Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-26 Thread Xavier
On 26/04/2019 at 17:43, Xavier wrote:
> On 26/04/2019 at 17:41, Xavier wrote:
>> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian@packages.debian.org
>>> Usertags: unblock
>>>
>>> Please unblock package node-fresh
>>>
>>> Hi all,
>>>
>>> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
>>> due to Node.js regexp parsing DDoS. I imported and adapted the upstream
>>> patch to work around this issue and enabled upstream tests in both the
>>> build and autopkgtest. Full changes:
>>>   * Declare compliance with policy 4.3.0
>>>   * Change section to javascript
>>>   * Change priority to optional
>>>   * Add upstream/metadata
>>>   * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>>   * Fix and enable upstream test using pkg-js-tools
>>>   * Fix VCS fields
>>>   * Fix copyright format URL
>>>
>>> Reverse dependencies:
>>>  - node-serve-favicon
>>>  - node-send -+
>>>   +-> node-serve-static -+
>>>  - node-express <-+
>>>
>>> I enabled upstream tests to verify that there is no regression, and tested
>>> the build and tests of node-serve-static, node-send and node-express (using
>>> the additional modules needed). I plan to upload a new node-express to
>>> experimental with tests enabled, to see autopkgtest regressions if any.
>>>
>>> Cheers,
>>> Xavier
>>>
>>> unblock node-fresh/0.2.0-2
>>
>> node-express builds well with upstream tests enabled and node-fresh
>> 0.2.0-2 (see
>> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)
> 
> NB: the test timeout is too short, so build2 sometimes failed.

autopkgtest also succeeds:
https://ci.debian.net/data/autopkgtest/unstable/amd64/n/node-express/2303232/log.gz
[node-express from experimental with node-fresh 0.2.0-2]
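The If-None-Match handling that the unblock request and its patch describe, written out as an added example (my own code, not node-fresh's or upstream fresh's): `parseTokenList` is a one-pass scanner standing in for the `split(/ *, */)` regex the CVE concerns, and `fresh` applies the same weak/strong ETag and `*` rules as the adapted patch. The lower-cased header object shape and the `Date.parse` handling of If-Modified-Since are my assumptions about the 0.2.0 call signature.

```javascript
'use strict';
// Added example, not node-fresh's code. One-pass scanner standing in for
// `noneMatch.split(/ *, */)`: that regex re-scans the same run of spaces from
// every start position (quadratic); this loop touches each character once.
function parseTokenList(str) {
  const list = [];
  let start = 0, end = 0;
  for (let i = 0; i < str.length; i++) {
    const c = str.charCodeAt(i);
    if (c === 0x20) {                 // space: skip if leading, trim if trailing
      if (start === end) start = end = i + 1;
    } else if (c === 0x2c) {          // comma: close the current token
      if (start !== end) list.push(str.substring(start, end));
      start = end = i + 1;
    } else {
      end = i + 1;
    }
  }
  if (start !== end) list.push(str.substring(start, end));
  return list;
}

// Freshness check in the shape of the patched 0.2.0 index.js. Headers are
// plain objects with lower-cased names (assumed, as node's req.headers gives).
function fresh(reqHeaders, resHeaders) {
  const modifiedSince = reqHeaders['if-modified-since'];
  const noneMatch = reqHeaders['if-none-match'];
  const cc = reqHeaders['cache-control'];

  if (!modifiedSince && !noneMatch) return false;        // unconditional request
  if (cc && cc.indexOf('no-cache') !== -1) return false; // end-to-end reload

  if (noneMatch && noneMatch !== '*') {                  // '*' matches any etag
    const etag = resHeaders['etag'];
    if (!etag) return false;
    // weak comparison: "x" and W/"x" match each other (RFC 7232 section 2.3.2)
    const hit = parseTokenList(noneMatch).some(
      (m) => m === etag || m === 'W/' + etag || 'W/' + m === etag);
    if (!hit) return false;
  }

  if (modifiedSince) {
    const lastModified = Date.parse(resHeaders['last-modified']);
    const since = Date.parse(modifiedSince);
    // a missing or unparsable Last-Modified is NaN here and counts as stale
    if (!(lastModified <= since)) return false;
  }
  return true;
}
```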



Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-26 Thread Xavier
On 25/04/2019 at 15:35, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-fresh
> 
> Hi all,
> 
> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
> due to Node.js regexp parsing DDoS. I imported and adapted the upstream
> patch to work around this issue and enabled upstream tests in both the
> build and autopkgtest. Full changes:
>   * Declare compliance with policy 4.3.0
>   * Change section to javascript
>   * Change priority to optional
>   * Add upstream/metadata
>   * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>   * Fix and enable upstream test using pkg-js-tools
>   * Fix VCS fields
>   * Fix copyright format URL
> 
> Reverse dependencies:
>  - node-serve-favicon
>  - node-send -+
>   +-> node-serve-static -+
>  - node-express <-+
> 
> I enabled upstream tests to verify that there is no regression, and tested
> the build and tests of node-serve-static, node-send and node-express (using
> the additional modules needed). I plan to upload a new node-express to
> experimental with tests enabled, to see autopkgtest regressions if any.
> 
> Cheers,
> Xavier
> 
> unblock node-fresh/0.2.0-2

node-express builds well with upstream tests enabled and node-fresh
0.2.0-2 (see
https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)



Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-26 Thread Xavier
On 26/04/2019 at 17:41, Xavier wrote:
> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package node-fresh
>>
>> Hi all,
>>
>> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
>> due to Node.js regexp parsing DDoS. I imported and adapted the upstream
>> patch to work around this issue and enabled upstream tests in both the
>> build and autopkgtest. Full changes:
>>   * Declare compliance with policy 4.3.0
>>   * Change section to javascript
>>   * Change priority to optional
>>   * Add upstream/metadata
>>   * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>   * Fix and enable upstream test using pkg-js-tools
>>   * Fix VCS fields
>>   * Fix copyright format URL
>>
>> Reverse dependencies:
>>  - node-serve-favicon
>>  - node-send -+
>>   +-> node-serve-static -+
>>  - node-express <-+
>>
>> I enabled upstream tests to verify that there is no regression, and tested
>> the build and tests of node-serve-static, node-send and node-express (using
>> the additional modules needed). I plan to upload a new node-express to
>> experimental with tests enabled, to see autopkgtest regressions if any.
>>
>> Cheers,
>> Xavier
>>
>> unblock node-fresh/0.2.0-2
> 
> node-express builds well with upstream tests enabled and node-fresh
> 0.2.0-2 (see
> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)

NB: the test timeout is too short, so build2 sometimes failed.



Bug#927959: unblock: node-fresh/0.2.0-2

2019-04-25 Thread Xavier Guimard
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock

Please unblock package node-fresh

Hi all,

node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
due to Node.js regexp parsing DDoS. I imported and adapted the upstream
patch to work around this issue and enabled upstream tests in both the
build and autopkgtest. Full changes:
  * Declare compliance with policy 4.3.0
  * Change section to javascript
  * Change priority to optional
  * Add upstream/metadata
  * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
  * Fix and enable upstream test using pkg-js-tools
  * Fix VCS fields
  * Fix copyright format URL

Reverse dependencies:
 - node-serve-favicon
 - node-send -+
   +-> node-serve-static -+
 - node-express <-+

I enabled upstream tests to verify that there is no regression, and tested
the build and tests of node-serve-static, node-send and node-express (using
the additional modules needed). I plan to upload a new node-express to
experimental with tests enabled, to see autopkgtest regressions if any.

Cheers,
Xavier

unblock node-fresh/0.2.0-2
diff --git a/debian/changelog b/debian/changelog
index e827b8b..6a067b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+node-fresh (0.2.0-2) unstable; urgency=medium
+
+  * Team upload
+  * Declare compliance with policy 4.3.0
+  * Change section to javascript
+  * Change priority to optional
+  * Add upstream/metadata
+  * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
+  * Fix and enable upstream test using pkg-js-tools
+  * Fix VCS fields
+  * Fix copyright format URL
+
+ -- Xavier Guimard   Thu, 25 Apr 2019 12:23:28 +0200
+
 node-fresh (0.2.0-1) unstable; urgency=low
 
   * Initial release (Closes: #727797)
diff --git a/debian/control b/debian/control
index ebd5a5e..efddc65 100644
--- a/debian/control
+++ b/debian/control
@@ -1,16 +1,19 @@
 Source: node-fresh
-Section: web
-Priority: extra
+Section: javascript
+Priority: optional
 Maintainer: Debian Javascript Maintainers 

 Uploaders: Jérémy Lal 
+Testsuite: autopkgtest-pkg-nodejs
 Build-Depends:
  debhelper (>= 8.0.0)
  , dh-buildinfo
+ , mocha
  , nodejs
-Standards-Version: 3.9.4
+ , pkg-js-tools
+Standards-Version: 4.3.0
+Vcs-Browser: https://salsa.debian.org/js-team/node-fresh
+Vcs-Git: https://salsa.debian.org/js-team/node-fresh.git
 Homepage: https://github.com/visionmedia/node-fresh
-Vcs-Git: git://anonscm.debian.org/collab-maint/node-fresh.git
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/node-fresh.git
 
 Package: node-fresh
 Architecture: all
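Review bot: Standards-Version jumps from 3.9.4 to 4.3.0 in this hunk while the `debhelper (>= 8.0.0)` build-dependency is left as it was; if debian/compat is still at 8, consider raising the compat level and the versioned build-dependency in the same upload rather than only the policy claim, since a compat level that old is well behind what current debhelper supports. Also worth a quick check: with `Testsuite: autopkgtest-pkg-nodejs` and `mocha` now in Build-Depends, the build-time and autopkgtest runs exercise the same upstream test files, so a timeout tuned for one will apply to the other as well.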
@@ -23,4 +26,3 @@ Description: Check client cache staleness using HTTP headers 
- Node.js module
  determine if the client requesting the resource has a stale or fresh cache.
  .
  Node.js is an event-based server-side javascript engine.
-
diff --git a/debian/copyright b/debian/copyright
index 0c7fd09..af7dcf0 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Upstream-Name: fresh
 
 Files: *
@@ -25,4 +25,3 @@ License: Expat
  ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  SOFTWARE.
-
diff --git a/debian/patches/CVE-2017-16119.diff 
b/debian/patches/CVE-2017-16119.diff
new file mode 100644
index 000..6461542
--- /dev/null
+++ b/debian/patches/CVE-2017-16119.diff
@@ -0,0 +1,85 @@
+Description: Fix for CVE-2017-16119
+Author: Xavier Guimard 
+Origin: upstream, 
https://github.com/jshttp/fresh/commit/21a0f0c2a5f447e0d40bc16be0c23fa98a7b46ec
+Bug: https://www.npmjs.com/advisories/526
+Bug-Debian: https://bugs.debian.org/927715
+Forwarded: not-needed
+Last-Update: 2019-04-25
+
+--- a/index.js
 b/index.js
+@@ -36,11 +36,27 @@
+   // check for no-cache cache request directive
+   if (cc && cc.indexOf('no-cache') !== -1) return false;  
+ 
+-  // parse if-none-match
+-  if (noneMatch) noneMatch = noneMatch.split(/ *, */);
++  // parse if-none-match and etag
++  if (noneMatch && noneMatch !== '*') {
+ 
+-  // if-none-match
+-  if (noneMatch) etagMatches = ~noneMatch.indexOf(etag) || '*' == 
noneMatch[0];
++if (!etag) {
++  return false
++}
++
++var etagStale = true
++var matches = parseTokenList(noneMatch)
++for (var i = 0; i < matches.length; i++) {
++  var match = matches[i]
++  if (match === etag || match === 'W/' + etag || 'W/' + match === etag) {
++etagStale = false
++break
++  }
++}
++
++if (etagStale) {
++  return false
++}
++  }
+ 
+   // if-modified-since
+   if (modifiedSince) {
+@@ -50,4 +66,40 @@
+   }
+ 
+   return !! (etagMatches && notModified);
+-}
+\ No newline at end of file
++}
++
++/**
++ * Parse a HTTP token list.
++ *
++ * @param {string} str
++ * @private
++ */
++
++function
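Review bot: In the adapted `index.js` hunk nothing assigns `etagMatches` any more (the only assignment, `etagMatches = ~noneMatch.indexOf(etag) || '*' == noneMatch[0]`, is removed and the new branch returns `false` directly on a mismatch), so the unchanged `return !! (etagMatches && notModified);` now only reflects `notModified`; either drop `etagMatches` or rewrite the tail as `return !!notModified;` so the next reader does not assume the etag result still feeds the return value. The same hunk also changes behaviour beyond the regex fix: `match === 'W/' + etag || 'W/' + match === etag` lets weak and strong validators match each other, and `noneMatch !== '*'` skips the etag check for a bare `*` where the old code only honoured `*` as the first token, which is reasonable but deserves a line in the patch Description. Note that the second hunk is cut off after `+function` in this copy, so whether `parseTokenList` really avoids `/ *, */` cannot be checked from the visible lines.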