Re: [Pkg-javascript-devel] Bug#863481: Bug#863481: [node-concat-stream] Uninitialized Memory Exposure
Hi Bastien,

On 05/27/2017 09:47 PM, roucaries bastien wrote:
> I can do it but I do not know which is the best:
> - let 1.6 go to unstable
> - patch old version
>
> Could you ask the release team?
>
> The debdiff between the two versions is so small that I have doubts.

I had almost finished the email to the release team, when I did some final checks. And whilst I agree the unrelated changes upstream are very small, I unfortunately enabled the testsuite in 1.6 (in experimental) now that node-tape is available in unstable. As node-tape is not available in testing (stretch), I would have to disable the tests when moving to unstable.

All in all, I think it will be easier to create a stretch branch in git & add a patch, which will also make the unblocking process easier. I will work on that today. But if I run out of time, please feel free to take it forward.

Regards,

Ross

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Processing of node-readable-stream_2.2.9-1_amd64.changes
node-readable-stream_2.2.9-1_amd64.changes uploaded successfully to localhost along with the files:
  node-readable-stream_2.2.9-1.dsc
  node-readable-stream_2.2.9.orig.tar.gz
  node-readable-stream_2.2.9-1.debian.tar.xz
  node-readable-stream_2.2.9-1_all.deb
  node-readable-stream_2.2.9-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
[Pkg-javascript-devel] node-create-hmac_1.1.4-2_source.changes REJECTED
node-create-hmac_1.1.4-2.dsc: Invalid size hash for node-create-hmac_1.1.4.orig.tar.gz: According to the control file the size hash should be 1990, but node-create-hmac_1.1.4.orig.tar.gz has 1978.

If you did not include node-create-hmac_1.1.4.orig.tar.gz in your upload, a different version might already be known to the archive software.

===

Please feel free to respond to this email if you don't understand why your files were rejected, or if you upload new files which address our concerns.
[Pkg-javascript-devel] node-readable-stream_2.2.9-1_amd64.changes is NEW
binary:node-readable-stream is NEW.
binary:node-readable-stream is NEW.
source:node-readable-stream is NEW.

Your package has been put into the NEW queue, which requires manual action from the ftpteam to process. The upload was otherwise valid (it had a good OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
or https://ftp-master.debian.org/backports-new.html for *-backports
[Pkg-javascript-devel] Processing of node-create-hmac_1.1.4-2_source.changes
node-create-hmac_1.1.4-2_source.changes uploaded successfully to localhost along with the files:
  node-create-hmac_1.1.4-2.dsc
  node-create-hmac_1.1.4-2.debian.tar.xz
  node-create-hmac_1.1.4-2_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
[Pkg-javascript-devel] Processing of node-create-hmac_1.1.4-2_source.changes
node-create-hmac_1.1.4-2_source.changes uploaded successfully to localhost along with the files:
  node-create-hmac_1.1.4-2.dsc
  node-create-hmac_1.1.4-2.debian.tar.xz
  node-create-hmac_1.1.4-2_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
[Pkg-javascript-devel] RFS: node-raw-loader -- raw loader module for webpack
Hello,

I've finished packaging node-raw-loader (a dependency of webpack; ITP #863466), and I'm currently looking for a sponsor for it. If anyone is interested, please let me know!

Alioth SCM: https://anonscm.debian.org/cgit/pkg-javascript/node-raw-loader.git/
Package DSC (mentors.debian.net): https://mentors.debian.net/debian/pool/main/n/node-raw-loader/node-raw-loader_0.5.1-1.dsc

Sincerely,
Daniel Ring
[Pkg-javascript-devel] Bug#863575: unblock: node-concat-stream/1.5.1-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package node-concat-stream

Node-concat-stream is vulnerable to Uninitialized Memory Exposure (CWE-201). This was reported in bug https://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no=863481. This was fixed upstream, and a version of the fixing commit is included in this version as a patch. The patch has been tested with the upstream testsuite, which unfortunately has to be disabled as the testing framework (node-tape) does not exist in testing. More information can be found in the attached debdiff (between testing & unstable), in the patch description.

unblock node-concat-stream/1.5.1-2

-- System Information:
Debian Release: stretch/sid
  APT prefers yakkety-updates
  APT policy: (500, 'yakkety-updates'), (500, 'yakkety-security'), (500, 'yakkety'), (100, 'yakkety-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.4.0-24-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

diff -Nru node-concat-stream-1.5.1/debian/changelog node-concat-stream-1.5.1/debian/changelog --- node-concat-stream-1.5.1/debian/changelog 2015-11-08 17:03:58.0 +0100 +++ node-concat-stream-1.5.1/debian/changelog 2017-05-28 16:19:49.0 +0200 @@ -1,3 +1,12 @@ +node-concat-stream (1.5.1-2) unstable; urgency=high + + * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201 +(Closes: #863481) + * Use stretch git branch + * Use Ubuntu email address + + -- Ross GammonSun, 28 May 2017 16:19:49 +0200 + node-concat-stream (1.5.1-1) unstable; urgency=low * Initial release (Closes: #796351) diff -Nru node-concat-stream-1.5.1/debian/control node-concat-stream-1.5.1/debian/control --- node-concat-stream-1.5.1/debian/control 2015-11-08 17:03:58.0 +0100 +++ node-concat-stream-1.5.1/debian/control 2017-05-28 16:19:49.0 +0200 
@@ -2,13 +2,13 @@ Section: web Priority: optional Maintainer: Debian Javascript Maintainers -Uploaders: Ross Gammon +Uploaders: Ross Gammon Build-Depends: debhelper (>= 9), dh-buildinfo, nodejs Standards-Version: 3.9.6 Homepage: https://github.com/maxogden/concat-stream#readme -Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git +Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch Vcs-Browser: https://anonscm.debian.org/cgit/pkg-javascript/node-concat-stream.git Package: node-concat-stream diff -Nru node-concat-stream-1.5.1/debian/gbp.conf node-concat-stream-1.5.1/debian/gbp.conf --- node-concat-stream-1.5.1/debian/gbp.conf 2015-11-08 17:03:58.0 +0100 +++ node-concat-stream-1.5.1/debian/gbp.conf 2017-05-28 16:19:49.0 +0200 @@ -6,7 +6,7 @@ # The default name for the Debian branch is "master". # Change it if the name is different (for instance, "debian/unstable"). -debian-branch = master +debian-branch = stretch # git-import-orig uses the following names for the upstream tags. # Change the value if you are not using git-import-orig diff -Nru node-concat-stream-1.5.1/debian/patches/series node-concat-stream-1.5.1/debian/patches/series --- node-concat-stream-1.5.1/debian/patches/series 2015-11-08 17:03:58.0 +0100 +++ node-concat-stream-1.5.1/debian/patches/series 2017-05-28 16:19:49.0 +0200 @@ -1 +1,2 @@ readable-stream.patch +to-string_numbers.patch diff -Nru node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch --- node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 1970-01-01 01:00:00.0 +0100 +++ node-concat-stream-1.5.1/debian/patches/to-string_numbers.patch 2017-05-28 16:19:49.0 +0200 
@@ -0,0 +1,81 @@ +Description: to-string numbers written to the stream + Node-concat-stream is vulnerable to Uninitialized Memory Exposure. This + possible memory disclosure vulnerability exists when a value of type number + is provided to the stringConcat() method and results in concatination of + uninitialized memory to the stream collection. + This is a result of unobstructed use of the Buffer constructor, whose + insecure default constructor increases the odds of memory leakage. + See https://snyk.io/vuln/npm:concat-stream:20160901 for further details. +Origin: upstream, https://github.com/maxogden/concat-stream/ +Bug: https://github.com/maxogden/concat-stream/issues/55 +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481 +Applied-Upstream: https://github.com/maxogden/concat-stream/pull/47/commits/3e285ba5e5b10b7c98552217f5c1023829efe69e +Last-Update: 2017-05-28 +--- +This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ +--- node-concat-stream.orig/index.js node-concat-stream/index.js +@@ -73,6 +73,10 @@ + return
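Review bot: in the debian/control hunk the new Vcs-Git line still uses the unauthenticated git:// transport (`+Vcs-Git: git://anonscm.debian.org/pkg-javascript/node-concat-stream.git -b stretch`) while the Vcs-Browser line on the same host already uses https; since the line is being touched anyway to add `-b stretch`, consider switching it to an https:// URL for the same repository so that checkouts of the stretch branch are authenticated by the server certificate.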
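Review bot: the index.js part of the to-string_numbers.patch hunk is cut off after `+@@ -73,6 +73,10 @@` / `+ return`, so the actual code change cannot be reviewed from this message; the Applied-Upstream commit named in the DEP-3 header is the reference to compare the shipped patch against before unblocking. The header itself is complete (Origin, Bug, Bug-Debian, Applied-Upstream, Last-Update), but the Description has a typo ("concatination" for "concatenation") that should be corrected since it is copied into the package's patch metadata.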
[Pkg-javascript-devel] Bug#863481: marked as done ([node-concat-stream] Uninitialized Memory Exposure)
Your message dated Sun, 28 May 2017 18:18:33 + with message-id and subject line Bug#863481: fixed in node-concat-stream 1.5.1-2 has caused the Debian Bug report #863481, regarding [node-concat-stream] Uninitialized Memory Exposure to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

-- 
863481: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Package: node-concat-stream
Version: 1.5.1-1
Severity: grave
Tags: patch security fixed-upstream fixed-in-experimental
X-Debbugs-CC: secure-testing-t...@lists.alioth.debian.org
forwarded: https://snyk.io/vuln/npm:concat-stream:20160901

Overview

concat-stream is a writable stream that concatenates strings or binary data and calls a callback with the result.

Affected versions of the package are vulnerable to Uninitialized Memory Exposure. A possible memory disclosure vulnerability exists when a value of type number is provided to the stringConcat() method and results in concatenation of uninitialized memory to the stream collection. This is a result of unobstructed use of the Buffer constructor, whose insecure default constructor increases the odds of memory leakage.
--- End Message ---

--- Begin Message ---
Source: node-concat-stream
Source-Version: 1.5.1-2

We believe that the bug you reported is fixed in the latest version of node-concat-stream, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 863...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ross Gammon (supplier of updated node-concat-stream package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 May 2017 16:19:49 +0200
Source: node-concat-stream
Binary: node-concat-stream
Architecture: source
Version: 1.5.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers
Changed-By: Ross Gammon
Description:
 node-concat-stream - writable stream that concatenates strings
Closes: 863481
Changes:
 node-concat-stream (1.5.1-2) unstable; urgency=high
 .
   * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
     (Closes: #863481)
   * Use stretch git branch
   * Use Ubuntu email address

-----BEGIN PGP SIGNATURE-----
Version:
-----END PGP SIGNATURE-----
--- End Message ---
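The bug report above describes the defect in one sentence: a number handed to the Buffer constructor is taken as an allocation size, so uninitialised memory ends up in the concatenated output instead of the number's digits. As an added example (not code from concat-stream, from the bug report, or from the Debian patch), the block below models that legacy conversion with Buffer.allocUnsafe(), applies the fix idea of stringifying numbers first, and provides a check a maintainer can run against any concat-style collector; all function names and the sample input are assumptions.

```javascript
'use strict';

// Legacy conversion (assumption modelled on the bug report): a number passed to
// the Buffer constructor was treated as a SIZE, so Buffer(4096) handed back 4096
// bytes of whatever the allocator held rather than the text "4096".
// Buffer.allocUnsafe() reproduces that non-zero-filled allocation on current
// Node, where new Buffer(n) itself has been zero-filled since v8.
function legacyToBuffer(value) {
  if (typeof value === 'number') return Buffer.allocUnsafe(value);
  return Buffer.from(value);
}

// Fixed conversion: numbers are turned into their decimal text before being
// converted, so 4096 becomes the four bytes "4096".
function fixedToBuffer(value) {
  if (typeof value === 'number') value = value.toString();
  return Buffer.from(value);
}

// Minimal stand-in for a stringConcat()-style collector; the conversion
// function is injected so the two behaviours can be compared side by side.
function concatParts(parts, toBuffer) {
  return Buffer.concat(parts.map(toBuffer));
}

// Check for maintainers: feed a number in among strings and compare the result
// against the exact expected text.  A length mismatch means the number was
// used as an allocation size, i.e. uninitialised bytes were appended.
function numberLeakCheck(toBuffer) {
  const parts = ['id=', 4096, ';'];          // constructed sample input
  const expected = 'id=4096;';
  const out = concatParts(parts, toBuffer);
  const expectedBytes = Buffer.byteLength(expected);
  return {
    bytes: out.length,
    expectedBytes,
    leaks: out.length !== expectedBytes || out.toString() !== expected,
  };
}

console.log('legacy conversion:', numberLeakCheck(legacyToBuffer));
console.log('fixed conversion: ', numberLeakCheck(fixedToBuffer));
```

The legacy path appends 4096 bytes for the value 4096 (4100 bytes in total), the fixed path appends the 8 bytes of "id=4096;".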
[Pkg-javascript-devel] Processing of node-concat-stream_1.5.1-2_source.changes
node-concat-stream_1.5.1-2_source.changes uploaded successfully to localhost along with the files:
  node-concat-stream_1.5.1-2.dsc
  node-concat-stream_1.5.1-2.debian.tar.xz
  node-concat-stream_1.5.1-2_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)
[Pkg-javascript-devel] node-concat-stream_1.5.1-2_source.changes ACCEPTED into unstable
Accepted:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 May 2017 16:19:49 +0200
Source: node-concat-stream
Binary: node-concat-stream
Architecture: source
Version: 1.5.1-2
Distribution: unstable
Urgency: high
Maintainer: Debian Javascript Maintainers
Changed-By: Ross Gammon
Description:
 node-concat-stream - writable stream that concatenates strings
Closes: 863481
Changes:
 node-concat-stream (1.5.1-2) unstable; urgency=high
 .
   * Apply upstream fix for Uninitialized Memory Exposure weakness CWE-201
     (Closes: #863481)
   * Use stretch git branch
   * Use Ubuntu email address

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

Thank you for your contribution to Debian.
[Pkg-javascript-devel] Processed: limit package to libjs-jquery-tablesorter, found 731095 in 11-3
Processing commands for cont...@bugs.debian.org:

> limit package libjs-jquery-tablesorter
Limiting to bugs with field 'package' containing at least one of 'libjs-jquery-tablesorter'
Limit currently set to 'package':'libjs-jquery-tablesorter'

> # The version of this package in Debian fails for me because
> jquery.tablesorter.pager.js in Debian's tablesorter is not compatible with
> Debian's jquery (3.1.1-2)
> found 731095 11-3
Bug #731095 [libjs-jquery-tablesorter] Please consider switching tablesorter to alternate upstream
Marked as found in versions jquery-goodies/11-3.
> thanks
Stopping processing here.

Please contact me if you need assistance.

-- 
731095: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=731095
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems