Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
[ Reason ]
node-fetch is vulnerable to a privacy breach (CVE-2022-0235)
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed
[ Risks ]
Low risk: the patch just cleans headers
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Clean headers before request
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 7f3da38..31eb312 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-fetch (2.6.1-5+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Don't forward secure headers to 3th party (Closes: CVE-2022-0235)
+
+ -- Yadd Wed, 19 Jan 2022 16:46:28 +0100
+
node-fetch (2.6.1-5) unstable; urgency=medium
* Team upload
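Review bot: `(Closes: CVE-2022-0235)` in the new changelog entry will not close anything: dpkg-parsechangelog only extracts Debian bug numbers after `Closes:`, so a CVE id there is silently ignored and no bug gets closed. Cite the CVE as plain text, e.g. `* Don't forward secure headers to third party (CVE-2022-0235)`, and use `Closes:` only with a Debian bug number if one is filed for this issue. While editing that line, fix "3th party" to "third party"; the same typo is in the patch Description below.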
diff --git a/debian/patches/CVE-2022-0235.patch b/debian/patches/CVE-2022-0235.patch
new file mode 100644
index 000..d97cd7a
--- /dev/null
+++ b/debian/patches/CVE-2022-0235.patch
@@ -0,0 +1,22 @@
+Description: don't forward secure headers to 3th party
+Author: Jimmy Wärting
+Origin: upstream, https://github.com/node-fetch/node-fetch/commit/f5d3cf5e
+Bug: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-01-19
+
+--- a/src/index.js
b/src/index.js
+@@ -170,6 +170,11 @@
+ requestOpts.body =
undefined;
+
requestOpts.headers.delete('content-length');
+ }
++if (!isDomainOrSubdomain(request.url, locationURL)) {
++ for (const name of
['authorization', 'www-authenticate', 'cookie', 'cookie2']) {
++
requestOptions.headers.delete(name);
++ }
++ }
+
+ // HTTP-redirect fetch step 15
+ resolve(fetch(new
Request(locationURL, requestOpts)));
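Review bot: the added block in the src/index.js hunk deletes from `requestOptions.headers`, but every other line of this hunk uses `requestOpts` (`requestOpts.body = undefined`, `requestOpts.headers.delete('content-length')`, `new Request(locationURL, requestOpts)`), so `requestOptions` is undefined in this version of the file and the first redirect to another domain will throw a ReferenceError instead of stripping the headers. Change it to `requestOpts.headers.delete(name);`. The block also calls `isDomainOrSubdomain(request.url, locationURL)`, yet the hunk adds neither a definition nor an import for that helper; the backport needs both or the same ReferenceError results. Because both faults only surface on a cross-domain redirect, please confirm that the "Test passed" run in [ Tests ] actually exercises a redirect to a different host; a suite that never enters this branch would not catch either. Finally, the caveat: the check compares domains only, so a redirect from https://example.com to http://example.com (or any http:// subdomain) still forwards authorization and cookie headers; if that downgrade case matters for bullseye, a same-protocol check belongs alongside this one.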
diff --git a/debian/patches/series b/debian/patches/series
index 882f8ed..20c4319 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
babelrc.patch
fix-default-export.diff
drop-legacy-rollup-babel-plugin.patch
+CVE-2022-0235.patch