Your message dated Tue, 17 Jun 2014 21:54:27 +0000
with message-id <e1wx1kl-0000aq...@franck.debian.org>
and subject line Bug#744374: fixed in node-connect 3.0.0-1
has caused the Debian Bug report #744374,
regarding node-connect: methodOverride middleware reflected cross-site scripting (CVE-2013-7370 CVE-2013-7371)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
744374: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=744374
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: node-connect
Severity: serious
Tags: security fixed-upstream

The Node Security Project discovered an XSS vulnerability in the node
connect module, please fix this bug by upgrading node-connect.

Vulnerable: <=2.8.0
Patched: >=2.8.1

Report:
https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting

Upstream bug report:
https://github.com/senchalabs/connect/issues/831

First fix:
https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135

Second fix:
https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

--
bye,
pabs

http://wiki.debian.org/PaulWise
--- End Message ---
--- Begin Message ---
Source: node-connect
Source-Version: 3.0.0-1

We believe that the bug you reported is fixed in the latest version of
node-connect, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 744...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Leo Iannacone <l...@ubuntu.com> (supplier of updated node-connect package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 17 Jun 2014 21:47:22 +0200
Source: node-connect
Binary: node-connect
Architecture: source all
Version: 3.0.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Leo Iannacone <l...@ubuntu.com>
Description: node-connect - extensible HTTP server framework - Node.js module
Closes: 744374
Changes:
 node-connect (3.0.0-1) unstable; urgency=low
 .
   * New upstream release (closes: #744374)
   * debian/watch: update to check github repository
   * debian/copyright:
     + replace MIT license name with Expat
     + set copyright-format 1.0
     + add Upstream-Contact field
     + add Source field
   * debian/control:
     + update dependencies according with package.json
     + add nodejs as Build-Depends, avoids availability on platforms
       nodejs isn't built
     + add binary dependencies, mocha, node-should and node-supertest
       as Build-Depends - required for running tests
     + bump Standards-Version 3.9.5
     + update package description
     + update VCS-* urls to be under pkg-javascript in alioth
   * debian/install:
     + do not change module path tree - install whole lib/ directory
     + install index.js and package.json
   * debian/links: no longer needed - remove
   * debian/docs: install Readme.md as doc
   * debian/rules:
     + install History.md as upstream changelog
     + remove override_dh_autoinstall - no longer needed
     + enable tests
   * debian/patches: deleted, no longer needed
   * debian/NEWS: add NEWS file documenting why middlewares are no longer
     included in Connect.
--- End Message ---