Your message dated Fri, 08 May 2026 20:46:34 +0000
with message-id <[email protected]>
and subject line Bug#1135998: fixed in node-ajv 8.20.0~ds+~cs6.1.3-1
has caused the Debian Bug report #1135998,
regarding node-ajv: CVE-2026-6321 CVE-2026-6322
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1135998: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135998
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-ajv
X-Debbugs-CC: [email protected]
Severity: important
Tags: security

Hi,

The following vulnerabilities were published for node-ajv.

CVE-2026-6321[0]:
| fast-uri decoded percent-encoded path separators and dot segments
| before applying dot-segment removal in its normalize() and equal()
| functions. Encoded path data was treated like real slashes and
| parent-directory references, so distinct URIs could collapse onto
| the same normalized path. Applications that normalize or compare
| attacker-controlled URLs to enforce path-based policy can be
| bypassed, with a path that appears confined under an allowed prefix
| normalizing to a different location. Versions <= 3.1.0 are affected.
| Update to 3.1.1 or later.

https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6
Fixed by: 
https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35 (v3.1.1)


CVE-2026-6322[1]:
| fast-uri normalize() decoded percent-encoded authority delimiters
| inside the host component and then re-emitted them as raw delimiters
| during serialization. A host that combined an allowed domain, an
| encoded at-sign, and a different domain was re-emitted with the at-
| sign as a raw userinfo separator, changing the URI's authority to
| the second domain. Applications that normalize untrusted URLs before
| host allowlist checks, redirect validation, or outbound request
| routing can be steered to a different authority than the input
| appeared to specify. Versions <= 3.1.1 are affected. Update to 3.1.2
| or later.

https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc
https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293 (v3.1.2)


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6321
    https://www.cve.org/CVERecord?id=CVE-2026-6321
[1] https://security-tracker.debian.org/tracker/CVE-2026-6322
    https://www.cve.org/CVERecord?id=CVE-2026-6322

Please adjust the affected versions in the BTS as needed.

--- End Message ---
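Both advisories above describe the same mistake: percent-decoding the input before its structure (path segments, authority delimiters) is interpreted. The following is an added example, not code from fast-uri or node-ajv, showing a policy-side parser that keeps encoded delimiters inert, beside the unsafe decode-first order for contrast; the helper names and the sample URIs are constructed for this illustration.

```javascript
// Added example, not fast-uri's code: parse a URI for policy checks so that
// percent-encoded delimiters cannot change its structure (names are my own).
const URI_RE = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]*)([^?#]*)/i;

// RFC 3986 remove_dot_segments on the RAW absolute path: only literal "." and
// ".." are dot segments, so "%2E" and "%2F" stay encoded and structurally inert.
function removeDotSegments(path) {
  const segs = path.split('/'), out = [];
  for (let i = 0; i < segs.length; i++) {
    const seg = segs[i], last = i === segs.length - 1;
    if (seg === '.') { if (last) out.push(''); continue; }
    if (seg === '..') {
      if (out.length > 1) out.pop();   // never pop the leading "" (the root)
      if (last) out.push('');
      continue;
    }
    out.push(seg);
  }
  return out.join('/');
}

// Authority is split on the literal "@" and ":" only; an encoded "%40" stays
// part of the host text and therefore never matches an allowlisted name.
function parseForPolicy(uri) {
  const m = URI_RE.exec(uri);
  if (!m) return null;
  const [, scheme, authority, path] = m;
  const at = authority.lastIndexOf('@');
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  const host = hostport.replace(/:\d*$/, '').toLowerCase();
  return { scheme: scheme.toLowerCase(), host, path: removeDotSegments(path) };
}

// Conservative choice for this example: a path still carrying an encoded "/" or
// "." is ambiguous (consumers decode it differently) and is refused outright.
const AMBIGUOUS_ESCAPE = /%2[ef]/i;
function isAllowed(uri, allowedHosts, pathPrefix) {
  const p = parseForPolicy(uri);
  return p !== null && p.scheme === 'https' && allowedHosts.includes(p.host)
    && p.path.startsWith(pathPrefix) && !AMBIGUOUS_ESCAPE.test(p.path);
}

// The unsafe order the advisories describe, kept only for contrast: decoding
// first turns "%2e%2e" into ".." and "%40" into "@" before structure is read.
function naiveParse(uri) {
  try { return parseForPolicy(decodeURIComponent(uri)); } catch { return null; }
}
// Constructed inputs shaped like the two advisory cases (not real hosts).
const SAMPLES = ['https://cdn.example/public/%2e%2e/admin',
                 'https://cdn.example%40evil.example/public/index.html'];
```

With the safe order, the first sample keeps its path `/public/%2e%2e/admin` and the second keeps host `cdn.example%40evil.example`, so neither passes the allowlist; `naiveParse` collapses them to `/admin` and `evil.example`, which is exactly the confusion the advisories describe.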
--- Begin Message ---
Source: node-ajv
Source-Version: 8.20.0~ds+~cs6.1.3-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-ajv, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-ajv package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 08 May 2026 21:28:02 +0200
Source: node-ajv
Architecture: source
Version: 8.20.0~ds+~cs6.1.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1135998
Changes:
 node-ajv (8.20.0~ds+~cs6.1.3-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 8.20.0~ds+~cs6.1.3
     (Closes: #1135998, CVE-2026-6321, CVE-2026-6322)
   * Refresh patches


Attachment: pgp6XUVIOcaDF.pgp
Description: PGP signature


--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
