Your message dated Thu, 15 Jan 2026 22:05:52 +0000
with message-id <[email protected]>
and subject line Bug#1125679: fixed in node-undici 7.18.2+dfsg+~cs3.2.0-1
has caused the Debian Bug report #1125679,
regarding node-undici: CVE-2026-22036
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125679: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125679
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-undici
Version: 7.16.0+dfsg+~cs3.2.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-undici.
CVE-2026-22036[0]:
| Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and
| 6.23.0, the number of links in the decompression chain is unbounded
| and the default maxHeaderSize allows a malicious server to insert
| thousands of compression steps leading to high CPU usage and excessive
| memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-22036
https://www.cve.org/CVERecord?id=CVE-2026-22036
[1] https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
[2] https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
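The CVE text above describes a server-controlled Content-Encoding header whose comma-separated list of codings is turned, link by link, into a decompression pipeline, so a header that fits inside the default header size limit can still name thousands of decoders. The check below is an added illustration of the defensive idea (cap the number of links and reject unknown codings before any decoder is created); it is not undici's code or the upstream fix, and the limit of 4 links and the set of accepted codings are assumptions chosen for the example.

```javascript
// Added example, not undici's code: bound the Content-Encoding chain before
// building a decompression pipeline. The link limit and the coding list are
// assumptions for illustration, not values taken from the upstream fix.

const MAX_ENCODING_LINKS = 4; // assumed bound; raise only if clients legitimately see deeper chains
const KNOWN_CODINGS = new Set(['gzip', 'x-gzip', 'deflate', 'br', 'zstd', 'identity']);

// Parse a Content-Encoding header value into the ordered list of codings that
// were applied. Returns { ok: true, codings } or { ok: false, reason }.
// The length check runs before the name check so that the only work done on a
// hostile header is one split over a string already bounded by maxHeaderSize.
function parseContentEncodingChain(headerValue, maxLinks = MAX_ENCODING_LINKS) {
  if (headerValue === undefined || headerValue === null || headerValue === '') {
    return { ok: true, codings: [] };
  }
  const tokens = String(headerValue)
    .split(',')
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);

  if (tokens.length > maxLinks) {
    return {
      ok: false,
      reason: `content-encoding chain has ${tokens.length} links, limit is ${maxLinks}`,
    };
  }
  for (const t of tokens) {
    if (!KNOWN_CODINGS.has(t)) {
      return { ok: false, reason: `unknown content-coding "${t}"` };
    }
  }
  // "identity" is a no-op coding; drop it so callers only build real decoders.
  return { ok: true, codings: tokens.filter((t) => t !== 'identity') };
}

// Codings are listed in the order they were applied, so decoding runs in
// reverse: the last-applied coding is removed first.
function decodeOrder(codings) {
  return [...codings].reverse();
}

// Constructed sample header values (not captured traffic). The hostile one is
// 2500 repetitions of "gzip", roughly 15 KB, which still fits under Node's
// default 16 KB maxHeaderSize: small enough to be accepted by the parser,
// large enough to mean 2500 decoder streams without a link limit.
const SAMPLES = {
  benign: 'gzip',
  stacked: 'gzip, br',
  tooDeep: 'gzip, gzip, gzip, gzip, gzip',
  unknown: 'gzip, rot13',
  hostile: Array(2500).fill('gzip').join(', '),
};

// Run every sample through the check and report the decision for each.
function evaluateSamples() {
  const results = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    const r = parseContentEncodingChain(value);
    results[name] = r.ok ? `accept, decode ${decodeOrder(r.codings).join(' -> ') || '(nothing)'}` : `reject: ${r.reason}`;
  }
  return results;
}

for (const [name, verdict] of Object.entries(evaluateSamples())) {
  console.log(`${name.padEnd(8)} ${verdict}`);
}
```

The same bound can be applied by any HTTP client or proxy that decompresses response bodies on behalf of callers; the point is that the limit is enforced on the header before the first decoder is instantiated, so CPU and memory cost stay proportional to a small constant rather than to what the origin chose to send.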
--- Begin Message ---
Source: node-undici
Source-Version: 7.18.2+dfsg+~cs3.2.0-1
Done: Jérémy Lal <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jérémy Lal <[email protected]> (supplier of updated node-undici package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 15 Jan 2026 22:23:32 +0100
Source: node-undici
Architecture: source
Version: 7.18.2+dfsg+~cs3.2.0-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Jérémy Lal <[email protected]>
Closes: 1125679
Changes:
node-undici (7.18.2+dfsg+~cs3.2.0-1) unstable; urgency=medium
.
* New upstream version 7.18.2+dfsg+~cs3.2.0
CVE-2026-22036: Unbounded decompression chain in HTTP responses
via Content-Encoding leads to resource exhaustion. Closes: #1125679.
* Switch to watch 5
* Update salsa-ci.yml
Checksums-Sha1:
cddc9e695b1594b2d2f6b21a90b359349fab4468 2706
node-undici_7.18.2+dfsg+~cs3.2.0-1.dsc
1e975bdeff806d9ffb1cb822539a2d74b6b5ac17 40048
node-undici_7.18.2+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
2a5fa4c16901be413e9d0a1432af3d7f4bc06e97 533312
node-undici_7.18.2+dfsg+~cs3.2.0.orig.tar.xz
9cd239542fcd79a70b022a656c447b7c29fbd9f6 213460
node-undici_7.18.2+dfsg+~cs3.2.0-1.debian.tar.xz
2a19f38203cef4793a6076341179a55fdc66bbea 9835
node-undici_7.18.2+dfsg+~cs3.2.0-1_source.buildinfo
Checksums-Sha256:
e5515cd003527bd693f248b0649f54c650d1e70858a90b67632d9cd5654b1c55 2706
node-undici_7.18.2+dfsg+~cs3.2.0-1.dsc
38d43f2df5ac3dcf51cc5a9866973fe5951f90bd44d9fab8dbf0dc2ed0f025f3 40048
node-undici_7.18.2+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
83eff5ad96215ac14c3b50678e8276d00b4512684ab4b805cd530e36b2c37396 533312
node-undici_7.18.2+dfsg+~cs3.2.0.orig.tar.xz
2e6364c459fc3a90c570fa98ce7ecffe0552dd4afbf53951dd5176927cf8eb1e 213460
node-undici_7.18.2+dfsg+~cs3.2.0-1.debian.tar.xz
311ebecccaf9d21142211cf3bad7594ccd7255b8f9735d2aa08e2756b76ceacf 9835
node-undici_7.18.2+dfsg+~cs3.2.0-1_source.buildinfo
Files:
9c1c0c362748c4192f3f2dc57be3e678 2706 javascript optional
node-undici_7.18.2+dfsg+~cs3.2.0-1.dsc
a03285069cc3d8477877fba2f1eabf2f 40048 javascript optional
node-undici_7.18.2+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
db22716e2d781a1092696d4ee9c8fc45 533312 javascript optional
node-undici_7.18.2+dfsg+~cs3.2.0.orig.tar.xz
996dddb878860c22bd625067ec34675b 213460 javascript optional
node-undici_7.18.2+dfsg+~cs3.2.0-1.debian.tar.xz
2a10dc521a4f8c8d9f71b7d03f71bc9b 9835 javascript optional
node-undici_7.18.2+dfsg+~cs3.2.0-1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
=qvhQ
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel