Bug#927959: unblock: node-fresh/0.2.0-2
On 26/04/2019 at 17:43, Xavier wrote:
> On 26/04/2019 at 17:41, Xavier wrote:
>> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian@packages.debian.org
>>> Usertags: unblock
>>>
>>> Please unblock package node-fresh
>>>
>>> Hi all,
>>>
>>> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
>>> due to Node.js regexp parsing DDOS. I imported and adapted the upstream
>>> patch to work around this issue and enabled upstream tests in both build
>>> and autopkgtest. Full changes:
>>>  * Declare compliance with policy 4.3.0
>>>  * Change section to javascript
>>>  * Change priority to optional
>>>  * Add upstream/metadata
>>>  * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>>  * Fix and enable upstream test using pkg-js-tools
>>>  * Fix VCS fields
>>>  * Fix copyright format URL
>>>
>>> Reverse dependencies:
>>>  - node-serve-favicon
>>>  - node-send -+
>>>               +-> node-serve-static -+
>>>  - node-express <--------------------+
>>>
>>> I enabled upstream tests to verify that there is no regression and tested
>>> build and tests of node-serve-static, node-send and node-express (using
>>> additional needed modules). I plan to upload a new node-express in
>>> experimental with tests enabled to see any autopkgtest regression.
>>>
>>> Cheers,
>>> Xavier
>>>
>>> unblock node-fresh/0.2.0-2
>>
>> node-express builds well with upstream tests enabled and node-fresh
>> 0.2.0-2 (see
>> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)
>
> NB: test timeout is too short, so build2 failed sometimes.

autopkgtest also succeeds:
https://ci.debian.net/data/autopkgtest/unstable/amd64/n/node-express/2303232/log.gz
[node-express from experimental with node-fresh 0.2.0-2]
Bug#927959: unblock: node-fresh/0.2.0-2
On 25/04/2019 at 15:35, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
>
> Please unblock package node-fresh
>
> Hi all,
>
> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
> due to Node.js regexp parsing DDOS. I imported and adapted the upstream
> patch to work around this issue and enabled upstream tests in both build
> and autopkgtest. Full changes:
>  * Declare compliance with policy 4.3.0
>  * Change section to javascript
>  * Change priority to optional
>  * Add upstream/metadata
>  * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>  * Fix and enable upstream test using pkg-js-tools
>  * Fix VCS fields
>  * Fix copyright format URL
>
> Reverse dependencies:
>  - node-serve-favicon
>  - node-send -+
>               +-> node-serve-static -+
>  - node-express <--------------------+
>
> I enabled upstream tests to verify that there is no regression and tested
> build and tests of node-serve-static, node-send and node-express (using
> additional needed modules). I plan to upload a new node-express in
> experimental with tests enabled to see any autopkgtest regression.
>
> Cheers,
> Xavier
>
> unblock node-fresh/0.2.0-2

node-express builds well with upstream tests enabled and node-fresh
0.2.0-2 (see
https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)
Bug#927959: unblock: node-fresh/0.2.0-2
On 26/04/2019 at 17:41, Xavier wrote:
> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package node-fresh
>>
>> Hi all,
>>
>> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
>> due to Node.js regexp parsing DDOS. I imported and adapted the upstream
>> patch to work around this issue and enabled upstream tests in both build
>> and autopkgtest. Full changes:
>>  * Declare compliance with policy 4.3.0
>>  * Change section to javascript
>>  * Change priority to optional
>>  * Add upstream/metadata
>>  * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>  * Fix and enable upstream test using pkg-js-tools
>>  * Fix VCS fields
>>  * Fix copyright format URL
>>
>> Reverse dependencies:
>>  - node-serve-favicon
>>  - node-send -+
>>               +-> node-serve-static -+
>>  - node-express <--------------------+
>>
>> I enabled upstream tests to verify that there is no regression and tested
>> build and tests of node-serve-static, node-send and node-express (using
>> additional needed modules). I plan to upload a new node-express in
>> experimental with tests enabled to see any autopkgtest regression.
>>
>> Cheers,
>> Xavier
>>
>> unblock node-fresh/0.2.0-2
>
> node-express builds well with upstream tests enabled and node-fresh
> 0.2.0-2 (see
> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)

NB: test timeout is too short, so build2 failed sometimes.
Bug#927959: unblock: node-fresh/0.2.0-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package node-fresh

Hi all,

node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
due to Node.js regexp parsing DDOS. I imported and adapted the upstream
patch to work around this issue and enabled upstream tests in both build
and autopkgtest. Full changes:
 * Declare compliance with policy 4.3.0
 * Change section to javascript
 * Change priority to optional
 * Add upstream/metadata
 * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
 * Fix and enable upstream test using pkg-js-tools
 * Fix VCS fields
 * Fix copyright format URL

Reverse dependencies:
 - node-serve-favicon
 - node-send -+
              +-> node-serve-static -+
 - node-express <--------------------+

I enabled upstream tests to verify that there is no regression and tested
build and tests of node-serve-static, node-send and node-express (using
additional needed modules). I plan to upload a new node-express in
experimental with tests enabled to see any autopkgtest regression.

Cheers,
Xavier

unblock node-fresh/0.2.0-2

diff --git a/debian/changelog b/debian/changelog index e827b8b..6a067b4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +node-fresh (0.2.0-2) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.3.0 + * Change section to javascript + * Change priority to optional + * Add upstream/metadata + * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119) + * Fix and enable upstream test using pkg-js-tools + * Fix VCS fields + * Fix copyright format URL + + -- Xavier Guimard Thu, 25 Apr 2019 12:23:28 +0200 + node-fresh (0.2.0-1) unstable; urgency=low * Initial release (Closes: #727797) diff --git a/debian/control b/debian/control index ebd5a5e..efddc65 100644 --- a/debian/control +++ b/debian/control
@@ -1,16 +1,19 @@ Source: node-fresh -Section: web -Priority: extra +Section: javascript +Priority: optional Maintainer: Debian Javascript Maintainers Uploaders: Jérémy Lal +Testsuite: autopkgtest-pkg-nodejs Build-Depends: debhelper (>= 8.0.0) , dh-buildinfo + , mocha , nodejs -Standards-Version: 3.9.4 + , pkg-js-tools +Standards-Version: 4.3.0 +Vcs-Browser: https://salsa.debian.org/js-team/node-fresh +Vcs-Git: https://salsa.debian.org/js-team/node-fresh.git Homepage: https://github.com/visionmedia/node-fresh -Vcs-Git: git://anonscm.debian.org/collab-maint/node-fresh.git -Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/node-fresh.git Package: node-fresh Architecture: all @@ -23,4 +26,3 @@ Description: Check client cache staleness using HTTP headers - Node.js module determine if the client requesting the resource has a stale or fresh cache. . Node.js is an event-based server-side javascript engine. - diff --git a/debian/copyright b/debian/copyright index 0c7fd09..af7dcf0 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: fresh Files: * @@ -25,4 +25,3 @@ License: Expat ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - diff --git a/debian/patches/CVE-2017-16119.diff b/debian/patches/CVE-2017-16119.diff new file mode 100644 index 000..6461542 --- /dev/null +++ b/debian/patches/CVE-2017-16119.diff 
@@ -0,0 +1,85 @@ +Description: Fix for CVE-2017-16119 +Author: Xavier Guimard +Origin: upstream, https://github.com/jshttp/fresh/commit/21a0f0c2a5f447e0d40bc16be0c23fa98a7b46ec +Bug: https://www.npmjs.com/advisories/526 +Bug-Debian: https://bugs.debian.org/927715 +Forwarded: not-needed +Last-Update: 2019-04-25 + +--- a/index.js b/index.js +@@ -36,11 +36,27 @@ + // check for no-cache cache request directive + if (cc && cc.indexOf('no-cache') !== -1) return false; + +- // parse if-none-match +- if (noneMatch) noneMatch = noneMatch.split(/ *, */); ++ // parse if-none-match and etag ++ if (noneMatch && noneMatch !== '*') { + +- // if-none-match +- if (noneMatch) etagMatches = ~noneMatch.indexOf(etag) || '*' == noneMatch[0]; ++if (!etag) { ++ return false ++} ++ ++var etagStale = true ++var matches = parseTokenList(noneMatch) ++for (var i = 0; i < matches.length; i++) { ++ var match = matches[i] ++ if (match === etag || match === 'W/' + etag || 'W/' + match === etag) { ++etagStale = false ++break ++ } ++} ++ ++if (etagStale) { ++ return false ++} ++ } + + // if-modified-since + if (modifiedSince) { +@@ -50,4 +66,40 @@ + } + + return !! (etagMatches && notModified); +-} +\ No newline at end of file ++} ++ ++/** ++ * Parse a HTTP token list. ++ * ++ * @param {string} str ++ * @private ++ */ ++ ++function
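Review bot: in the index.js part of debian/patches/CVE-2017-16119.diff, the second hunk (`@@ -50,4 +66,40 @@`) keeps `return !! (etagMatches && notModified);` while the first hunk removed the only assignment to `etagMatches` (`- if (noneMatch) etagMatches = ~noneMatch.indexOf(etag) || '*' == noneMatch[0];`) and now returns `false` straight from the new `if (etagStale) { return false }` branch. After this patch `etagMatches` never changes from its initial value, so either drop the variable and return `!!notModified`, or say in the patch header that it is left in place to stay close to the upstream commit. The quoted file also stops right after `function`, before the body of `parseTokenList`, so the replacement for the removed `split(/ *, */)` (the line that actually carried the regexp DoS) cannot be reviewed from this excerpt and should be checked against the upstream commit given in `Origin:`.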
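The regexp problem the request refers to, shown in working code as an added example (this is neither node-fresh's own code nor part of Xavier's patch): the pre-fix parse `str.split(/ *, */)` next to a single-pass parser, a timing helper to watch the quadratic blow-up on an If-None-Match value made only of spaces, and the strong/weak ETag comparison in the shape the patched hunk uses. It assumes Node.js (for `process.hrtime`); every header value is constructed for the demo, and `parseTokenListLinear`, `ifNoneMatchMatches`, `timeParseMs` and `spaces` are names chosen here, not upstream ones.

```javascript
'use strict';

// Pre-fix behaviour (node-fresh 0.2.0): split If-None-Match on a regexp.
// On a value of N spaces and no comma the engine matches ` *` greedily,
// fails on `,`, gives the spaces back one at a time, then retries from the
// next position, so the work grows with N^2.
function parseTokenListRegexp(str) {
  return str.split(/ *, */);
}

// Single-pass replacement written for this example: scan once, cut at
// each comma, and strip the spaces around each token by index arithmetic.
// No backtracking, so the cost is linear in the header length.
// Note: unlike the regexp version it also strips spaces at the very start
// and end of the value (" a , b " gives ["a", "b"], not [" a", "b "]).
function parseTokenListLinear(str) {
  var tokens = [];
  var start = 0;
  for (var i = 0; i <= str.length; i++) {
    if (i === str.length || str.charCodeAt(i) === 0x2c /* , */) {
      var s = start;
      var e = i;
      while (s < e && str.charCodeAt(s) === 0x20) s++;
      while (e > s && str.charCodeAt(e - 1) === 0x20) e--;
      tokens.push(str.substring(s, e));
      start = i + 1;
    }
  }
  return tokens;
}

// ETag comparison as the patched hunk does it: a token matches the response
// ETag if it is identical, or if either side is the weak form (W/"...") of
// the other. "*" matches any current representation; no ETag means no match.
function ifNoneMatchMatches(noneMatch, etag) {
  if (noneMatch === '*') return true;
  if (!etag) return false;
  var matches = parseTokenListLinear(noneMatch);
  for (var i = 0; i < matches.length; i++) {
    var m = matches[i];
    if (m === etag || m === 'W/' + etag || 'W/' + m === etag) return true;
  }
  return false;
}

// Wall-clock time of one parse, in milliseconds.
function timeParseMs(parse, value) {
  var t0 = process.hrtime();
  parse(value);
  var d = process.hrtime(t0);
  return d[0] * 1e3 + d[1] / 1e6;
}

// Constructed adversarial header value: N spaces, no comma.
function spaces(n) {
  return new Array(n + 1).join(' ');
}

// Demo: doubling N roughly quadruples the regexp time, while the linear
// parser stays flat. Guarded so the functions can also be imported.
if (typeof require !== 'undefined' && require.main === module) {
  [2000, 4000, 8000, 16000].forEach(function (n) {
    var v = spaces(n);
    console.log(n + ' spaces: regexp ' +
      timeParseMs(parseTokenListRegexp, v).toFixed(1) + ' ms, linear ' +
      timeParseMs(parseTokenListLinear, v).toFixed(1) + ' ms');
  });
  console.log('W/"abc" vs "abc":', ifNoneMatchMatches('W/"abc", "def"', '"abc"'));
}
```

Run it with `node` and compare the two columns; the absolute numbers depend on the machine, but the growth pattern is what matters. The timing helper is deliberately not asserted on, since the point a reviewer wants pinned down is that the linear parser returns the same token list as the regexp on well-formed headers and that the weak/strong comparison behaves as in the hunk.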