 2025 07:06:00 +0200
with message-id <air5uppzeez2j...@eldamar.lan>
and subject line Re: Bug#1109551: [Pkg-javascript-devel] Bug#1109551: node-form-data: CVE-2025-7783
has caused the Debian Bug report #1109551,
regarding node-form-data: CVE-2025-7783
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1109551: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109551
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-form-data
Version: 4.0.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for node-form-data.

CVE-2025-7783[0]:
| Use of Insufficiently Random Values vulnerability in form-data
| allows HTTP Parameter Pollution (HPP). This vulnerability is
| associated with program files lib/form_data.Js.  This issue affects
| form-data: < 2.5.4, 3.0.0 - 3.0.3, 4.0.0 - 4.0.3.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-7783
    https://www.cve.org/CVERecord?id=CVE-2025-7783
[1] https://github.com/form-data/form-data/security/advisories/GHSA-fjxv-7rqg-78g4
[2] https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: node-form-data
Source-Version: 4.0.1-2

On Sun, Jul 27, 2025 at 10:57:44PM +0200, Yadd wrote:
> On 7/27/25 19:29, Pragyansh Chaturvedi wrote:
> > Hi
> > 
> > upstream has the fix: https://github.com/form-data/form-data/commit/3d1723080e6577a66f17f163ecd345a21d8d0fd0
> > while debian has the fix: https://salsa.debian.org/js-team/node-form-data/-/commit/cee782f6ff789f389e6ce2f34ae9549d291e85be
> > 
> > These fixes are different. The CVE fix in debian does not have a 50
> > character boundary anymore, but a 62 character boundary now.
> > This causes autopkgtest failure in node-superagent:
> > https://ci.debian.net/packages/n/node-superagent/testing/amd64/62420387/,
> > the payload size asserts now fail. This does not allow node-form-data to
> > migrate.
> > Please use the upstream's fix for this CVE instead of
> > crypto.randomUUID() to preserve boundary length and not break other
> > packages.
> 
> Upstream added a dependency instead of using built-in module, applying
> upstream dependency is impossible for Trixie.

As confirmed by Yadd, the fix is sufficient for the CVE, so closing it
again with the given version.

Regards,
Salvatore

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel