Your message dated Mon, 15 Sep 2025 10:35:14 +0000
with message-id <e1uy6ye-00beye...@fasolo.debian.org>
and subject line Bug#1104246: fixed in node-form-data 4.0.4+~2.1.0-1
has caused the Debian Bug report #1104246,
regarding node-formidable: CVE-2025-46653
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1104246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104246
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-formidable
Version: 3.2.5+20221017git493ec88+~cs4.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-formidable.
CVE-2025-46653[0]:
| Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3
| relies on hexoid to prevent guessing of filenames for untrusted
| executable content; however, hexoid is documented as not
| "cryptographically secure." (Also, there is a scenario in which only
| the last two characters of a hexoid string need to be guessed, but
| this is not often relevant.) NOTE: this does not imply that, in a
| typical use case, attackers will be able to exploit any hexoid
| behavior to upload and execute their own content.
Since the upstream fix is to switch from hexoid to cuid2, I guess the
fix to backport this to older versions is too intrusive and we might
ignore it. Please comment how you see the problem.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46653
https://www.cve.org/CVERecord?id=CVE-2025-46653
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-form-data
Source-Version: 4.0.4+~2.1.0-1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-form-data, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1104...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-form-data package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Mon, 15 Sep 2025 12:13:13 +0200
Source: node-form-data
Architecture: source
Version: 4.0.4+~2.1.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1104246
Changes:
node-form-data (4.0.4+~2.1.0-1) unstable; urgency=medium
.
* Team upload
* debian/watch version 5
* Embed es-set-tostringtag
* New upstream version (Closes: #1104246, CVE-2025-46653)
* Drop CVE-2025-7783, now included in upstream
* Update copyright
* Add dependencies to node-es-errors, node-hasown
* Add lintian-overrides
Checksums-Sha1:
d848687d92986737122064161825f0f190013442 2589 node-form-data_4.0.4+~2.1.0-1.dsc
7fa1bd307044f7d678f0de318f06df2a756e9a94 7160 node-form-data_4.0.4+~2.1.0.orig-es-set-tostringtag.tar.gz
545fc4bbfcff3d346107b490d835b97ed375284c 59717 node-form-data_4.0.4+~2.1.0.orig.tar.gz
4388aba66bbd3ff0a05958272b5451b3aa55463e 9892 node-form-data_4.0.4+~2.1.0-1.debian.tar.xz
Checksums-Sha256:
a3aa7f615be1556184b4f1198b0d3ec7ccc538725c259214f704e8604ffe74d6 2589 node-form-data_4.0.4+~2.1.0-1.dsc
76e10cc4411e9ebcab6c3e31a88d13ce67247a325df83780ee74e208acd5ae39 7160 node-form-data_4.0.4+~2.1.0.orig-es-set-tostringtag.tar.gz
c76908d488b77818c6d5344c80c1e7c20d9615a89711b3906d667bf0d02575df 59717 node-form-data_4.0.4+~2.1.0.orig.tar.gz
76936e1e7ab7d573b41b3ff51148612f09146f53ce3462d07db95f809573fe95 9892 node-form-data_4.0.4+~2.1.0-1.debian.tar.xz
Files:
fc62ca73f0f42957ed0c4ead14cacad6 2589 javascript optional node-form-data_4.0.4+~2.1.0-1.dsc
7f9fa9e1fec55df4c05c87c7168921fe 7160 javascript optional node-form-data_4.0.4+~2.1.0.orig-es-set-tostringtag.tar.gz
f929fa16c95d20768a05331ee0d4310d 59717 javascript optional node-form-data_4.0.4+~2.1.0.orig.tar.gz
b90776e029b6e256414f170a93ba14c3 9892 javascript optional node-form-data_4.0.4+~2.1.0-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmjH6KMACgkQ9tdMp8mZ
7umNeQ//ZPSR32JpQzrGCgE13i15SolsxAi2tAzG3qXqB6REWGv3n70UkeFrcEUs
aYJyL7aRJPgTc+tmmkTlMozcJrWsrcLTge5jpM25SxDY5si68yT6/W5oiNl/RYXR
yxqudMNWLp7cIeipjHzOG8nh0734nh8IME20k21ixdXD9EWUmnlhp1ZpU/3K+ygb
88zY3xMmqSW7DsePd37OWZV2JjKiYyuK/Rsi6RTqxoZAbZM7xtEC6RjyK0+ni5Oa
aIZS3yk/uo0RaP/47aGewZk+EUXao5ozuiP91ejuUy+RFVFwR0vfDnEydW9M+M69
N+I3NsZhxhtfKqNn/YoORXVCrLdSsx8CTkF3EOFKKKr7KKjdLYhEOn843DmQGIcS
aSdj/YramB0ZHxFvSfc5Ite9Wng9o+kGYGQo4INzz+6muZuKK6xR2W+dTJNsNycM
WePvr8iqE8Hgr073cGJL2fGBLOl4Ko3o1x+n62dR6a850Gk/B9L9pTJEV8K2yD4e
opRMkNNbrMjqrlpiyBtrCgn4n/bXsO9CQSkjhgfZHT6yYJaNZZj6OfV/qL0b9lSb
FH6hFmlYYd2BkDIvrZ786ZMzrfQjcYzYICEOMcYayvZ0FPzUpUny2OQTaztKUPsk
GFmrV/uo6qtAgEJzaWLpIneASWLSzOyaTfcO3uSsXXxCqm4TpCw=
=hTLu
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel