Bug#994583: buster-pu: package node-axios/0.17.1+dfsg-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] Another regex denial of service [ Impact ] Medium vulnerability [ Tests ] test passed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Use trim() instead of a regex Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 88ae229..d73d015 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-axios (0.17.1+dfsg-2+deb10u1) buster; urgency=medium + + * Team upload + * Fix reDoS (Closes: CVE-2021-3749) + + -- Yadd Sat, 18 Sep 2021 07:31:53 +0200 + node-axios (0.17.1+dfsg-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3749.patch b/debian/patches/CVE-2021-3749.patch new file mode 100644 index 000..802174f --- /dev/null +++ b/debian/patches/CVE-2021-3749.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: ready-research <72916209+ready-resea...@users.noreply.github.com> +Origin: upstream, https://github.com/axios/axios/commit/eef56014 +Bug: https://github.com/axios/axios/pull/3980 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-18 + +--- a/lib/utils.js b/lib/utils.js +@@ -162,7 +162,7 @@ + * @returns {String} The String freed of excess whitespace + */ + function trim(str) { +- return str.replace(/^\s*/, '').replace(/\s*$/, ''); ++return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, ''); + } + + /** diff --git a/debian/patches/series b/debian/patches/series index 877fd7a..1f39c51 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ skip-unneeded-modules.patch use-webpack3.patch CVE-2019-10742.diff +CVE-2021-3749.patch 
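Review bot: the fallback branch in the `+` line of the lib/utils.js hunk, `str.replace(/^\s+|\s+$/g, '')`, keeps a trailing-whitespace alternative (`\s+$`) with the same backtracking profile as the `\s*$` being removed, so the ReDoS is only fixed on engines where `String.prototype.trim` exists; since every engine this axios would run on has it, the fallback is dead code in practice. Either drop the fallback or replace it with a loop that scans back from the end, and state in the patch Description that `trim()` is the real fix. Also, if it is not just an artefact of how the mail was rendered, the `++return ...` line has lost the indentation of the `+- return ...` it replaces; worth checking the patch applies with the intended indentation.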
diff --git a/debian/patches/skip-unneeded-modules.patch b/debian/patches/skip-unneeded-modules.patch index 9c63950..6f69f30 100644 --- a/debian/patches/skip-unneeded-modules.patch +++ b/debian/patches/skip-unneeded-modules.patch @@ -2,7 +2,7 @@ These are optional modules --- a/package.json +++ b/package.json -@@ -38,10 +38,6 @@ +@@ -39,10 +39,6 @@ "grunt-cli": "^1.2.0", "grunt-contrib-clean": "^1.0.0", "grunt-contrib-nodeunit": "^1.0.0", diff --git a/debian/patches/use-webpack3.patch b/debian/patches/use-webpack3.patch index 43e264b..8f140f7 100644 --- a/debian/patches/use-webpack3.patch +++ b/debian/patches/use-webpack3.patch @@ -10,7 +10,7 @@ Subject: [PATCH] Updating webpack to v3.x --- a/package.json +++ b/package.json -@@ -38,7 +38,7 @@ +@@ -39,7 +39,7 @@ "grunt-cli": "^1.2.0", "grunt-contrib-clean": "^1.0.0", "grunt-contrib-nodeunit": "^1.0.0", @@ -19,7 +19,7 @@ Subject: [PATCH] Updating webpack to v3.x "istanbul-instrumenter-loader": "^1.0.0", "jasmine-core": "^2.4.1", "karma": "^1.3.0", -@@ -58,10 +58,10 @@ +@@ -59,10 +59,10 @@ "minimist": "^1.2.0", "phantomjs-prebuilt": "^2.1.7", "sinon": "^1.17.4",
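Review bot: the refreshed hunk headers in skip-unneeded-modules.patch and use-webpack3.patch (`@@ -38,... @@` becoming `@@ -39,... @@`, and `-58`/`-59`) only shift package.json offsets by one line, but the changelog entry mentions only the CVE fix; a "Refresh patches" line in d/changelog would make clear that these context-only changes are intentional and not an unrelated package.json edit.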
Bug#992563: transition: gdal
On 9/12/21 7:54 PM, Sebastiaan Couwenberg wrote: > grass & otb in experiment still need to be rebuilt. grass had a source upload, only otb in experimental needs a binNMU now. Quite a few packages on mipsel may need a binNMU for the recent glibc changes, it allowed libgdal-grass to migrate, but there are still quite a few packages with remaining issues: https://linuxminded.nl/debian/gis-transitions/testing/html/gdal.html Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Bug#987372: buster-pu: package distro-info-data/0.41+deb10u3 OR (distro-info/1.0~deb10u1 AND distro-info-data/0.47~deb10u1)
Hi SRMs (2021.04.22_09:57:49_-0700) Given the lack of reply here, let's stick with the minimal option. There have been more changes since the last patch, so here's an updated debdiff. Uploaded to buster-proposed-updates. > [ Checklist ] > [x] *all* changes are documented in the d/changelog > [x] I reviewed all changes and I approve them > [x] attach debdiff against the package in stable > [x] the issue is verified as fixed in unstable Still true. Changes: distro-info-data (0.41+deb10u4) buster; urgency=medium * Update data to 0.51, without new columns: - Add estimated date for Buster EOL. - Correct the EOL date for Debian Jessie. - Add Debian 13 "Trixie", with a rough date. - Add Ubuntu 21.10, Impish Indri. - Move Ubuntu EoLs off weekends. - Validate that Ubuntu EoLs occur during the week. - Set bullseye's release date, bookworm's creation date, and buster's EoL date based on the updated planned bullseye release date. -- Stefano Rivera Fri, 17 Sep 2021 15:30:21 -0700 SR -- Stefano Rivera http://tumbleweed.org.za/ +1 415 683 3272 diff -Nru distro-info-data-0.41+deb10u3/debian/changelog distro-info-data-0.41+deb10u4/debian/changelog --- distro-info-data-0.41+deb10u3/debian/changelog 2020-11-02 12:44:14.0 -0800 +++ distro-info-data-0.41+deb10u4/debian/changelog 2021-09-17 15:30:21.0 -0700 
@@ -1,3 +1,17 @@ +distro-info-data (0.41+deb10u4) buster; urgency=medium + + * Update data to 0.51, without new columns: +- Add estimated date for Buster EOL. +- Correct the EOL date for Debian Jessie. +- Add Debian 13 "Trixie", with a rough date. +- Add Ubuntu 21.10, Impish Indri. +- Move Ubuntu EoLs off weekends. +- Validate that Ubuntu EoLs occur during the week. +- Set bullseye's release date, bookworm's creation date, and buster's EoL + date based on the updated planned bullseye release date. + + -- Stefano Rivera Fri, 17 Sep 2021 15:30:21 -0700 + distro-info-data (0.41+deb10u3) buster; urgency=medium * Update data to 0.45: diff -Nru distro-info-data-0.41+deb10u3/debian.csv distro-info-data-0.41+deb10u4/debian.csv --- distro-info-data-0.41+deb10u3/debian.csv2020-11-02 12:44:14.0 -0800 +++ distro-info-data-0.41+deb10u4/debian.csv2021-09-17 15:30:21.0 -0700 @@ -11,10 +11,11 @@ 5.0,Lenny,lenny,2007-04-08,2009-02-14,2012-02-06 6.0,Squeeze,squeeze,2009-02-14,2011-02-06,2014-05-31 7,Wheezy,wheezy,2011-02-06,2013-05-04,2016-04-26 -8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-06 +8,Jessie,jessie,2013-05-04,2015-04-25,2018-06-17 9,Stretch,stretch,2015-04-25,2017-06-17,2020-07-06 -10,Buster,buster,2017-06-17,2019-07-06 -11,Bullseye,bullseye,2019-07-06 -12,Bookworm,bookworm,2021-08-01 +10,Buster,buster,2017-06-17,2019-07-06,2022-08-14 +11,Bullseye,bullseye,2019-07-06,2021-08-14,2024-08-14 +12,Bookworm,bookworm,2021-08-14 +13,Trixie,trixie,2023-08-01 ,Sid,sid,1993-08-16 ,Experimental,experimental,1993-08-16 diff -Nru distro-info-data-0.41+deb10u3/ubuntu.csv distro-info-data-0.41+deb10u4/ubuntu.csv --- distro-info-data-0.41+deb10u3/ubuntu.csv2020-11-02 12:44:14.0 -0800 +++ distro-info-data-0.41+deb10u4/ubuntu.csv2021-09-17 15:30:21.0 -0700 
@@ -32,4 +32,5 @@ 19.10,Eoan Ermine,eoan,2019-04-18,2019-10-17,2020-07-17 20.04 LTS,Focal Fossa,focal,2019-10-17,2020-04-23,2025-04-23 20.10,Groovy Gorilla,groovy,2020-04-23,2020-10-22,2021-07-22 -21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-22 +21.04,Hirsute Hippo,hirsute,2020-10-22,2021-04-22,2022-01-20 +21.10,Impish Indri,impish,2021-04-22,2021-10-14,2022-07-14 diff -Nru distro-info-data-0.41+deb10u3/validate-csv-data distro-info-data-0.41+deb10u4/validate-csv-data --- distro-info-data-0.41+deb10u3/validate-csv-data 2020-11-02 12:44:14.0 -0800 +++ distro-info-data-0.41+deb10u4/validate-csv-data 2021-09-17 15:30:21.0 -0700 @@ -21,6 +21,7 @@ import optparse import os import sys +from datetime import date _COLUMNS = { "debian": ("version", "codename", "series", "created", "release", "eol"), @@ -121,6 +122,17 @@ "to the given date in column `%s'") error(filename, csvreader.line_num, msg, date1, date2) failures += 1 +# Check that Ubuntu EOL lands on a weekday +if distro == 'ubuntu': +for column, eol_date in row.items(): +if not column.startswith('eol'): +continue +if not eol_date: +continue +if eol_date.weekday() > 5 and eol_date >= date(2021, 1, 1): +msg = '%s for %s lands on a weekend (%s)' +error(filename, csvreader.line_num, msg, column, + row['codename'], date) return failures == 0
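Review bot: the weekday check added to validate-csv-data in the last hunk has two defects. `eol_date.weekday() > 5` is true only for Sunday (Python's `weekday()` returns 0 for Monday and 5 for Saturday), so Saturday EOLs pass; 2022-01-22, the Hirsute EOL that this very upload moves to 2022-01-20 in the ubuntu.csv hunk, is a Saturday and would not have been flagged. Use `>= 5`. Second, the `error(...)` call passes `date` (the class imported from datetime in the first hunk) instead of `eol_date`, so the `%s` meant for the offending date would print the class. Both points assume the `row[...]` values are already `datetime.date` objects, as the `date1`/`date2` comparison in the surrounding context suggests; if they are still strings, `.weekday()` raises AttributeError.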
NEW changes in stable-new
Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_mipsel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_mips64el-buildd.changes ACCEPT
Bug#992870: transition: GNOME 40 (libmutter-8-0 and friends)
On Fri, 17 Sep 2021 at 22:52:45 +0200, Sebastian Ramacher wrote: > glibc is still not able to migrate, but I have scheduled binNMUs of > packages involved against the version with the fixed symbols files. > mutter should be able to migrate in the next run. > > If there are other uploads blocked by glibc and I missed to binNMU them, > please let me know. I think gnome-settings-daemon:mipsel and gnome-shell:mipsel would also benefit from binNMUs: nmu gnome-settings-daemon_40.0.1-2 gnome-shell_40.4-3 . mipsel . -m 'Rebuild against glibc with #994232 fixed' and while you're there, there seems to be an extension containing architecture-specific code that isn't critical for the transition but does need an update for the new Shell, which might as well skip past glibc as well: nmu gnome-shell-mailnag_40.0-1 . mipsel . -m 'Rebuild against glibc with #994232 fixed' Thanks, smcv
NEW changes in stable-new
Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_armel-buildd.changes ACCEPT
NEW changes in stable-new
Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_all-buildd.changes ACCEPT Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_amd64-buildd.changes ACCEPT Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_arm64-buildd.changes ACCEPT Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_armhf-buildd.changes ACCEPT Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_i386-buildd.changes ACCEPT Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_ppc64el-buildd.changes ACCEPT Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_s390x-buildd.changes ACCEPT
Bug#992870: transition: GNOME 40 (libmutter-8-0 and friends)
On 2021-09-15 20:09:26 +0200, Sebastian Ramacher wrote: > On 2021-09-14 09:12:34 +0100, Simon McVittie wrote: > > On Sun, 12 Sep 2021 at 20:17:36 +0100, Simon McVittie wrote: > > > According to > > > https://release.debian.org/transitions/html/auto-upperlimit-gnome-shell.html > > > it might be necessary to remove > > > gnome-shell-extension-easyscreencast_1.1.0+git20210116.3252312-1 from > > > testing if #993061 cannot be fixed soon. The other packages with an upper > > > limit have already been uploaded to unstable and will hopefully transition > > > reasonably smoothly. > > > > Looking at the migration excuses for gnome-shell, I think we will need > > something more like this: > > > > remove gnome-shell-extension-dashtodock/69-1 > > remove gnome-shell-extension-desktop-icons/20.04.0+git20200908-8 > > remove gnome-shell-extension-easyscreencast/1.1.0+git20210116.3252312-1 > > Removal hints added > > > > > I'm not sure why the first two would block migration since they don't have > > an upper limit on their version numbers, but those extensions haven't been > > ported to gnome-shell 40, so they aren't going to work in practice anyway. > > > > Unfortunately this transition has got caught behind glibc, so will likely > > take a while to migrate. This seems to be a bug in glibc's mipsel symbols > > file (I'll open a bug for that). > > Thanks. The latest upload of glibc looks like it would soon be able to > migrate and fixed the symbols file. If there are new regressions that > prevent migration of some of the ongoing transitions, I will look at some > additional binNMUs glibc is still not able to migrate, but I have scheduled binNMUs of packages involved against the version with the fixed symbols files. mutter should be able to migrate in the next run. If there are other uploads blocked by glibc and I missed to binNMU them, please let me know. Cheers > > Cheers > > > > > smcv > > > > -- > Sebastian Ramacher -- Sebastian Ramacher
Bug#994574: bullseye-pu: package dazzdb/1.0+git20201103.8d98c37-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: sramac...@debian.org, daz...@packages.debian.org [ Reason ] glibc 2.32 uncovered a use-after-free issue in dazzdb (#993770). While dazzdb technically does not crash on bullseye, a fix for the issue helps us in avoiding a Breaks in glibc for bullseye -> bookworm upgrades. [ Tests ] The code is covered by autopkgtests [ Risks ] It's the exact same patch as in unstable. [ Checklist ] [x] *all* changes are documented in the d/changelog [x] I reviewed all changes and I approve them [x] attach debdiff against the package in (old)stable [x] the issue is verified as fixed in unstable Cheers -- Sebastian Ramacher diff -Nru dazzdb-1.0+git20201103.8d98c37/debian/changelog dazzdb-1.0+git20201103.8d98c37/debian/changelog --- dazzdb-1.0+git20201103.8d98c37/debian/changelog 2021-01-19 10:02:03.0 +0100 +++ dazzdb-1.0+git20201103.8d98c37/debian/changelog 2021-09-17 20:48:03.0 +0200 @@ -1,3 +1,10 @@ +dazzdb (1.0+git20201103.8d98c37-1+deb11u1) bullseye; urgency=medium + + [ Aurelien Jarno ] + * Fix a use-after-free in DBstats (Closes: #993770) + + -- Sebastian Ramacher Fri, 17 Sep 2021 20:48:03 +0200 + dazzdb (1.0+git20201103.8d98c37-1) unstable; urgency=medium * New upstream version diff -Nru dazzdb-1.0+git20201103.8d98c37/debian/patches/series dazzdb-1.0+git20201103.8d98c37/debian/patches/series --- dazzdb-1.0+git20201103.8d98c37/debian/patches/series2021-01-19 10:02:03.0 +0100 +++ dazzdb-1.0+git20201103.8d98c37/debian/patches/series2021-09-14 20:49:54.0 +0200 
@@ -2,3 +2,4 @@ compiler-flags.patch destdir.patch cross.patch +use-after-free.patch diff -Nru dazzdb-1.0+git20201103.8d98c37/debian/patches/use-after-free.patch dazzdb-1.0+git20201103.8d98c37/debian/patches/use-after-free.patch --- dazzdb-1.0+git20201103.8d98c37/debian/patches/use-after-free.patch 1970-01-01 01:00:00.0 +0100 +++ dazzdb-1.0+git20201103.8d98c37/debian/patches/use-after-free.patch 2021-09-14 20:49:57.0 +0200 @@ -0,0 +1,16 @@ +Description: fix a use-after-free causing a segmentation fault with glibc 2.32 +Author: Aurelien Jarno +Forwarded: https://github.com/thegenemyers/DAZZ_DB/issues/41 +Last-Update: 2021-09-14 + +--- dazzdb-1.0+git20201103.8d98c37.orig/DBstats.c dazzdb-1.0+git20201103.8d98c37/DBstats.c +@@ -346,8 +346,6 @@ int main(int argc, char *argv[]) + } + } + printf("\n"); +- +-Close_Track(db,track); + } + } + signature.asc Description: PGP signature
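Review bot: the use-after-free.patch hunk only deletes `Close_Track(db,track);` from the loop in DBstats.c main(), and nothing in the visible context shows what now releases the track; the patch Description should say where the track is freed (the upstream issue #41 linked in Forwarded: is presumably where that reasoning lives), otherwise a reader cannot tell this fix apart from a plain leak. A one-line summary of that justification in the Description would close the gap.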
Processed: Re: Bug#994097: bullseye-pu: package osmpbf/1.5.0-1+deb11u1
Processing control commands: > tag -1 moreinfo Bug #994097 [release.debian.org] bullseye-pu: package osmpbf/1.5.0-1+deb11u1 Added tag(s) moreinfo. -- 994097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994097 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#994097: bullseye-pu: package osmpbf/1.5.0-1+deb11u1
Control: tag -1 moreinfo On Sat, Sep 11, 2021 at 07:34:27PM +0200, Bas Couwenberg wrote: > [ Reason ] > As reported in #993895, the update of protobuf to 3.12.4 requires > regenerating the header files. > > [ Impact ] > Headers provided by libosmpbf-dev are unusable. Is that the only package affected? If so (i.e. no arch-indep packages need rebuilding) we can deal with it through a binNMU instead. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Processed: Re: Bug#993899: bullseye-pu: package btrbk/0.27.1-1.1+deb11u1
Processing control commands: > tag -1 confirmed moreinfo Bug #993899 [release.debian.org] bullseye-pu: package btrbk/0.27.1-1.1+deb11u1 Added tag(s) confirmed and moreinfo. -- 993899: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993899 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#993899: bullseye-pu: package btrbk/0.27.1-1.1+deb11u1
Control: tag -1 confirmed moreinfo On Tue, Sep 07, 2021 at 09:09:33PM +, Thorsten Alteholz wrote: > The attached debdiff for btrbk fixes CVE-2021-38173 in Bullseye. > > This CVE is marked as no-dsa by the security team. > > The same patch was already uploaded to unstable with version 0.27.1-2. Please go ahead, and remove the moreinfo tag from this bug when uploaded. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Processed: Re: Bug#993523: bullseye-pu: package osmcoastline/2.3.0-1+deb11u1
Processing control commands: > tag -1 confirmed moreinfo Bug #993523 [release.debian.org] bullseye-pu: package osmcoastline/2.3.0-1+deb11u1 Added tag(s) moreinfo and confirmed. -- 993523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993523 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#993523: bullseye-pu: package osmcoastline/2.3.0-1+deb11u1
Control: tag -1 confirmed moreinfo On Thu, Sep 02, 2021 at 04:04:32PM +0200, Bas Couwenberg wrote: > [ Reason ] > As reported on the GIS list by the upstream author, osmcoastline in > bullseye doesn't work with projections other than WGS84. Please go ahead, and remove the moreinfo tag from this bug when uploaded. Thanks, -- Jonathan Wiltshire j...@debian.org Debian Developer http://people.debian.org/~jmw 4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug#993523: bullseye-pu: package osmcoastline/2.3.0-1+deb11u1
Control: tags -1 - moreinfo On 9/17/21 7:46 PM, Jonathan Wiltshire wrote: > On Thu, Sep 02, 2021 at 04:04:32PM +0200, Bas Couwenberg wrote: >> [ Reason ] >> As reported on the GIS list by the upstream author, osmcoastline in >> bullseye doesn't work with projections other than WGS84. > > Please go ahead, and remove the moreinfo tag from this bug when uploaded. Done, thanks! Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
Processed: Re: Bug#993523: bullseye-pu: package osmcoastline/2.3.0-1+deb11u1
Processing control commands: > tags -1 - moreinfo Bug #993523 [release.debian.org] bullseye-pu: package osmcoastline/2.3.0-1+deb11u1 Ignoring request to alter tags of bug #993523 to the same tags previously set -- 993523: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993523 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#994560: transition: libffi
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Update libffi to version 3.4.2. The transition was done for Ubuntu, a handful of bugs regarding build failures (mostly due to GCC 11) are filed in Debian. I would like to get this done before the ghc version in unstable changes, due to the rather large number of ghc related no-change uploads.
Processed: Re: Bug#994097: bullseye-pu: package osmpbf/1.5.0-1+deb11u1
Processing control commands: > tags -1 - moreinfo Bug #994097 [release.debian.org] bullseye-pu: package osmpbf/1.5.0-1+deb11u1 Ignoring request to alter tags of bug #994097 to the same tags previously set -- 994097: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994097 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#994097: bullseye-pu: package osmpbf/1.5.0-1+deb11u1
Control: tags -1 - moreinfo On 9/17/21 7:56 PM, Jonathan Wiltshire wrote: > On Sat, Sep 11, 2021 at 07:34:27PM +0200, Bas Couwenberg wrote: >> [ Reason ] >> As reported in #993895, the update of protobuf to 3.12.4 requires >> regenerating the header files. >> >> [ Impact ] >> Headers provided by libosmpbf-dev are unusable. > > Is that the only package affected? If so (i.e. no arch-indep packages need > rebuilding) we can deal with it through a binNMU instead. libosmpbf-java seems fine, mkgmap-splitter in bullseye was able to parse a pbf file and osmosis was able to read and write pbf files too. Kind Regards, Bas -- GPG Key ID: 4096R/6750F10AE88D4AF1 Fingerprint: 8182 DE41 7056 408D 6146 50D1 6750 F10A E88D 4AF1
NEW changes in stable-new
Processing changes file: freeradius_3.0.21+dfsg-2.2+deb11u1_source.changes ACCEPT
Processed: freeradius 3.0.21+dfsg-2.2+deb11u1 flagged for acceptance
Processing commands for cont...@bugs.debian.org: > package release.debian.org Limiting to bugs with field 'package' containing at least one of 'release.debian.org' Limit currently set to 'package':'release.debian.org' > tags 993604 = bullseye pending Bug #993604 [release.debian.org] bullseye-pu: package freeradius/3.0.21+dfsg-2.2+deb11u1 Added tag(s) pending; removed tag(s) confirmed. > thanks Stopping processing here. Please contact me if you need assistance. -- 993604: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993604 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#993604: freeradius 3.0.21+dfsg-2.2+deb11u1 flagged for acceptance
package release.debian.org tags 993604 = bullseye pending thanks Hi, The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: freeradius Version: 3.0.21+dfsg-2.2+deb11u1 Explanation: fix thread crash, sample configuration
Bug#994555: bullseye-pu: package node-object-path/0.11.5-3+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-object-path is vulnerable to prototye pollution (CVE-2021-23434 and CVE-2021-3805 [ Impact ] Medium vulnerability [ Tests ] Test passed with these patches, including new checks [ Risks ] Low risk, package is not really different than the one pushed to unstable (only doc differs). [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks [ Other info ] Note that we could upload a 0.11.8-1~deb11u1: there is no differences except a documentation update. If you agree, I prefer this way. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index f1e6929..ce9339e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-object-path (0.11.5-3+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2021-23434) + * Fix prototype pollution (Closes: CVE-2021-3805) + + -- Yadd Fri, 17 Sep 2021 18:38:10 +0200 + node-object-path (0.11.5-3) unstable; urgency=medium * Team upload diff --git a/debian/gbp.conf b/debian/gbp.conf index b713356..e11bcb5 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,5 +1,6 @@ [DEFAULT] pristine-tar = True +debian-branch = bullseye [import-orig] filter = [ '.gitignore', '.travis.yml', '.git*' ] diff --git a/debian/patches/CVE-2021-23434.patch b/debian/patches/CVE-2021-23434.patch new file mode 100644 index 000..8d08d2e --- /dev/null +++ b/debian/patches/CVE-2021-23434.patch 
@@ -0,0 +1,67 @@ +Description: Fix prototype pollution when path components are not strings +Author: Mario Casciaro https://github.com/mariocasciaro/object-path/commit/7bdf4abef +Bug: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-17 + +--- a/index.js b/index.js +@@ -111,6 +111,9 @@ + return set(obj, path.split('.').map(getKey), value, doNotReplace); + } + var currentPath = path[0]; ++ if (typeof currentPath !== 'string' && typeof currentPath !== 'number') { ++currentPath = String(currentPath) ++ } + var currentValue = getShallowProperty(obj, currentPath); + if (options.includeInheritedProps && (currentPath === '__proto__' || + (currentPath === 'constructor' && typeof currentValue === 'function'))) { +--- a/test.js b/test.js +@@ -241,12 +241,18 @@ + objectPath.set({}, '__proto__.injected', 'this is bad') + expect(Object.prototype.injected).to.be.undefined + ++objectPath.set({}, [['__proto__'], 'injected'], 'this is bad') ++expect(Object.prototype.injected).to.be.undefined ++ + function Clazz() {} + Clazz.prototype.test = 'original' + + objectPath.set(new Clazz(), '__proto__.test', 'this is bad') + expect(Clazz.prototype.test).to.be.equal('original') + ++objectPath.set(new Clazz(), [['__proto__'], 'test'], 'this is bad') ++expect(Clazz.prototype.test).to.be.equal('original') ++ + objectPath.set(new Clazz(), 'constructor.prototype.test', 'this is bad') + expect(Clazz.prototype.test).to.be.equal('original') + }) +@@ -256,6 +262,11 @@ + .to.throw('For security reasons') + expect(Object.prototype.injected).to.be.undefined + ++expect(function() { ++ objectPath.withInheritedProps.set({}, [['__proto__'], 'injected'], 'this is bad') ++ expect(Object.prototype.injected).to.be.undefined ++}).to.throw('For security reasons') ++ + function Clazz() {} + Clazz.prototype.test = 'original' + +@@ -267,8 +278,11 @@ + .to.throw('For security reasons') + expect(Clazz.prototype.test).to.be.equal('original') + +-const obj = 
{} +-expect(function() {objectPath.withInheritedProps.set(obj, 'constructor.prototype.injected', 'this is OK')}) ++expect(function() {objectPath.withInheritedProps.set({}, 'constructor.prototype.injected', 'this is OK')}) ++ .to.throw('For security reasons') ++expect(Object.prototype.injected).to.be.undefined ++ ++expect(function() {objectPath.withInheritedProps.set({}, [['constructor'], 'prototype', 'injected'], 'this is bad')}) + .to.throw('For security reasons') + expect(Object.prototype.injected).to.be.undefined + }) diff --git a/debian/patches/CVE-2021-3805.patch b/debian/patches/CVE-2021-3805.patch new file mode 100644 index 000..daa56ff --- /dev/null +++ b/debian/patches/CVE-2021-3805.patch @@ -0,0 +1,837 @@ +Description: Fix prototype pollution vulnerability +Author: Mario Casciaro +Origin: upstream, https://github.com/mariocasciaro/object-path/commit/4f0903fd7 +Bug: https://huntr.dev/bounties/571e3baf-7c46-46e3-9003-ba7e4e623053 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-17 + +--- a/README.md
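Review bot: in the test.js hunk `+@@ -256,6 +262,11 @@`, the added `expect(Object.prototype.injected).to.be.undefined` sits inside the function passed to `expect(...).to.throw(...)`; because the preceding `objectPath.withInheritedProps.set(...)` throws, that line never executes and the assertion is dead. Move it after the `.to.throw('For security reasons')` line, as the neighbouring existing tests do. The index.js change itself looks right: `String(['__proto__'])` is `'__proto__'`, the same key property access would coerce to, so the existing `__proto__`/`constructor` check now sees the key the engine would actually use.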
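The class of bug fixed by the CVE-2021-23434 patch above, as an added example that is not code from node-object-path or from the Debian patch: a naive "set by dotted path" helper beside a hardened one. The naive version walks whatever components it is handed, so a nested-array component such as `[['__proto__'], 'injected']` is coerced to `'__proto__'` by the property access itself and the write lands on `Object.prototype`. The hardened version coerces every component to a string first, so the denylist sees the same key the engine would use, refuses `__proto__`, `constructor` and `prototype` outright (more conservative than object-path, which only blocks `constructor` when it resolves to a function), and only descends into own properties. `naiveSet`, `safeSet`, `normalizePath`, `demonstrate` and the error text are this example's own names.

```javascript
// Added example (not node-object-path's code): naive vs. hardened path setter.
// The denylist is deliberately stricter than the library's own check.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive implementation: no key checks; a non-string component such as
// ['__proto__'] reaches the property access unchanged and is coerced there.
function naiveSet(obj, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  let node = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    if (node[key] === undefined) node[key] = {};
    node = node[key]; // for key ['__proto__'] this is Object.prototype
  }
  node[parts[parts.length - 1]] = value;
  return obj;
}

// Coerce every component to a string exactly as property access would,
// so the check below sees the real key (String(['__proto__']) === '__proto__').
function normalizePath(path) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  return parts.map((p) => String(p));
}

// Hardened implementation: reject prototype-chain keys before any write and
// never descend through an inherited property.
function safeSet(obj, path, value) {
  const parts = normalizePath(path);
  for (const key of parts) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`For security reasons, path component "${key}" is not allowed`);
    }
  }
  let node = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const key = parts[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    // Replace anything that is not an own, non-null object with a fresh container.
    if (!own || node[key] === null || typeof node[key] !== 'object') {
      node[key] = {};
    }
    node = node[key];
  }
  node[parts[parts.length - 1]] = value;
  return obj;
}

// Runs both variants against the nested-array path from the upstream test case
// and reports what happened, cleaning up any pollution the naive variant caused.
function demonstrate() {
  const results = {};
  naiveSet({}, [['__proto__'], 'injected'], 'polluted');
  results.naivePolluted = ({}).injected === 'polluted'; // true: prototype was written
  delete Object.prototype.injected;                      // undo the pollution
  results.safeThrew = false;
  try {
    safeSet({}, [['__proto__'], 'injected'], 'polluted');
  } catch (e) {
    results.safeThrew = /For security reasons/.test(e.message);
  }
  results.stillClean = ({}).injected === undefined;      // true: nothing leaked
  results.normalSet = safeSet({}, 'a.b.c', 1);           // { a: { b: { c: 1 } } }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demonstrate());
}
```

Running the block prints `naivePolluted: true` and `safeThrew: true`, which is the whole point: the only difference between the two setters is that the hardened one normalises keys before checking them.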
Bug#994540: transition: imagemagick
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: transition Imagemagick changes some internal structures. Upstream bumped the SONAME (safe), so this is a request for a rebuild. Ben file:
title = "imagemagick";
is_affected = .depends ~ "(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)" | .depends ~ "(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_good = .depends ~ "(?:libmagickcore-6.q[^-]+-7|libmagickwand-6.q[^-]+-7|libmagick++-6.q[^-]+-9)";
is_bad = .depends ~ "(?:libmagickcore-6.q[^-]+-6|libmagickwand-6.q[^-]+-6|libmagick++-6.q[^-]+-8)";