Bug#1053895: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici

[ Reason ]
node-undici doesn't clear Cookie and Host headers on cross-origin redirect.

[ Impact ]
Medium security issue

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Drop headers Host/Cookie unless same-origin

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index 92c0de8..168ee34 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium + + * Delete cookie and host headers on cross-origin redirect +(Closes: #1053879, CVE-2023-45143) + + -- Yadd Fri, 13 Oct 2023 22:14:45 +0400 + node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium * Fix security issues (Closes: #1031418): diff --git a/debian/patches/CVE-2023-45143.patch b/debian/patches/CVE-2023-45143.patch new file mode 100644 index 000..c196bd2 --- /dev/null +++ b/debian/patches/CVE-2023-45143.patch 
@@ -0,0 +1,24 @@ +Description: delete 'cookie' and 'host' headers on cross-origin redirect +Author: Khafra +Origin: upstream, https://github.com/nodejs/undici/commit/e041de35 +Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g + https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp +Bug-Debian: https://bugs.debian.org/1053879 +Forwarded: not-needed +Applied-Upstream: 5.26.2, commit:e041de35 +Reviewed-By: Yadd +Last-Update: 2023-10-13 + +--- a/lib/fetch/index.js b/lib/fetch/index.js +@@ -1204,6 +1204,10 @@ + if (!sameOrigin(requestCurrentURL(request), locationURL)) { + // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name + request.headersList.delete('authorization') ++ ++// "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. ++request.headersList.delete('cookie') ++request.headersList.delete('host') + } + + // 14. If request’s body is non-null, then set request’s body to the first return diff --git a/debian/patches/series b/debian/patches/series index ce1440a..297000a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -8,3 +8,4 @@ drop-ssl-tests.patch CVE-2023-23936.patch CVE-2023-24807.patch update-httpbin.org-test-timeout.patch +CVE-2023-45143.patch
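Review bot: the two new `request.headersList.delete(...)` calls in lib/fetch/index.js need a regression test, since [ Tests ] says none is added; a request redirected to a different origin should arrive without `cookie` and `host` on the second hop while a same-origin redirect keeps both. The change itself sits inside the existing `!sameOrigin(requestCurrentURL(request), locationURL)` branch next to the `authorization` deletion, so same-origin redirects are untouched and the fix matches the upstream commit referenced in the Origin field.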
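The header handling the patch above adds, written out as an added example that is not undici's code: a redirect-following client recomputes the header set for the next hop and drops the credential-bearing headers whenever the target origin differs. `sameOrigin`, `headersForRedirect`, `CROSS_ORIGIN_SENSITIVE` and the sample headers are names and data constructed for this example.

```javascript
// Added example (not undici's code): recompute the header set for a redirected
// request so that credential-bearing headers never cross an origin boundary.
// Assumed names: sameOrigin, headersForRedirect, CROSS_ORIGIN_SENSITIVE.

// Two URLs share an origin when scheme, host and port all agree. The WHATWG
// URL parser normalises default ports to '', so https://a/ and https://a:443/
// compare equal.
function sameOrigin(a, b) {
  const x = new URL(a);
  const y = new URL(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Headers that identify the client to the origin that issued them. The patch
// adds 'cookie' and 'host' to the 'authorization' deletion undici already had.
const CROSS_ORIGIN_SENSITIVE = ['authorization', 'cookie', 'host'];

// Build the request for the redirect target. `headers` is a plain object keyed
// by header name in any case; the input object is not mutated.
function headersForRedirect(currentUrl, location, headers) {
  // A Location header may be relative; resolve it against the current URL.
  const target = new URL(location, currentUrl).href;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  if (!sameOrigin(currentUrl, target)) {
    // Cross-origin hop: the cookie/authorization belong to the old origin and
    // Host must be recomputed for the new one, so none of them may be reused.
    for (const name of CROSS_ORIGIN_SENSITIVE) delete out[name];
  }
  return { url: target, headers: out };
}

// Constructed request state: a login request that is answered with a redirect.
const SAMPLE_HEADERS = {
  Host: 'app.example',
  Cookie: 'session=abc123',
  Authorization: 'Bearer t0k3n',
  Accept: 'text/html',
};

console.log(headersForRedirect('https://app.example/login', 'https://cdn.example/next', SAMPLE_HEADERS));
console.log(headersForRedirect('https://app.example/login', '/home', SAMPLE_HEADERS));
```

A scheme change on the same host (https to http) is also a different origin and strips the headers; the first call prints only `accept`, the second keeps all four because `/home` resolves to the same origin.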
Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1
On 10/8/23 16:10, Jonathan Wiltshire wrote:
> Hi,
>
> This request was approved but not uploaded in time for the previous point
> release (11.8). Should it be included in 11.9, or should this request be
> abandoned and closed?

Sorry, I was travelling. I just pushed the update.

Thanks!
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
On 10/8/23 16:04, Jonathan Wiltshire wrote:
> Hi,
>
> This request was approved but not uploaded in time for the previous point
> release (11.8). Should it be included in 11.9, or should this request be
> abandoned and closed?

Sorry, I was travelling. I just pushed the update.

Thanks!
Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2
On 10/8/23 16:03, Jonathan Wiltshire wrote:
> Hi,
>
> This request was approved but not uploaded in time for the previous point
> release (11.8). Should it be included in 11.9, or should this request be
> abandoned and closed?

Sorry, I was travelling. I just pushed the update.

Thanks!
Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
On 10/8/23 15:55, Jonathan Wiltshire wrote:
> Hi,
>
> This request was approved but not uploaded in time for the previous point
> release (11.8). Should it be included in 11.9, or should this request be
> abandoned and closed?

Sorry, I was travelling. I just pushed the update.

Thanks!
Bug#1053220: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u5
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
- an open redirection due to incorrect escape handling
- an open redirection only when configuration is edited by hand and doesn't
  follow OIDC specifications
- a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
  A little-known feature of OIDC allows the OpenID Provider to fetch the
  Authorization request parameters itself by indicating a request_uri
  parameter. This feature is now restricted to a white list using this patch

[ Impact ]
Two low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: use `URI->new($url)->as_string` in each redirection
- OIDC open redirection patch: just rejects requests with `redirect_uri` if
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages request_uri parameter

Cheers,
Yadd

diff --git a/debian/NEWS b/debian/NEWS index c4d7ee951..ba4a14a12 100644 --- a/debian/NEWS +++ b/debian/NEWS 
@@ -1,3 +1,13 @@ +lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium + + A little-know feature of OIDC allows the OpenID Provider to fetch the + Authorization request parameters itself by indicating a request_uri + parameter. + By default, this feature is now restricted to a white list. See + Relying-Party security option to fill this field. + + -- Yadd Fri, 29 Sep 2023 17:38:51 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium AuthBasic now enforces 2FA activation (CVE-2023-28862): diff --git a/debian/changelog b/debian/changelog index 5d2c62ac0..35d5599a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +lemonldap-ng (2.0.11+ds-4+deb11u5) bullseye; urgency=medium + + * Fix open redirection when OIDC RP has no redirect uris + * Fix open redirection due to incorrect escape handling + * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469) + + -- Yadd Fri, 29 Sep 2023 16:35:14 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862) @@ -19,7 +27,7 @@ lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium - * Fix auth process in password-testing plugins (Closes: CVE-2021-20874) + * Fix auth process in password-testing plugins (Closes: #1005302, CVE-2021-40874) -- Yadd Thu, 24 Feb 2022 15:16:09 +0100 diff --git a/debian/clean b/debian/clean index 73f167814..cdb4a5ae4 100644 --- a/debian/clean +++ b/debian/clean @@ -1,3 +1,4 @@ +doc/pages/documentation/current/.buildinfo lemonldap-ng-manager/site/htdocs/static/js/conftree.js lemonldap-ng-manager/site/htdocs/static/struct.json lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch new file mode 100644 index 0..dce756430 --- /dev/null +++ b/debian/patches/SSRF-issue.patch 
@@ -0,0 +1,627 @@ +Description: fix SSRF vulnerability + Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 +Forwarded: not-needed +Applied-Upstream: 2.17.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Reviewed-By: Yadd +Last-Update: 2023-09-23 + +--- a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst +@@ -278,6 +278,11 @@ + the Session Browser. +- **Allow OAuth2.0 Password Grant** (since version ``2.0.8``): Allow the use of the :ref:`Resource Owner Password Credentials Grant ` by this client. This feature only works if you have configured a form-based authentication module. +- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the :ref:`Resource Owner Password Credentials Grant ` by this client. ++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``): ++ which URLs may be called by the portal to fetch the request object (see ++ `request_uri ++ <https://openid.net/specs/openid-connect-core-1_0.html#
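Review bot: typo in the new debian/NEWS entry for 2.0.11+ds-4+deb11u5: `A little-know feature of OIDC` should read `little-known`. Since admins read NEWS to find the new knob, name the field as the doc hunk calls it (`Allowed URLs for fetching Request Object`) rather than the vaguer `Relying-Party security option`.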
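Review bot: the debian/changelog hunk also rewrites the already-released deb11u1 entry (`Closes: CVE-2021-20874` becomes `Closes: #1005302, CVE-2021-40874`). Fixing a wrong CVE id in an old entry is fine, but record it in the new entry too (e.g. `* Fix CVE id in deb11u1 changelog entry`) so the change shows up as intentional to whoever reads the debdiff or the NEWS feed.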
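Review bot: the attached SSRF-issue.patch is cut off in the middle of the first doc hunk (the `request_uri` link ends at `openid-connect-core-1_0.html#`), so the security-relevant parts announced in [ Changes ] (the new request_uris configuration parameter and the changed request_uri handling) and the test updates cannot be reviewed from this debdiff; please re-attach the complete 627-line file.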
Bug#1053219: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u2
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org, y...@debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Two new vulnerabilities have been discovered and fixed in lemonldap-ng:
- an open redirection only when configuration is edited by hand and doesn't
  follow OIDC specifications
- a server-side-request-forgery (CVE-2023-44469) in OIDC protocol:
  A little-known feature of OIDC allows the OpenID Provider to fetch the
  Authorization request parameters itself by indicating a request_uri
  parameter. This feature is now restricted to a white list using this patch

[ Impact ]
One low and one medium security issue.

[ Tests ]
Patches include test updates

[ Risks ]
Outside of test changes, patches are not so big and the test coverage
provided by upstream is good, so risk is moderate.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
- open redirection patch: just rejects requests with `redirect_uri` if
  relying party configuration has no declared redirect URIs.
- SSRF patch:
  * add new configuration parameter to list authorized "request_uris"
  * change the algorithm that manages request_uri parameter

Cheers,
Xavier

diff --git a/debian/NEWS b/debian/NEWS index b8955920b..5295a3cbb 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,13 @@ +lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium + + A little-know feature of OIDC allows the OpenID Provider to fetch the + Authorization request parameters itself by indicating a request_uri + parameter. + By default, this feature is now restricted to a white list. See + Relying-Party security option to fill this field. + + -- Yadd Fri, 29 Sep 2023 17:15:03 +0400 + lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium CVE-2020-24660 
diff --git a/debian/changelog b/debian/changelog index cd4c8a023..148164a94 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u2) bookworm; urgency=medium + + * Fix open redirection when OIDC RP has no redirect uris + * Fix Server-Side-Request-Forgery issue in OIDC (CVE-2023-44469) + + -- Yadd Fri, 29 Sep 2023 17:18:12 +0400 + lemonldap-ng (2.16.1+ds-deb12u1) bookworm; urgency=medium * Apply login control to auth-slave requests diff --git a/debian/patches/SSRF-issue.patch b/debian/patches/SSRF-issue.patch new file mode 100644 index 0..3c6ca8b51 --- /dev/null +++ b/debian/patches/SSRF-issue.patch 
@@ -0,0 +1,795 @@ +Description: fix SSRF vulnerability + Issue described here: https://security.lauritz-holtmann.de/post/sso-security-ssrf/ +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2998 +Forwarded: not-needed +Applied-Upstream: 2.17.1, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/383/diffs +Reviewed-By: Yadd +Last-Update: 2023-09-22 + +--- a/doc/sources/admin/idpopenidconnect.rst b/doc/sources/admin/idpopenidconnect.rst +@@ -247,6 +247,11 @@ + This feature only works if you have configured a form-based authentication module. +- **Allow OAuth2.0 Client Credentials Grant** (since version ``2.0.11``): Allow the use of the + :ref:`Client Credentials Grant ` by this client. ++ - **Allowed URLs for fetching Request Object**: (since version ``2.17.1``): ++ which URLs may be called by the portal to fetch the request object (see ++ `request_uri ++ <https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter>`__ ++ in OIDC specifications). These URLs may use wildcards (``https://app.example.com/*``). +- **Authentication level**: Required authentication level to access this application +- **Access rule**: Lets you specify a :doc:`Perl rule` to restrict access to this client + +--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm +@@ -4656,6 +4656,7 @@ + oidcRPMetaDataOptionsComment => { type => 'longtext' }, + oidcRPMetaDataOptionsOfflineSessionExpiration => { type => 'int' }, + oidcRPMetaDataOptionsRedirectUris => { type => 'text', }, ++oidcRPMetaDataOptionsRequestUris => { type => 'text', }, + oidcRPMetaDataOptionsExtraClaims => { + type=> 'keyTextContainer', + keyTest => qr/^[\x21\x23-\x5B\x5D-\x7E]+$/, +--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/CTrees.pm b/lemonldap-ng-manager/lib/Lemon
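Review bot: distribution mismatch in debian/NEWS: the new entry reads `lemonldap-ng (2.16.1+ds-deb12u2) bullseye; urgency=medium` while debian/changelog for the same version says `bookworm`. NEWS entries are matched by version, so the upload still works, but the field should say `bookworm` so apt-listchanges and readers are not misled. Same entry: `little-know` should read `little-known`.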
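Review bot: the attached SSRF-issue.patch stops right after the CTrees.pm file header (`b/lemonldap-ng-manager/lib/Lemon`), so only the doc hunk and the new `oidcRPMetaDataOptionsRequestUris => { type => 'text', }` declaration in Attributes.pm are reviewable; the portal-side check that enforces the allow list, which is the part that fixes CVE-2023-44469, and the test updates are missing from this debdiff. When re-attaching, it is worth confirming that the wildcard form the doc promises (`https://app.example.com/*`) is matched with the pattern anchored and regex metacharacters escaped, so that `https://app.example.com/*` cannot match `https://app.example.com.attacker.example/`.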
Bug#1050997: bookworm-pu: package lemonldap-ng/2.16.1+ds-deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: lemonldap...@packages.debian.org
Control: affects -1 + src:lemonldap-ng

[ Reason ]
Version 2.17.0 of lemonldap-ng fixes two low-level security issues:
* the "login" security regex wasn't applied when using AuthSlave
* lemonldap-ng portal can be used as open-redirection due to incorrect escape
  handling

This proposal includes these 2 patches for Bookworm

[ Impact ]
Low security issues

[ Tests ]
Test updated, passed both with autopkgtest and build

[ Risks ]
No risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* check if login value respects the config when login comes from AuthSlave
* Sanitize URLs used in redirections
* Tests

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index 8de0d083f..268c0d993 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium + + * Apply login control to auth-slave requests + * Fix open redirection due to incorrect escape handling + + -- Yadd Fri, 01 Sep 2023 10:11:50 +0400 + lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium * Fix incorrect parsing of OP-provided acr diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml index 33c3a640d..756ccd252 100644 --- a/debian/gitlab-ci.yml +++ b/debian/gitlab-ci.yml @@ -1,4 +1,6 @@ --- +variables: + RELEASE: 'bookworm' include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml diff --git a/debian/patches/apply-user-control-to-authslave.patch b/debian/patches/apply-user-control-to-authslave.patch new file mode 100644 index 0..df0ceca39 --- /dev/null 
+++ b/debian/patches/apply-user-control-to-authslave.patch 
@@ -0,0 +1,83 @@ +Description: [Security] apply user-control to authSlave +Author: Christophe Maudoux +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351/diffs +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2946 +Forwarded: not-needed +Applied-Upstream: 2.17.0, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/351 +Reviewed-By: Yadd +Last-Update: 2023-09-01 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/Slave.pm +@@ -8,6 +8,7 @@ + PE_OK + PE_FORBIDDENIP + PE_USERNOTFOUND ++ PE_MALFORMEDUSER + ); + + our $VERSION = '2.0.12'; +@@ -37,11 +38,15 @@ + $user_header = 'HTTP_' . uc($user_header); + $user_header =~ s/\-/_/g; + +-unless ( $req->{user} = $req->env->{$user_header} ) { ++unless ( $req->env->{$user_header} ) { + $self->userLogger->error( + "No header " . $self->conf->{slaveUserHeader} . " found" ); + return PE_USERNOTFOUND; + } ++return PE_MALFORMEDUSER ++ unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o ); ++ ++$req->{user} = $req->env->{$user_header}; + return PE_OK; + } + +--- a/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t b/lemonldap-ng-portal/t/25-AuthSlave-with-Credentials.t +@@ -2,7 +2,7 @@ + use Test::More; + use strict; + use JSON; +-use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND); ++use Lemonldap::NG::Portal::Main::Constants qw(PE_FORBIDDENIP PE_USERNOTFOUND PE_MALFORMEDUSER); + + require 't/test-lib.pm'; + +@@ -17,6 +17,7 @@ + securedCookie => 3, + authentication => 'Slave', + userDB => 'Same', ++userControl=> '^\w{4}$', + slaveUserHeader=> 'My-Test', + slaveHeaderName=> 'Check-Slave', + slaveHeaderContent => 'Password', +@@ -91,6 +92,27 @@ + or explain( $json, "error => 4" ); + count(4); + ++# Good credentials with an unauthorized login ++ok( ++$res = $client->_get( ++'/', ++ip => '127.0.0.1', ++custom => { ++HTTP_MY_TEST => 'dwhoo', ++HTTP_NAME=> 'Dr 
Who', ++HTTP_CHECK_SLAVE => 'Password', ++} ++ ++), ++'Auth query' ++); ++ok( $res->[0] == 401, 'Get 401' ) or explain( $res->[0], 401 ); ++ok( $json = eval { from_json( $res->[2]->[0] ) }, 'Response is JSON' ) ++ or print STDERR "$@\n" . Dumper($res); ++ok( $json->{error} == PE_MALFORMEDUSER, 'Response is PE_MALFORMEDUSER' ) ++ or explain( $json, "error => 40" ); ++count(4); ++ + # Good credentials with acredited IP + ok( + $
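Review bot: the changelog entry `lemonldap-ng (2.16.1+ds-deb12u1) UNRELEASED; urgency=medium` still carries `UNRELEASED`; it must say `bookworm` in the upload that goes to bookworm-proposed-updates.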
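Review bot: the new `return PE_MALFORMEDUSER unless ( $req->env->{$user_header} =~ /$self->{conf}->{userControl}/o );` in Slave.pm rejects silently, whereas the neighbouring `PE_USERNOTFOUND` branch logs through `$self->userLogger->error`. A header value that fails userControl is exactly what an operator wants to see in the logs, so add a `userLogger->error`/`warn` line before the return (log the header name and a truncated value, not an unbounded one). Separately, the `/o` modifier compiles the pattern once per process; if the portal reloads configuration without a restart, a changed userControl would not be picked up by this check, so a `qr//` built from the current config is safer than `/o`. Moving `$req->{user} = ...` after the check is right: the user field is only populated once the value has passed the filter.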
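Review bot: the test hunk in 25-AuthSlave-with-Credentials.t is truncated (the `HTTP_NAME => 'Dr Who'` line is split and the file stops at `ok( $`), so the remainder of the test changes is not visible. The new case sends `HTTP_MY_TEST => 'dwhoo'` (five characters) against `userControl => '^\w{4}$'` and expects 401 with `PE_MALFORMEDUSER`; make sure the following `Good credentials with acredited IP` case uses a login that does satisfy `^\w{4}$`, otherwise the suite would not prove that valid slave users still get `PE_OK` after this change.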
Bug#1050730: bookworm-pu: package cyrus-imapd/3.6.1-4+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: cyrus-im...@packages.debian.org
Control: affects -1 + src:cyrus-imapd

[ Reason ]
I entered a patch some months ago in Bullseye to permit migration to
Cyrus-Imapd 3.6 (Bookworm): without this patch, mailboxes may be corrupted.
I also added a postinst check to refuse upgrades if the previous version
wasn't > 3.2.6-2+deb11u2. However, I made a mistake in this patch and
migrations are not blocked. So users that didn't follow Bullseye upgrades are
losing their mailboxes during Bookworm upgrades (see #1037346).

[ Impact ]
Data loss risk for users that didn't migrate from 3.2.6-2+deb11u2.

[ Risks ]
No risk here, it just fixes the major risk on upgrades

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
* fix dpkg --compare-versions use
* update doc to replace minimal 3.2.10 by 3.2.6-2+deb11u2

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index a6d3c31a..56cfb114 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +cyrus-imapd (3.6.1-4+deb12u1) UNRELEASED; urgency=medium + + * Doc: add patch to fix minimal version needed before upgrade +(see #1037346) + * Fix postint version check (see #1037346) + + -- Yadd Sat, 26 Aug 2023 07:06:45 +0400 + cyrus-imapd (3.6.1-4) unstable; urgency=medium * Update copyright diff --git a/debian/cyrus-common.postinst b/debian/cyrus-common.postinst index 86eb6f0a..10a36946 100755 --- a/debian/cyrus-common.postinst +++ b/debian/cyrus-common.postinst 
@@ -60,7 +60,7 @@ upgradesieve () { case "$1" in configure) # Refuse to update if previous version is lower than 3.2.6-2+deb11u2~ - if [ -z "$1" ] || $(dpkg --compare-versions $1 lt '3.2.6-2+deb11u2~'); then + if [ -z "$2" ] || $(dpkg --compare-versions $2 lt '3.2.6-2+deb11u2~'); then echo "You must update cyrus-imapd to at least version 3.2.6-2+deb11u2~" >&2 echo "before updating it to version 3.6.x and run it, else your mailboxes" >&2 echo "may be corrupted" >&2 diff --git a/debian/patches/fix-upgrade-versions.patch b/debian/patches/fix-upgrade-versions.patch new file mode 100644 index ..9d0bb2f9 --- /dev/null +++ b/debian/patches/fix-upgrade-versions.patch @@ -0,0 +1,37 @@ +Description: fix the minimal version needed to update +Author: Yadd +Bug-Debian: https://bugs.debian.org/1037346 +Forwarded: not-needed +Last-Update: 2023-07-19 + +--- a/doc/html/_sources/imap/download/upgrade.rst.txt b/doc/html/_sources/imap/download/upgrade.rst.txt +@@ -25,10 +25,9 @@ + Versions to upgrade from + + +-Before upgrading to 3.6, your deployment should be running either: ++Before upgrading to 3.6, your deployment should be running: + +-* 3.2.10 (or later), or +-* 3.4.4 (or later) ++* 3.2.6-2+deb11u2 (or later) + + If your existing deployment predates these releases, you should first upgrade + to one of these versions, let it run for a while, resolve any issues that +--- a/doc/text/imap/download/upgrade.txt b/doc/text/imap/download/upgrade.txt +@@ -59,11 +59,9 @@ + Versions to upgrade from + + +-Before upgrading to 3.6, your deployment should be running either: ++Before upgrading to 3.6, your deployment should be running: + +-* 3.2.10 (or later), or +- +-* 3.4.4 (or later) ++* 3.2.6-2+deb11u2 (or later) + + If your existing deployment predates these releases, you should first + upgrade to one of these versions, let it run for a while, resolve any diff --git a/debian/patches/series b/debian/patches/series index b33e49ac..353fb72b 100644 --- a/debian/patches/series 
+++ b/debian/patches/series @@ -8,3 +8,4 @@ 0018-increase-test-timeout.patch #0019-propagate-XXFLAGS.patch 0020_fix-cyr_cd-shebang.patch +fix-upgrade-versions.patch diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 33c3a640..6a91c217 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml @@ -1,4 +1,7 @@ --- +variables: + RELEASE: 'bookworm' + include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
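Review bot: the changelog entry `cyrus-imapd (3.6.1-4+deb12u1) UNRELEASED; urgency=medium` must say `bookworm` before upload, and `* Fix postint version check` should read `postinst`.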
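Review bot: the postinst hunk fixes the real bug (`$1` is the action word `configure`, `$2` is the previously configured version), but the form `if [ -z "$2" ] || $(dpkg --compare-versions $2 lt '3.2.6-2+deb11u2~'); then` runs dpkg inside a command substitution and then executes its empty output as a command. POSIX happens to propagate the substitution's exit status when the expanded command is empty, which is why it works, but it is fragile and `$2` is unquoted. Call the command directly: `if [ -z "$2" ] || dpkg --compare-versions "$2" lt '3.2.6-2+deb11u2~'; then`. Also note that on a fresh install `$2` is empty, so the `-z "$2"` test sends first installs down the same path as a too-old upgrade; the lines after the three `echo`s are not in the hunk, so please confirm that path only warns and does not abort a fresh installation.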
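Review bot: in fix-upgrade-versions.patch both doc hunks reduce the list to the single item `3.2.6-2+deb11u2 (or later)` but keep the following sentence `you should first upgrade to one of these versions`; with one entry left, `this version` reads better. The patch rewrites upstream's HTML-source and text copies of upgrade.rst consistently, which is the right pair of files.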
Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1
Control: tags -1 - moreinfo

On 7/25/23 11:40, Jonathan Wiltshire wrote:
> Control: tag -1 = bullseye moreinfo
>
> On Mon, Jul 24, 2023 at 09:37:58PM +0100, Adam D. Barratt wrote:
>> On Mon, 2023-07-24 at 21:27 +0100, Jonathan Wiltshire wrote:
>>> Control: tag -1 confirmed
>>>
>>> On Sun, Jul 09, 2023 at 09:11:26AM +0400, Yadd wrote:
>>>> [ Reason ]
>>>> node-dottie is vulnerable to prototype pollution (#1040592, CVE-2023-26132)
>>>
>>> By all means go ahead, but it can't be accepted until the situation in
>>> testing is fixed up (unless we propagate the version from
>>> bookworm-proposed-updates to testing).
>>
>> The provided diff appears to be against the package in bookworm. bullseye
>> has 2.0.2-1.
>
> Euf, right - sorry (too many releases started 'b'...)
>
> Please revise the debdiff.
>
> Thanks,

Sorry, here is the new debdiff

diff --git a/debian/changelog b/debian/changelog index d790b40..59ef133 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-dottie (2.0.2-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1040592, CVE-2023-26132) + + -- Yadd Sun, 09 Jul 2023 08:46:31 +0400 + node-dottie (2.0.2-1) unstable; urgency=medium * New upstream version 2.0.2 diff --git a/debian/patches/CVE-2023-26132.patch b/debian/patches/CVE-2023-26132.patch new file mode 100644 index 000..5186407 --- /dev/null +++ b/debian/patches/CVE-2023-26132.patch 
@@ -0,0 +1,76 @@ +Description: rudimentary __proto__ guarding +Author: Mick Hansen +Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c +Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 +Bug-Debian: https://bugs.debian.org/1040592 +Forwarded: not-needed +Applied-Upstream: 2.0.6, commit:7d3aee1c +Reviewed-By: Yadd +Last-Update: 2023-07-09 + +--- a/README.md b/README.md +@@ -42,6 +42,8 @@ + }); + ``` + ++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution. ++ + ### Transform object + Transform object from keys with dottie notation to nested objects + +--- a/dottie.js b/dottie.js +@@ -72,6 +72,7 @@ + // Set nested value + Dottie.set = function(object, path, value, options) { + var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length; ++if (pieces[0] === '__proto__') return; + + if (typeof current !== 'object') { + throw new Error('Parent is not an object.'); +@@ -137,6 +138,9 @@ + + if (key.indexOf(options.delimiter) !== -1) { + pieces = key.split(options.delimiter); ++ ++if (pieces[0] === '__proto__') break; ++ + piecesLength = pieces.length; + current = transformed; + +--- a/test/set.test.js b/test/set.test.js +@@ -45,4 +45,12 @@ + }); + expect(data.foo.bar.baz).to.equal('someValue'); + }); ++ ++ it('should not attempt to set __proto__', function () { ++var data = {}; ++ ++dottie.set(data, '__proto__.pollution', 'polluted'); ++ ++expect(data.__proto__.pollution).to.be.undefined; ++ }); + }); +\ No newline at end of file +--- a/test/transform.test.js b/test/transform.test.js +@@ -145,4 +145,16 @@ + expect(transformed.user.location.city).to.equal('Zanzibar City'); + expect(transformed.project.title).to.equal('dottie'); + }); ++ ++ it("should guard against prototype pollution", function () { ++var values = { ++ 'user.name': 'John Doe', ++ '__proto__.pollution': 'pollution' ++}; ++ ++var 
transformed = dottie.transform(values); ++expect(transformed.user).not.to.equal(undefined); ++expect(transformed.user.name).to.equal('John Doe'); ++expect(transformed.__proto__.pollution).to.be.undefined; ++ }); + }); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..e86da5e --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-26132.patch diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto new file mode 100644 index 000..e69de29
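Review bot: the guard added to `Dottie.set`, `if (pieces[0] === '__proto__') return;`, only inspects the first path segment, so a prototype-reaching segment anywhere else in the path, or the `constructor`/`prototype` pair, is not covered; checking every segment against a small deny list is the usual complete form and costs nothing here. In `Dottie.transform` the new `if (pieces[0] === '__proto__') break;` exits the enclosing loop over keys (the hunk does not show the loop header, but `break` only makes sense inside one), so every key that comes after the rejected one is silently dropped from the result; `continue` skips just the offending key. The new transform test passes either way only because `'__proto__.pollution'` is the last key in its `values` object. Upstream itself labels the change `rudimentary __proto__ guarding`, so this is worth flagging even if the stable update ships the upstream commit as-is.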
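A complete form of the guard the dottie patch introduces, as an added example that is not dottie's code: every path segment is checked, not only the first, and the transform skips an offending key instead of stopping. `safeSet`, `safeTransform`, `isUnsafePath` and `UNSAFE_SEGMENTS` are names chosen for this example; the `constructor`/`prototype` entries go beyond the page's `__proto__`-only check.

```javascript
// Added example (not dottie's code): a dotted-path setter and key expander that
// refuse any segment able to reach a prototype. Names are constructed here.

// Segments that let a write climb from a plain object to a shared prototype.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// True when any segment of the path, not just the first, is on the deny list.
function isUnsafePath(pieces) {
  return pieces.some((piece) => UNSAFE_SEGMENTS.has(piece));
}

// Set `value` at the dotted (or pre-split) path. Returns false and leaves the
// object untouched when the path is refused.
function safeSet(object, path, value) {
  if (typeof object !== 'object' || object === null) {
    throw new Error('Parent is not an object.');
  }
  const pieces = Array.isArray(path) ? path : path.split('.');
  if (isUnsafePath(pieces)) return false;
  let current = object;
  for (let i = 0; i < pieces.length - 1; i++) {
    const piece = pieces[i];
    // Only descend into own, plain-object properties; anything inherited or
    // non-object is replaced by a fresh container owned by `object`.
    const own = Object.prototype.hasOwnProperty.call(current, piece);
    if (!own || typeof current[piece] !== 'object' || current[piece] === null) {
      current[piece] = {};
    }
    current = current[piece];
  }
  current[pieces[pieces.length - 1]] = value;
  return true;
}

// Expand {'a.b': 1, 'c.d': 2} into nested objects. Unsafe keys are skipped and
// reported; the remaining keys are still processed (`continue`, not `break`).
function safeTransform(values, delimiter = '.') {
  const transformed = {};
  const skipped = [];
  for (const key of Object.keys(values)) {
    const pieces = key.split(delimiter);
    if (isUnsafePath(pieces)) {
      skipped.push(key);
      continue;
    }
    safeSet(transformed, pieces, values[key]);
  }
  return { transformed, skipped };
}

// Constructed input in the shape of the patch's own test, with the unsafe key
// first so that a `break` would have lost the user entry.
const SAMPLE_VALUES = {
  '__proto__.pollution': 'pollution',
  'user.name': 'John Doe',
  'user.location.city': 'Zanzibar City',
};

console.log(safeTransform(SAMPLE_VALUES));
```

The deny list is deliberately small and matched per segment; a write to `Object.prototype` through `a.__proto__.x` or `a.constructor.prototype.x` is refused the same way as the first-segment case the patch handles.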
Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
Control: tags -1 - moreinfo

On 7/25/23 21:02, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
>
> On Fri, Apr 21, 2023 at 11:36:54AM +0400, Yadd wrote:

diff --git a/debian/changelog b/debian/changelog index 628f69a..106d13b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd Fri, 21 Apr 2023 11:33:31 +0400 + node-xml2js (0.2.8-1) unstable; urgency=low * Upstream update

> bullseye has 0.2.8-1.1, please ensure you base the proposed debdiff off that.
>
> Remove the moreinfo tag when you are ready for further review.
>
> Thanks,

Hi,

here is the new debdiff

Best regards,
Yadd

diff --git a/debian/changelog b/debian/changelog index fa373bf..22806aa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xml2js (0.2.8-1.1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd Wed, 26 Jul 2023 08:27:13 +0400 + node-xml2js (0.2.8-1.1) unstable; urgency=medium * Non maintainer upload by the Reproducible Builds team. diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch new file mode 100644 index 000..cd03e08 --- /dev/null +++ b/debian/patches/CVE-2023-0842.patch 
@@ -0,0 +1,46 @@ +Description: use Object.create(null) to create all parsed objects + (prevent prototype replacement) +Author: James Crosby +Origin: upstream, commit:581b19a6 +Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc +Bug-Debian: https://bugs.debian.org/1034148 +Forwarded: not-needed +Applied-Upstream: 0.5.0, commit:581b19a6 +Reviewed-By: Yadd +Last-Update: 2023-04-21 + +--- a/src/xml2js.coffee b/src/xml2js.coffee +@@ -105,12 +105,12 @@ + charkey = @options.charkey + + @saxParser.onopentag = (node) => +- obj = {} ++ obj = Object.create(null) + obj[charkey] = "" + unless @options.ignoreAttrs + for own key of node.attributes + if attrkey not of obj and not @options.mergeAttrs +-obj[attrkey] = {} ++obj[attrkey] = Object.create(null) + if @options.mergeAttrs + obj[key] = node.attributes[key] + else +@@ -158,7 +158,7 @@ + + # put children into property and unfold chars if necessary + if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object' +-node = {} ++node = Object.create(null) + # separate attributes + if @options.attrkey of obj + node[@options.attrkey] = obj[@options.attrkey] +@@ -193,7 +193,7 @@ + if @options.explicitRoot + # avoid circular references + old = obj +- obj = {} ++ obj = Object.create(null) + obj[nodeName] = old + + @resultObject = obj diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..6b5589b --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-0842.patch
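Review bot: the four `{}` to `Object.create(null)` replacements in src/xml2js.coffee change the public shape of every parsed result: the returned objects no longer inherit `hasOwnProperty`, `toString` or `__proto__`, so application code doing `result.hasOwnProperty('x')` on a parse result now throws. That is the correct fix for a document-controlled key such as `__proto__`, but for a stable update it deserves a line in the changelog or a debian/NEWS entry, and the bullseye reverse-dependencies of node-xml2js should be checked for that idiom. It is also worth grepping the rest of xml2js.coffee for any other literal that receives an element or attribute name as key, since the hunks only cover the `onopentag`, `explicitChildren` and `explicitRoot` sites.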
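What the `Object.create(null)` change above alters, shown as an added example that is not xml2js code: the same child-attachment step is run once with a `{}` literal (the pre-fix form) and once with a null-prototype object. `buildElements`, `summarize`, the `beforeFix`/`afterFix` helpers and the sample element list are constructed for this example.

```javascript
// Added example (not xml2js code): a parser that stores children under their
// tag name, built with {} versus Object.create(null). Names are constructed.

// Constructed SAX-style input for <root><name lang="en"/><__proto__ level="x"/></root>:
// each entry is [tagName, attributes]. Both names come from the document.
const SAMPLE_CHILDREN = [
  ['name', { lang: 'en' }],
  ['__proto__', { level: 'x' }],
];

// Attach each child on a fresh root the way xml2js does (`obj[nodeName] = ...`).
// `newObject` decides which kind of container is used at every level.
function buildElements(children, newObject) {
  const root = newObject();
  for (const [tag, attrs] of children) {
    const child = newObject();
    child['$'] = newObject();            // attribute map, like xml2js's attrkey
    for (const [k, v] of Object.entries(attrs)) child['$'][k] = v;
    root[tag] = child;                   // document-controlled key
  }
  return root;
}

// What a consumer of the tree observes about the root.
function summarize(root) {
  const proto = Object.getPrototypeOf(root);
  return {
    ownKeys: Object.keys(root),
    // true when the assignment of the '__proto__' child swapped the prototype
    prototypeReplaced: proto !== Object.prototype && proto !== null,
    // the root has no attributes of its own; a value here was inherited
    inheritedAttrs: root['$'] === undefined ? null : { ...root['$'] },
    // null-prototype objects lose Object.prototype helpers
    hasOwnPropertyAvailable: typeof root.hasOwnProperty === 'function',
  };
}

// Pre-fix: plain object literals. The '__proto__' child becomes the root's prototype.
function beforeFix() {
  return buildElements(SAMPLE_CHILDREN, () => ({}));
}

// Post-fix: null-prototype objects. '__proto__' is just another own key.
function afterFix() {
  return buildElements(SAMPLE_CHILDREN, () => Object.create(null));
}

console.log('before fix:', summarize(beforeFix()));
console.log('after fix: ', summarize(afterFix()));
```

Before the fix the element named `__proto__` vanishes from the own keys and its attributes show up on the root by inheritance; after the fix it is an ordinary key, at the cost that `hasOwnProperty` is no longer reachable on the result, which is the compatibility point a consumer of the parsed tree has to know about.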
Bug#1040563: bookworm-pu: package node-tough-cookie/4.0.0-2+deb12u1
On 7/7/23 21:43, Jonathan Wiltshire wrote:
> Control: tag -1 moreinfo
>
> On Fri, Jul 07, 2023 at 09:01:40PM +0400, Yadd wrote:
>> [ Reason ]
>> node-tough-cookie is vulnerable to prototype pollution
>
> How has this been fixed in unstable? You'll need an upload there anyway for
> version ordering.
>
> Thanks,

Hi,

upload already done in unstable

Cheers,
Bug#1040683: bookworm-pu: package node-webpack/5.75.0+dfsg+~cs17.16.14-1+deb12u1
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-webp...@packages.debian.org
Control: affects -1 + src:node-webpack

[ Reason ]
node-webpack is vulnerable to cross-realm object access (#1032904,
CVE-2023-28154).

[ Impact ]
Medium security issue

[ Tests ]
Test updated, passed

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

Regards,
Yadd

diff --git a/debian/changelog b/debian/changelog index 0053d7ee..a07dd9d4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium + + * Team upload + * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154) + + -- Yadd Mon, 29 May 2023 07:53:16 +0400 + node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch new file mode 100644 index ..2f651167 --- /dev/null +++ b/debian/patches/CVE-2023-28154.patch 
@@ -0,0 +1,80 @@ +Description: avoid cross-realm objects +Author: Jack Works +Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb +Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154 +Bug-Debian: https://bugs.debian.org/1032904 +Forwarded: not-needed +Applied-Upstream: 5.76.1, commit:4b4ca3bb +Reviewed-By: Yadd +Last-Update: 2023-05-29 + +--- a/lib/dependencies/ImportParserPlugin.js b/lib/dependencies/ImportParserPlugin.js +@@ -137,7 +137,7 @@ + if (importOptions.webpackInclude !== undefined) { + if ( + !importOptions.webpackInclude || +- importOptions.webpackInclude.constructor.name !== "RegExp" ++ !(importOptions.webpackInclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -146,13 +146,13 @@ + ) + ); + } else { +- include = new RegExp(importOptions.webpackInclude); ++ include = importOptions.webpackInclude; + } + } + if (importOptions.webpackExclude !== undefined) { + if ( + !importOptions.webpackExclude || +- importOptions.webpackExclude.constructor.name !== "RegExp" ++ !(importOptions.webpackExclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -161,7 +161,7 @@ + ) + ); + } else { +- exclude = new RegExp(importOptions.webpackExclude); ++ exclude = importOptions.webpackExclude; + } + } + if (importOptions.webpackExports !== undefined) { +--- a/lib/javascript/JavascriptParser.js b/lib/javascript/JavascriptParser.js +@@ -3635,17 +3635,27 @@ + return EMPTY_COMMENT_OPTIONS; + } + let options = {}; ++ /** @type {unknown[]} */ + let errors = []; + for (const comment of comments) { + const { value } = comment; + if (value && webpackCommentRegExp.test(value)) { + // try compile only if webpack options comment is present + try { +- const val = vm.runInNewContext(`(function(){return {${value}};})()`); +- Object.assign(options, val); ++ for (let [key, val] of Object.entries( ++ vm.runInNewContext(
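Review bot: the `instanceof RegExp` checks in ImportParserPlugin.js are realm-sensitive by design: a RegExp produced inside `vm.runInNewContext` has a different `RegExp.prototype`, so after this change it fails the check and is reported through `UnsupportedFeatureWarning` instead of being re-created with `new RegExp(...)`. That matches the intent of not handling objects from the untrusted evaluation realm, but replacing `include = new RegExp(importOptions.webpackInclude)` with the bare value is only safe if the JavascriptParser.js hunk that follows rebuilds the parsed options as main-realm values; that hunk is cut off in the attached debdiff (it ends at `vm.runInNewContext(`), and the new `/** @type {unknown[]} */ let errors` suggests an error path was added as well. Please re-attach the full 80-line patch so the parser side can be reviewed.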
Bug#1040680: bookworm-pu: package node-openpgp-seek-bzip/1.0.5-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-openpgp-seek-b...@packages.debian.org Control: affects -1 + src:node-openpgp-seek-bzip [ Reason ] src:node-openpgp-seek-bzip provides: * a Node.js module (node-openpgp-seek-bzip) * command-line scripts (seek-bzip) This second package is unusable due to missing files and broken links. [ Impact ] /usr/bin/seek-bunzip and /usr/bin/seek-table are unusable [ Tests ] No changes [ Risks ] No risk, this just fixes the install [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Install missing /usr/share/nodejs/seek-bzip/bin files and fix links in /usr/bin Regards, Yadd diff --git a/debian/changelog b/debian/changelog index daa35de..20dc0b2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-openpgp-seek-bzip (1.0.5-2+deb12u1) bookworm; urgency=medium + + * Team upload + * Fix seek-bzip install (Closes: #1040584) + + -- Yadd Sun, 09 Jul 2023 09:29:47 +0400 + node-openpgp-seek-bzip (1.0.5-2) unstable; urgency=medium * Team upload diff --git a/debian/nodejs/links b/debian/nodejs/links index 0ff514c..6c89a6e 100644 --- a/debian/nodejs/links +++ b/debian/nodejs/links @@ -1,2 +1,2 @@ -@openpgp/seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip -@openpgp/seek-bzip/bin/seek-bzip-table /usr/bin/seek-table +seek-bzip/bin/seek-bunzip /usr/bin/seek-bunzip +seek-bzip/bin/seek-bzip-table /usr/bin/seek-table diff --git a/debian/seek-bzip.install b/debian/seek-bzip.install index e772481..8bbbe8d 100644 --- a/debian/seek-bzip.install +++ b/debian/seek-bzip.install @@ -1 +1,2 @@ usr/bin +usr/share/nodejs/seek-bzip/bin
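Review bot: the two debian/nodejs/links targets now point under `seek-bzip/bin/` while the module is installed as `@openpgp/seek-bzip`; this only works because the new `usr/share/nodejs/seek-bzip/bin` line in debian/seek-bzip.install ships those files at that exact path, so the two files must stay in step and a comment in links saying so would save the next person a search. [ Tests ] says "No changes" although the bug is precisely that the installed `/usr/bin/seek-bunzip` and `/usr/bin/seek-table` were unusable; an autopkgtest that executes both links would have caught the broken install and will catch a regression.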
Bug#1040679: bullseye-pu: package node-dottie/2.0.2-4+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-dot...@packages.debian.org Control: affects -1 + src:node-dottie [ Reason ] node-dottie is vulnerable to prototype pollution (#1040592, CVE-2023-26132) [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Don't allow __proto__ modifications. The patch also includes a debian/tests/pkg-js/enable_proto file to allow __proto__ calls during autopkgtest (forbidden by default), because the patch includes a prototype-pollution test Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 9edf53f..5c9d435 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-dottie (2.0.2-4+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1040592, CVE-2023-26132) + + -- Yadd Sun, 09 Jul 2023 08:46:31 +0400 + node-dottie (2.0.2-4) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-26132.patch b/debian/patches/CVE-2023-26132.patch new file mode 100644 index 000..5186407 --- /dev/null +++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@ +Description: rudimentary __proto__ guarding +Author: Mick Hansen +Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c +Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 +Bug-Debian: https://bugs.debian.org/1040592 +Forwarded: not-needed +Applied-Upstream: 2.0.6, commit:7d3aee1c +Reviewed-By: Yadd +Last-Update: 2023-07-09 + +--- a/README.md b/README.md +@@ -42,6 +42,8 @@ + }); + ``` + ++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution. ++ + ### Transform object + Transform object from keys with dottie notation to nested objects + +--- a/dottie.js b/dottie.js +@@ -72,6 +72,7 @@ + // Set nested value + Dottie.set = function(object, path, value, options) { + var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length; ++if (pieces[0] === '__proto__') return; + + if (typeof current !== 'object') { + throw new Error('Parent is not an object.'); +@@ -137,6 +138,9 @@ + + if (key.indexOf(options.delimiter) !== -1) { + pieces = key.split(options.delimiter); ++ ++if (pieces[0] === '__proto__') break; ++ + piecesLength = pieces.length; + current = transformed; + +--- a/test/set.test.js b/test/set.test.js +@@ -45,4 +45,12 @@ + }); + expect(data.foo.bar.baz).to.equal('someValue'); + }); ++ ++ it('should not attempt to set __proto__', function () { ++var data = {}; ++ ++dottie.set(data, '__proto__.pollution', 'polluted'); ++ ++expect(data.__proto__.pollution).to.be.undefined; ++ }); + }); +\ No newline at end of file +--- a/test/transform.test.js b/test/transform.test.js +@@ -145,4 +145,16 @@ + expect(transformed.user.location.city).to.equal('Zanzibar City'); + expect(transformed.project.title).to.equal('dottie'); + }); ++ ++ it("should guard against prototype pollution", function () { ++var values = { ++ 'user.name': 'John Doe', ++ '__proto__.pollution': 'pollution' ++}; ++ ++var 
transformed = dottie.transform(values); ++expect(transformed.user).not.to.equal(undefined); ++expect(transformed.user.name).to.equal('John Doe'); ++expect(transformed.__proto__.pollution).to.be.undefined; ++ }); + }); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..e86da5e --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-26132.patch diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto new file mode 100644 index 000..e69de29
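Review bot: the guard added to `Dottie.set`, `if (pieces[0] === '__proto__') return;`, and the matching `if (pieces[0] === '__proto__') break;` in the transform loop check only the first path segment; the patch's own Description calls this "rudimentary", and the README hunk's advice to call `Object.preventExtensions(values)` first shows upstream expects callers to add protection of their own. Since the changelog says "Fix prototype pollution" in general, it would be more accurate to say it closes the reported `__proto__` path (CVE-2023-26132). The silent `return` also gives the caller no signal that a write was dropped; throwing would make misuse visible. The new debian/tests/pkg-js/enable_proto is an empty file (blob e69de29), which matches the [ Changes ] explanation.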
Bug#1040678: bookworm-pu: package node-dottie/2.0.2-4+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-dot...@packages.debian.org Control: affects -1 + src:node-dottie [ Reason ] node-dottie is vulnerable to prototype pollution (#1040592, CVE-2023-26132) [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Don't allow __proto__ modifications. The patch also includes a debian/tests/pkg-js/enable_proto file to allow __proto__ calls during autopkgtest (forbidden by default), because the patch includes a prototype-pollution test Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 9edf53f..a6edff9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-dottie (2.0.2-4+deb12u1) bookworm; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1040592, CVE-2023-26132) + + -- Yadd Sun, 09 Jul 2023 08:43:00 +0400 + node-dottie (2.0.2-4) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-26132.patch b/debian/patches/CVE-2023-26132.patch new file mode 100644 index 000..5186407 --- /dev/null +++ b/debian/patches/CVE-2023-26132.patch
@@ -0,0 +1,76 @@ +Description: rudimentary __proto__ guarding +Author: Mick Hansen +Origin: upstream, https://github.com/mickhansen/dottie.js/commit/7d3aee1c +Bug: https://security.snyk.io/vuln/SNYK-JS-DOTTIE-3332763 +Bug-Debian: https://bugs.debian.org/1040592 +Forwarded: not-needed +Applied-Upstream: 2.0.6, commit:7d3aee1c +Reviewed-By: Yadd +Last-Update: 2023-07-09 + +--- a/README.md b/README.md +@@ -42,6 +42,8 @@ + }); + ``` + ++If you accept arbitrary/user-defined paths to `set` you should call `Object.preventExtensions(values)` first to guard against potential pollution. ++ + ### Transform object + Transform object from keys with dottie notation to nested objects + +--- a/dottie.js b/dottie.js +@@ -72,6 +72,7 @@ + // Set nested value + Dottie.set = function(object, path, value, options) { + var pieces = Array.isArray(path) ? path : path.split('.'), current = object, piece, length = pieces.length; ++if (pieces[0] === '__proto__') return; + + if (typeof current !== 'object') { + throw new Error('Parent is not an object.'); +@@ -137,6 +138,9 @@ + + if (key.indexOf(options.delimiter) !== -1) { + pieces = key.split(options.delimiter); ++ ++if (pieces[0] === '__proto__') break; ++ + piecesLength = pieces.length; + current = transformed; + +--- a/test/set.test.js b/test/set.test.js +@@ -45,4 +45,12 @@ + }); + expect(data.foo.bar.baz).to.equal('someValue'); + }); ++ ++ it('should not attempt to set __proto__', function () { ++var data = {}; ++ ++dottie.set(data, '__proto__.pollution', 'polluted'); ++ ++expect(data.__proto__.pollution).to.be.undefined; ++ }); + }); +\ No newline at end of file +--- a/test/transform.test.js b/test/transform.test.js +@@ -145,4 +145,16 @@ + expect(transformed.user.location.city).to.equal('Zanzibar City'); + expect(transformed.project.title).to.equal('dottie'); + }); ++ ++ it("should guard against prototype pollution", function () { ++var values = { ++ 'user.name': 'John Doe', ++ '__proto__.pollution': 'pollution' ++}; ++ ++var 
transformed = dottie.transform(values); ++expect(transformed.user).not.to.equal(undefined); ++expect(transformed.user.name).to.equal('John Doe'); ++expect(transformed.__proto__.pollution).to.be.undefined; ++ }); + }); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..e86da5e --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-26132.patch diff --git a/debian/tests/pkg-js/enable_proto b/debian/tests/pkg-js/enable_proto new file mode 100644 index 000..e69de29
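Review bot: this is the same patch as in the bullseye request (#1040679), and the same limitation applies: the `pieces[0] === '__proto__'` checks in `Dottie.set` and in the transform loop cover the first segment only and drop the write silently. The test hunks exercise exactly `'__proto__.pollution'` as the leading key, so test coverage matches the guard and nothing more; a case with `__proto__` in a later position would document what the patch does and does not promise. Nit: test/set.test.js still ends with `\ No newline at end of file` after the hunk, worth fixing while the file is being touched.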
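Added example (the editor's, not dottie's code) for the two node-dottie requests above (bullseye and bookworm): a minimal dotted-path setter in the shape the pre-patch `Dottie.set` had, beside a hardened version, plus a flat-to-nested transform built on it. The hardened version deliberately goes further than the patch's first-segment check: it rejects `__proto__`, `constructor` and `prototype` anywhere in the path, throws instead of returning silently, and only descends into own properties. Function names are this example's own; the hostile inputs are the ones the patch's tests use.

```javascript
// Keys that let a path walk onto shared prototypes. Assumption of this example:
// the application never needs them as data keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function splitPath(path) {
  return Array.isArray(path) ? path : String(path).split('.');
}

// Vulnerable shape: every segment is walked through current[piece], so a
// '__proto__' segment resolves to Object.prototype and the final assignment
// pollutes every plain object in the process.
function setPathUnsafe(target, path, value) {
  const pieces = splitPath(path);
  let current = target;
  for (let i = 0; i < pieces.length - 1; i++) {
    if (typeof current[pieces[i]] !== 'object' || current[pieces[i]] === null) {
      current[pieces[i]] = {};
    }
    current = current[pieces[i]];
  }
  current[pieces[pieces.length - 1]] = value;
  return target;
}

// Hardened: refuse forbidden keys in any position and never descend into an
// inherited property, so the walk can only ever touch the caller's own object.
function setPathSafe(target, path, value) {
  const pieces = splitPath(path);
  if (pieces.some((p) => FORBIDDEN_KEYS.has(p))) {
    throw new TypeError(`refusing path with forbidden key: ${pieces.join('.')}`);
  }
  let current = target;
  for (let i = 0; i < pieces.length - 1; i++) {
    const piece = pieces[i];
    const own = Object.prototype.hasOwnProperty.call(current, piece);
    if (!own || typeof current[piece] !== 'object' || current[piece] === null) {
      current[piece] = {};
    }
    current = current[piece];
  }
  current[pieces[pieces.length - 1]] = value;
  return target;
}

// { 'a.b': v } -> { a: { b: v } }, the shape of Dottie.transform, on the
// hardened setter so the same guard covers it.
function transformSafe(flat) {
  const out = {};
  for (const [key, value] of Object.entries(flat)) {
    setPathSafe(out, key, value);
  }
  return out;
}

function throwsTypeError(fn) {
  try { fn(); return false; } catch (err) { return err instanceof TypeError; }
}

function demonstrate() {
  const results = {};
  // Constructed hostile input, the same path the patch's test uses.
  setPathUnsafe({}, '__proto__.pollution', 'polluted');
  results.unsafePollutes = ({}).pollution === 'polluted';
  delete Object.prototype.pollution; // undo the damage before going on

  results.safeRejectsLeadingProto = throwsTypeError(() => setPathSafe({}, '__proto__.pollution', 'polluted'));
  results.safeRejectsNestedProto = throwsTypeError(() => setPathSafe({}, 'user.__proto__.pollution', 'polluted'));
  results.safeRejectsConstructor = throwsTypeError(() => setPathSafe({}, 'constructor.prototype.pollution', 'polluted'));
  results.transformRejectsProto = throwsTypeError(() =>
    transformSafe({ 'user.name': 'John Doe', '__proto__.pollution': 'pollution' }));
  results.nothingLeaked = ({}).pollution === undefined;

  const nested = setPathSafe({}, 'user.profile.name', 'John Doe');
  results.nestedWrite = nested.user.profile.name === 'John Doe';
  results.transformWorks = transformSafe({ 'user.name': 'John Doe' }).user.name === 'John Doe';
  return results;
}
```

Rejecting on the key name is the cheap, general fix; the README hunk's `Object.preventExtensions(values)` advice works from the other side by making the target unable to grow, and the two compose.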
Bug#1040677: bullseye-pu: package node-tough-cookie/4.0.0-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-tough-coo...@packages.debian.org Control: affects -1 + src:node-tough-cookie [ Reason ] node-tough-cookie is vulnerable to prototype pollution [ Impact ] Little security issue [ Tests ] Test updated, passed [ Risks ] No risk, patch is trivial and tested [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Create new object instead of using default {} Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3652359..84339cf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-tough-cookie (4.0.0-2+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2023-26136) + + -- Yadd Sun, 09 Jul 2023 08:32:32 +0400 + node-tough-cookie (4.0.0-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-26136.patch b/debian/patches/CVE-2023-26136.patch new file mode 100644 index 000..05e6372 --- /dev/null +++ b/debian/patches/CVE-2023-26136.patch
@@ -0,0 +1,71 @@ +Description: Fix prototype pollution + CVE-2023-26136 +Author: Yadd +Forwarded: not-needed +Last-Update: 2023-07-07 + +--- a/lib/memstore.js b/lib/memstore.js +@@ -39,7 +39,7 @@ + constructor() { + super(); + this.synchronous = true; +-this.idx = {}; ++this.idx = Object.create(null); + if (util.inspect.custom) { + this[util.inspect.custom] = this.inspect; + } +@@ -109,10 +109,10 @@ + + putCookie(cookie, cb) { + if (!this.idx[cookie.domain]) { +- this.idx[cookie.domain] = {}; ++ this.idx[cookie.domain] = Object.create(null); + } + if (!this.idx[cookie.domain][cookie.path]) { +- this.idx[cookie.domain][cookie.path] = {}; ++ this.idx[cookie.domain][cookie.path] = Object.create(null); + } + this.idx[cookie.domain][cookie.path][cookie.key] = cookie; + cb(null); +@@ -144,7 +144,7 @@ + return cb(null); + } + removeAllCookies(cb) { +-this.idx = {}; ++this.idx = Object.create(null); + return cb(null); + } + getAllCookies(cb) { +--- a/test/cookie_jar_test.js b/test/cookie_jar_test.js +@@ -669,4 +669,29 @@ + } + } + }) ++ .addBatch({ ++"Issue #282 - Prototype pollution": { ++ "when setting a cookie with the domain __proto__": { ++topic: function() { ++ const jar = new tough.CookieJar(undefined, { ++rejectPublicSuffixes: false ++ }); ++ // try to pollute the prototype ++ jar.setCookieSync( ++"Slonser=polluted; Domain=__proto__; Path=/notauth", ++"https://__proto__/admin; ++ ); ++ jar.setCookieSync( ++"Auth=Lol; Domain=google.com; Path=/notauth", ++"https://google.com/; ++ ); ++ this.callback(); ++}, ++"results in a cookie that is not affected by the attempted prototype pollution": function() { ++ const pollutedObject = {}; ++ assert(pollutedObject["/notauth"] === undefined); ++} ++ } ++} ++ }) + .export(module); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..67af372 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-26136.patch
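Review bot: the patch header lists `Author: Yadd` with no `Origin:` or `Bug:` line, while every other patch in these requests records the upstream commit and advisory; the added test batch is titled "Issue #282 - Prototype pollution", so at least that upstream issue should be referenced, plus a `Bug-Debian:` line if a bug exists. In the test hunk the two URL arguments read `"https://__proto__/admin;` and `"https://google.com/;` without a closing quote, which would not parse; if this is only mangling in transit it is fine, otherwise the test file is broken and the "Test updated, passed" claim needs a second look. The lib/memstore.js change itself is complete: every place that created an index level with `{}` (the constructor, both levels in `putCookie`, `removeAllCookies`) now uses `Object.create(null)`, so a `Domain=__proto__` cookie becomes an ordinary own key instead of resolving to `Object.prototype`.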
Bug#1040563: bookworm-pu: package node-tough-cookie/4.0.0-2+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-tough-coo...@packages.debian.org Control: affects -1 + src:node-tough-cookie [ Reason ] node-tough-cookie is vulnerable to prototype pollution [ Impact ] Little security issue [ Tests ] Test updated, passed [ Risks ] No risk, patch is trivial and tested [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Create new object instead of using default {} Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3652359..a8e8b7e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-tough-cookie (4.0.0-2+deb12u1) bookworm; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2023-26136) + + -- Yadd Fri, 07 Jul 2023 20:57:36 +0400 + node-tough-cookie (4.0.0-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-26136.patch b/debian/patches/CVE-2023-26136.patch new file mode 100644 index 000..05e6372 --- /dev/null +++ b/debian/patches/CVE-2023-26136.patch
@@ -0,0 +1,71 @@ +Description: Fix prototype pollution + CVE-2023-26136 +Author: Yadd +Forwarded: not-needed +Last-Update: 2023-07-07 + +--- a/lib/memstore.js b/lib/memstore.js +@@ -39,7 +39,7 @@ + constructor() { + super(); + this.synchronous = true; +-this.idx = {}; ++this.idx = Object.create(null); + if (util.inspect.custom) { + this[util.inspect.custom] = this.inspect; + } +@@ -109,10 +109,10 @@ + + putCookie(cookie, cb) { + if (!this.idx[cookie.domain]) { +- this.idx[cookie.domain] = {}; ++ this.idx[cookie.domain] = Object.create(null); + } + if (!this.idx[cookie.domain][cookie.path]) { +- this.idx[cookie.domain][cookie.path] = {}; ++ this.idx[cookie.domain][cookie.path] = Object.create(null); + } + this.idx[cookie.domain][cookie.path][cookie.key] = cookie; + cb(null); +@@ -144,7 +144,7 @@ + return cb(null); + } + removeAllCookies(cb) { +-this.idx = {}; ++this.idx = Object.create(null); + return cb(null); + } + getAllCookies(cb) { +--- a/test/cookie_jar_test.js b/test/cookie_jar_test.js +@@ -669,4 +669,29 @@ + } + } + }) ++ .addBatch({ ++"Issue #282 - Prototype pollution": { ++ "when setting a cookie with the domain __proto__": { ++topic: function() { ++ const jar = new tough.CookieJar(undefined, { ++rejectPublicSuffixes: false ++ }); ++ // try to pollute the prototype ++ jar.setCookieSync( ++"Slonser=polluted; Domain=__proto__; Path=/notauth", ++"https://__proto__/admin; ++ ); ++ jar.setCookieSync( ++"Auth=Lol; Domain=google.com; Path=/notauth", ++"https://google.com/; ++ ); ++ this.callback(); ++}, ++"results in a cookie that is not affected by the attempted prototype pollution": function() { ++ const pollutedObject = {}; ++ assert(pollutedObject["/notauth"] === undefined); ++} ++ } ++} ++ }) + .export(module); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..67af372 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-26136.patch
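Review bot: identical patch to the bullseye request (#1040677), with the same gaps in the header (no `Origin:`, `Bug:` or `Bug-Debian:` although the test names upstream "Issue #282") and the same apparently unterminated `"https://__proto__/admin;` and `"https://google.com/;` literals in the test hunk. One further point on the test: its only assertion, `const pollutedObject = {}; assert(pollutedObject["/notauth"] === undefined);`, proves that `Object.prototype` was not touched but not that the `Domain=__proto__` cookie was stored and can be read back as an ordinary entry, which is the behaviour `Object.create(null)` is meant to provide; a second assertion through the jar's own lookup would pin that down.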
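Added example (the editor's, not tough-cookie's code) for the two node-tough-cookie requests above (bullseye and bookworm): a cookie index keyed by domain, path and cookie name, first backed by plain `{}` objects in the shape the pre-patch memstore used, then by null-prototype objects as the patch does. The domain comes from the Set-Cookie header, so the index key is attacker-influenced. Class and method names are this example's own; the hostile cookie is the one from the patch's regression test.

```javascript
// Pre-patch shape: plain object literals at every level of the index.
class PlainIndex {
  constructor() { this.idx = {}; }
  put(domain, path, key, value) {
    if (!this.idx[domain]) this.idx[domain] = {};
    if (!this.idx[domain][path]) this.idx[domain][path] = {};
    this.idx[domain][path][key] = value;
  }
  get(domain, path, key) {
    const byPath = this.idx[domain] && this.idx[domain][path];
    return byPath ? byPath[key] : undefined;
  }
}

// Patched shape: Object.create(null) yields objects with no prototype chain,
// so idx['__proto__'] is an ordinary missing key, not Object.prototype, and the
// `if (!this.idx[domain])` test creates a fresh level as for any other domain.
class NullProtoIndex {
  constructor() { this.idx = Object.create(null); }
  put(domain, path, key, value) {
    if (!this.idx[domain]) this.idx[domain] = Object.create(null);
    if (!this.idx[domain][path]) this.idx[domain][path] = Object.create(null);
    this.idx[domain][path][key] = value;
  }
  get(domain, path, key) {
    const byPath = this.idx[domain] && this.idx[domain][path];
    return byPath ? byPath[key] : undefined;
  }
}

function demonstrate() {
  // Constructed input: the cookie from the patch's test, split into its parts.
  const hostile = { domain: '__proto__', path: '/notauth', key: 'Slonser', value: 'polluted' };

  const plain = new PlainIndex();
  plain.put(hostile.domain, hostile.path, hostile.key, hostile.value);
  // With {}, idx['__proto__'] is Object.prototype (truthy, so not replaced),
  // and the write lands there: every plain object now has a '/notauth' key.
  const plainPolluted = ({})['/notauth'] !== undefined;
  delete Object.prototype['/notauth']; // undo the damage before going on

  const safe = new NullProtoIndex();
  safe.put(hostile.domain, hostile.path, hostile.key, hostile.value);
  safe.put('example.com', '/', 'session', 'abc');
  return {
    plainPolluted,
    safePolluted: ({})['/notauth'] !== undefined,
    hostileStoredAsOwnKey: safe.get('__proto__', '/notauth', 'Slonser') === 'polluted',
    normalLookup: safe.get('example.com', '/', 'session') === 'abc',
    missingLookup: safe.get('example.org', '/', 'session') === undefined,
  };
}
```

A `Map` keyed by domain would give the same isolation with a more explicit API; `Object.create(null)` has the advantage here of leaving every existing `this.idx[domain][path][key]` access in the store untouched, which is why the patch is three one-line changes.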
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 6/1/23 13:44, Paul Gevers wrote:
> control: tags -1 moreinfo
>
> Hi Yadd,
>
> On 29-05-2023 05:58, Yadd wrote:
>> On 5/28/23 10:29, Graham Inggs wrote:
>>> On Wed, 3 May 2023 at 04:51, Yadd wrote:
>>> How about reverting and providing a fix only for that CVE please?
>>
>> Instead of reverting and having a too-long version (5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if an upload to bookworm is allowed, I'm able to push this debdiff.
>
> Please upload this debdiff to unstable ASAP. I'm not aware of limitations for the version number that you would trigger with that. tpu is not meant for this purpose (it doesn't have any QA). Mind you, the closing window for uploads was last weekend, so we're extremely late. Otherwise we'll have to do this via the security archive or a point release update.
>
> Paul

Hi,

I can't upload this debdiff to unstable because the version in unstable is 5.76.1+dfsg1+~cs17.16.16-1. If we can't upload to bookworm without using unstable, let's wait for Debian/12.1. Else, the version would be:
- 5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1
and then later fixes will look like
- 5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1+deb12u1

I don't want to be the author of such a version.
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
On 5/31/23 23:30, Salvatore Bonaccorso wrote: Hi Yadd, On Wed, May 31, 2023 at 03:13:06PM +0400, Yadd wrote: Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: jquer...@packages.debian.org Control: affects -1 + src:jqueryui [ Reason ] jqueryui is potentially vulnerable to cross-site scripting (CVE-2022-31160) [ Impact ] Low security issue [ Tests ] Sadly tests are minimal in this package. Anyway passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Don't accept label outside of the root element Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3a6a587..9b1e9cc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium + + * Team upload + * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160) + + -- Yadd Wed, 31 May 2023 15:08:55 +0400 Minor thing, you could as well close #1015982 with the upload. Hi, sure, here is the new debdiff
diff --git a/debian/changelog b/debian/changelog index 3a6a587..dc02159 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium + + * Team upload + * Checkboxradio: Don't re-evaluate text labels as HTML +(Closes: #1015982, CVE-2022-31160) + + -- Yadd Thu, 01 Jun 2023 06:50:09 +0400 + jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-31160.patch b/debian/patches/CVE-2022-31160.patch new file mode 100644 index 000..8f5238d --- /dev/null +++ b/debian/patches/CVE-2022-31160.patch
@@ -0,0 +1,157 @@ +Description: Checkboxradio: Don't re-evaluate text labels as HTML +Author: Michał Gołębiowski-Owczarek +Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1 +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 +Bug-Debian: https://bugs.debian.org/1015982 +Forwarded: not-needed +Applied-Upstream: 1.13.2, commit:8cc5bae1 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/tests/unit/checkboxradio/checkboxradio.html b/tests/unit/checkboxradio/checkboxradio.html +@@ -64,6 +64,18 @@ + + + ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ emHi, I'm a label/em ++ + + + +--- a/tests/unit/checkboxradio/core.js b/tests/unit/checkboxradio/core.js +@@ -135,4 +135,41 @@ + ); + } ); + ++QUnit.test( "Inheriting label from initial HTML", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a label/em" ++ } ++ ]; ++ ++ assert.expect( tests.length ); ++ ++ tests.forEach( function( testData ) { ++ var id = testData.id; ++ var expectedLabel = testData.expectedLabel; ++ var inputElem = $( "#" + id ); ++ var labelElem = inputElem.parent(); ++ ++ inputElem.checkboxradio( { icon: false } ); ++ ++ var labelWithoutInput = labelElem.clone(); ++ labelWithoutInput.find( "input" ).remove(); ++ ++ assert.strictEqual( ++ labelWithoutInput.html().trim(), ++ expectedLabel.trim(), ++ "Label correct [" + id + "]" ++ ); ++ } ); ++} ); ++ + } ); +--- a/tests/unit/checkboxradio/methods.js b/tests/unit/checkboxradio/methods.js +@@ -94,4 +94,42 @@ + assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" ); + } ); + ++QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ 
expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a la
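Review bot: the debdiff stops inside the tests/unit/checkboxradio/methods.js hunk (at `"emHi, I'm a la`), before any change to the widget source, so the fix itself cannot be reviewed from this post, only the tests. In the checkboxradio.html fixture and in both test arrays the expected labels appear as `emHi, I'm a label/em`, i.e. the `<em>` markup has lost its angle brackets in transit; since the html-like-text case is the whole point of the test (text that looks like markup must stay text after refresh), please confirm the file on disk still has them. The changelog update that adds `Closes: #1015982` next to the CVE answers Salvatore's remark correctly.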
Bug#1036980: unblock: jquery-minicolors/2.3.5+dfsg-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: jquery-minicol...@packages.debian.org Control: affects -1 + src:jquery-minicolors Please unblock package jquery-minicolors [ Reason ] jquery-minicolors is vulnerable to cross-site scripting (CVE-2021-32850) [ Impact ] Low security issue [ Tests ] No test here [ Risks ] Low risk, patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock jquery-minicolors/2.3.5+dfsg-4 diff --git a/debian/changelog b/debian/changelog index 1e959f0..dcf5b2f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +jquery-minicolors (2.3.5+dfsg-4) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.6.2 + * Fix cross-site scripting issue (Closes: CVE-2021-32850) + + -- Yadd Wed, 31 May 2023 16:44:37 +0400 + jquery-minicolors (2.3.5+dfsg-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/control b/debian/control index 3dcf29b..66693e1 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian JavaScript Maintainers Uploaders: Yadd Build-Depends: debhelper-compat (= 13), uglifyjs -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Homepage: https://github.com/jquery-minicolors Vcs-Git: https://salsa.debian.org/js-team/jquery-minicolors.git Vcs-Browser: https://salsa.debian.org/js-team/jquery-minicolors diff --git a/debian/patches/CVE-2021-32850.patch b/debian/patches/CVE-2021-32850.patch new file mode 100644 index 000..5e54e6d --- /dev/null +++ b/debian/patches/CVE-2021-32850.patch
@@ -0,0 +1,21 @@ +Description: fix XSS vuln +Author: Cory LaViska +Origin: upstream, https://github.com/claviska/jquery-minicolors/commit/ef134824 +Bug: https://securitylab.github.com/advisories/GHSL-2021-1045_jQuery_MiniColors_Plugin/ +Forwarded: not-needed +Applied-Upstream: 2.3.6, commit:ef134824 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/jquery.minicolors.js b/jquery.minicolors.js +@@ -226,7 +226,8 @@ + } + swatchString = swatch; + swatch = isRgb(swatch) ? parseRgb(swatch, true) : hex2rgb(parseHex(swatch, true)); +-$('') ++$('') ++ .attr("title", name) + .appendTo(swatches) + .data('swatch-color', swatchString) + .find('.minicolors-swatch-color') diff --git a/debian/patches/series b/debian/patches/series index 7ba3ddc..b5c3525 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 0001-Use-local-CSS-and-JavaScript-in-examples.patch +CVE-2021-32850.patch
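Review bot: the `-Standards-Version: 4.6.0` / `+Standards-Version: 4.6.2` change in debian/control is unrelated to the security fix; for an unblock during the freeze the release team asks for a minimal targeted diff, so either drop it or justify it explicitly in the request. The patch header has no `Bug-Debian:` and the changelog closes only the CVE; if a Debian bug tracks CVE-2021-32850 it should be closed too. The fix has the right shape: the swatch `name` moves out of the markup string into `.attr("title", name)`, so it is set as an attribute value rather than parsed as HTML (the element string itself is missing from the quoted hunk, so the exact before/after markup is not visible here).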
Bug#1036978: bookworm-pu: package node-undici/5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
Package: release.debian.org Severity: normal Tags: bookworm User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-und...@packages.debian.org Control: affects -1 + src:node-undici [ Reason ] node-undici is vulnerable to: * CVE-2023-23936: "Host" HTTP header isn't protected against CRLF injection * CVE-2023-24807: Regex Denial of Service on headers set/append [ Impact ] Medium security issues [ Tests ] Test updated, passed [ Risks ] Low risk, patches are trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just new little checks Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3a69b63..92c0de8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium + + * Fix security issues (Closes: #1031418): +- Protect "Host" HTTP header from CLRF injection (Closes: CVE-2023-23936) +- Fix potential ReDoS on Headers.set and Headers.append + (Closes: CVE-2023-24807) + * Increase httpbin.org test timeout + + -- Yadd Wed, 31 May 2023 15:52:45 +0400 + node-undici (5.15.0+dfsg1+~cs20.10.9.3-1) unstable; urgency=medium * Update standards version to 4.6.2, no changes needed. diff --git a/debian/patches/CVE-2023-23936.patch b/debian/patches/CVE-2023-23936.patch new file mode 100644 index 000..e6fbb0f --- /dev/null +++ b/debian/patches/CVE-2023-23936.patch
@@ -0,0 +1,62 @@ +Description: Protect "Host" HTTP header from CLRF injection +Author: Yadd +Origin: upstream, https://github.com/nodejs/undici/commit/a2eff054 +Bug: https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff +Bug-Debian: https://bugs.debian.org/1031418 +Forwarded: not-needed +Applied-Upstream: 5.19.1, commit:a2eff054 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/lib/core/request.js b/lib/core/request.js +@@ -299,6 +299,9 @@ + key.length === 4 && + key.toLowerCase() === 'host' + ) { ++if (headerCharRegex.exec(val) !== null) { ++ throw new InvalidArgumentError(`invalid ${key} header`) ++} + // Consumed by Client + request.host = val + } else if ( +--- /dev/null b/test/headers-crlf.js +@@ -0,0 +1,37 @@ ++'use strict' ++ ++const { test } = require('tap') ++const { Client } = require('..') ++const { createServer } = require('http') ++const EE = require('events') ++ ++test('CRLF Injection in Nodejs ‘undici’ via host', (t) => { ++ t.plan(1) ++ ++ const server = createServer(async (req, res) => { ++res.end() ++ }) ++ t.teardown(server.close.bind(server)) ++ ++ server.listen(0, async () => { ++const client = new Client(`http://localhost:${server.address().port}`) ++t.teardown(client.close.bind(client)) ++ ++const unsanitizedContentTypeInput = '12 \r\n\r\naaa:aaa' ++ ++try { ++ const { body } = await client.request({ ++path: '/', ++method: 'POST', ++headers: { ++ 'content-type': 'application/json', ++ 'host': unsanitizedContentTypeInput ++}, ++body: 'asd' ++ }) ++ await body.dump() ++} catch (err) { ++ t.same(err.code, 'UND_ERR_INVALID_ARG') ++} ++ }) ++}) diff --git a/debian/patches/CVE-2023-24807.patch b/debian/patches/CVE-2023-24807.patch new file mode 100644 index 000..986fb16 --- /dev/null +++ b/debian/patches/CVE-2023-24807.patch 
@@ -0,0 +1,46 @@ +Description: fix potential ReDoS on Headers.set and Headers.append +Author: Rich Trott +Origin: upstream, https://github.com/nodejs/undici/commit/f2324e54 +Bug: https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w +Bug-Debian: https://bugs.debian.org/1031418 +Forwarded: not-needed +Applied-Upstream: 5.19.1, commit:f2324e54 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/lib/fetch/headers.js b/lib/fetch/headers.js +@@ -23,10 +23,12 @@ + // To normalize a byte sequence potentialValue, remove + // any leading and trailing HTTP whitespace bytes from + // potentialValue. +- return potentialValue.replace( +-/^[\r\n\t ]+|[\r\n\t ]+$/g, +-'' +- ) ++ ++ // Trimming the end with `.replace()` and a RegExp is typically subject to ++ // ReDoS. This is safer and faster. ++ let i = potentialValue.length ++ while (/[\r\n\t ]/.test(potentialValue.charAt(--i))); ++ return potentialValue.slice(0, i + 1).replace(/^[\r\n\t ]+/, '') + } + + function fill (headers, object) { +--- a/test/fetch/headers.js b/test/fetch/headers.js +@@ -665,3 +665,14 @@ + + t.end() + }) ++ ++tap.test('headers that might cause a ReDoS', (t) => { ++ t.doesNotThrow(() => { ++// This test will time out if the ReDoS attack is successful. ++const headers = new Headers() ++const attack = 'a' + '\t'.repeat(500_
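Review bot: the debdiff is truncated inside the test/fetch/headers.js hunk (at `'\t'.repeat(500_`), so the ReDoS regression test cannot be checked to the end; please re-send it complete. In the CVE-2023-23936 hunk the `headerCharRegex.exec(val) !== null` check sits only in the `key.toLowerCase() === 'host'` branch, where the value is stored on `request.host` ("Consumed by Client" in the context lines) instead of going through the generic header path, so the check is placed at the one spot the generic validation does not cover; the new test relies on `t.plan(1)` to fail if the request unexpectedly succeeds, which is fine. For CVE-2023-24807 the backward scan `while (/[\r\n\t ]/.test(potentialValue.charAt(--i)));` handles the all-whitespace and empty-string cases (`charAt(-1)` is `''`, the test fails, `i` ends at -1 and `slice(0, 0)` is `''`), and the remaining `/^[\r\n\t ]+/` is anchored, so linear. Spelling: "CLRF" in the changelog and in the patch Description should read "CRLF".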
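Added example (the editor's, not undici's code) for the two undici patches above: a header-value scan in the shape of the Host check, and the linear-time trailing trim beside the `replace()` it replaced. undici's own `headerCharRegex` is not reproduced here; the character class below (HTAB, printable ASCII, 0x80-0xFF) is this example's assumption of what a wire-safe header value is. Function names and inputs are constructed; the CRLF string is the one from the patch's test.

```javascript
// Reject any character that could end or fold a header line on the wire:
// CR, LF, NUL and the other C0 controls, and DEL. (Assumption of this example;
// undici's headerCharRegex is not quoted in the patch.)
const BAD_HEADER_CHAR = /[^\t\x20-\x7e\x80-\xff]/;

function isValidHeaderValue(value) {
  return BAD_HEADER_CHAR.exec(String(value)) === null;
}

// Shape of the patched Host branch: validate before storing on the request.
function setHostHeader(request, value) {
  if (!isValidHeaderValue(value)) {
    throw new TypeError('invalid host header');
  }
  request.host = value;
  return request;
}

// Pre-patch normalisation. The `[...]+$` alternative is unanchored at its
// start, so on a long run of whitespace that is not at the very end the
// engine tries every start position inside the run and backtracks through
// every length: quadratic in the run length.
function normalizeWithRegex(value) {
  return value.replace(/^[\r\n\t ]+|[\r\n\t ]+$/g, '');
}

// Patched normalisation: one backward scan for trailing whitespace, then an
// anchored (linear) pattern for the leading run. charAt(-1) is '' so the loop
// also terminates on an all-whitespace or empty string.
function normalizeLinear(value) {
  let i = value.length;
  while (/[\r\n\t ]/.test(value.charAt(--i)));
  return value.slice(0, i + 1).replace(/^[\r\n\t ]+/, '');
}

function demonstrate() {
  // Constructed inputs; the first is the CRLF string from the patch's test.
  const crlf = '12 \r\n\r\naaa:aaa';
  let refused = false;
  try {
    setHostHeader({}, crlf);
  } catch (err) {
    refused = err instanceof TypeError;
  }

  const samples = ['  a b  ', '\t\r\n', '', 'x', '\t a \t', 'a' + ' '.repeat(100) + 'b  '];
  const agree = samples.every((s) => normalizeWithRegex(s) === normalizeLinear(s));

  // The ReDoS shape: a long internal whitespace run. Only the linear version
  // is run on it here; the regex version is deliberately left out.
  const long = 'a' + '\t'.repeat(100000) + 'b';
  return {
    refused,
    acceptsPlainHost: isValidHeaderValue('example.com:8080'),
    agree,
    longTrimmedIntact: normalizeLinear(long) === long,
  };
}
```

The two normalisers agree on every ordinary input; the difference is only in cost on adversarial ones, which is why a regression test for this class of bug is a timing test rather than a value test.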
Bug#1036977: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: jquer...@packages.debian.org Control: affects -1 + src:jqueryui [ Reason ] jqueryui is potentially vulnerable to cross-site scripting (CVE-2022-31160) [ Impact ] Low security issue [ Tests ] Sadly tests are minimal in this package. Anyway passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Don't accept label outside of the root element Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3a6a587..9b1e9cc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +jqueryui (1.12.1+dfsg-8+deb11u2) bullseye; urgency=medium + + * Team upload + * Checkboxradio: Don't re-evaluate text labels as HTML (Closes: CVE-2022-31160) + + -- Yadd Wed, 31 May 2023 15:08:55 +0400 + jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-31160.patch b/debian/patches/CVE-2022-31160.patch new file mode 100644 index 000..11d7baa --- /dev/null +++ b/debian/patches/CVE-2022-31160.patch 
@@ -0,0 +1,156 @@ +Description: Checkboxradio: Don't re-evaluate text labels as HTML +Author: Michał Gołębiowski-Owczarek +Origin: upstream, https://github.com/jquery/jquery-ui/commit/8cc5bae1 +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 +Forwarded: not-needed +Applied-Upstream: 1.13.2, commit:8cc5bae1 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/tests/unit/checkboxradio/checkboxradio.html b/tests/unit/checkboxradio/checkboxradio.html +@@ -64,6 +64,18 @@ + + + ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ Hi, I'm a label ++ ++ ++ ++ emHi, I'm a label/em ++ + + + +--- a/tests/unit/checkboxradio/core.js b/tests/unit/checkboxradio/core.js +@@ -135,4 +135,41 @@ + ); + } ); + ++QUnit.test( "Inheriting label from initial HTML", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a label/em" ++ } ++ ]; ++ ++ assert.expect( tests.length ); ++ ++ tests.forEach( function( testData ) { ++ var id = testData.id; ++ var expectedLabel = testData.expectedLabel; ++ var inputElem = $( "#" + id ); ++ var labelElem = inputElem.parent(); ++ ++ inputElem.checkboxradio( { icon: false } ); ++ ++ var labelWithoutInput = labelElem.clone(); ++ labelWithoutInput.find( "input" ).remove(); ++ ++ assert.strictEqual( ++ labelWithoutInput.html().trim(), ++ expectedLabel.trim(), ++ "Label correct [" + id + "]" ++ ); ++ } ); ++} ); ++ + } ); +--- a/tests/unit/checkboxradio/methods.js b/tests/unit/checkboxradio/methods.js +@@ -94,4 +94,42 @@ + assert.strictEqual( input.parent()[ 0 ], element[ 0 ], "Input preserved" ); + } ); + ++QUnit.test( "Initial text label not turned to HTML on refresh", function( assert ) { ++ var tests = [ ++ { ++ id: "label-with-no-for-with-html", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: 
"label-with-no-for-with-text", ++ expectedLabel: "Hi, I'm a label" ++ }, ++ { ++ id: "label-with-no-for-with-html-like-text", ++ expectedLabel: "emHi, I'm a label/em" ++ } ++ ]; ++ ++ assert.expect( tests.length ); ++ ++ tests.forEach( function( testData ) { ++ var id = testData.id; ++ var expectedLabel = testData.expectedLabel; ++ var inputElem = $( "#" + id ); ++ var labelElem = inputElem.parent(); ++ ++ inputElem.checkboxradio( { icon: false } ); ++ inputElem.checkboxradio( "refresh" ); ++ ++ var labelWithoutInput = labelElem.clone(); ++ labelWithoutInput.find( "input" ).remove(); ++ ++ assert.strictEqual( ++
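Review bot: the quoted patch is cut off before the change it describes: the header announces 156 added lines (`@@ -0,0 +1,156 @@`), yet the text ends mid-assertion in the `methods.js` test, and no hunk for the checkboxradio widget source (the code that stops re-evaluating text labels as HTML) is visible, so the fix itself cannot be reviewed from this mail. The fixture and expected strings also read `emHi, I'm a label/em`, which looks like `<em>` markup stripped by the list archive rather than what the test actually asserts; please re-send the debdiff as a plain-text attachment so the markup survives.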
Bug#1036976: bullseye-pu: package grunt/1.3.0-1+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: gr...@packages.debian.org Control: affects -1 + src:grunt [ Reason ] file.copy operations in GruntJS are vulnerable to a TOCTOU race condition leading to arbitrary file write in GitHub repository gruntjs/grunt prior to 1.5.3. This vulnerability is capable of arbitrary file writes which can lead to local privilege escalation to the GruntJS user if a lower-privileged user has write access to both source and destination directories as the lower-privileged user can create a symlink to the GruntJS user's .bashrc file or replace /etc/shadow file if the GruntJS user is root. [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] Low risk: patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Refuse to copy a file if destination is a symlink Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 23c3145..dcebea4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +grunt (1.3.0-1+deb11u2) bullseye; urgency=medium + + * Team upload + * Patch up race condition in symlink copying (Closes: CVE-2022-1537) + + -- Yadd Wed, 31 May 2023 14:59:30 +0400 + grunt (1.3.0-1+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-1537.patch b/debian/patches/CVE-2022-1537.patch new file mode 100644 index 000..19c750b --- /dev/null +++ b/debian/patches/CVE-2022-1537.patch 
@@ -0,0 +1,39 @@ +Description: Patch up race condition in symlink copying +Author: Vlad Filippov +Origin: upstream, https://github.com/gruntjs/grunt/commit/58016ffa +Bug: https://huntr.dev/bounties/0179c3e5-bc02-4fc9-8491-a1a319b51b4d/ +Forwarded: not-needed +Applied-Upstream: 1.5.3, commit:58016ffa +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/lib/grunt/file.js b/lib/grunt/file.js +@@ -333,8 +333,8 @@ + } + } + // Abort copy if the process function returns false. +- if (contents === false) { +-grunt.verbose.writeln('Write aborted.'); ++ if (contents === false || file.isLink(destpath)) { ++grunt.verbose.writeln('Write aborted. Either the process function returned false or the destination is a symlink'); + } else { + file.write(destpath, contents, readWriteOptions); + } +--- a/test/grunt/file_test.js b/test/grunt/file_test.js +@@ -916,5 +916,13 @@ + test.ok(fs.lstatSync(path.join(destdir.path, path.basename(fixtures))).isSymbolicLink()); + test.done(); + }, +- } ++ }, ++ 'symbolicLinkDestError': function(test) { ++test.expect(1); ++var tmpfile = new Tempdir(); ++fs.symlinkSync(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png'), 'file'); ++grunt.file.copy(path.resolve('test/fixtures/octocat.png'), path.join(tmpfile.path, 'octocat.png')); ++test.ok(fs.lstatSync(path.join(tmpfile.path, 'octocat.png')).isSymbolicLink()); ++test.done(); ++ }, + }; diff --git a/debian/patches/series b/debian/patches/series index 24fd9f9..6231471 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ add-root-variable.patch fix-for-coffescript.diff adapt-gruntfile.patch CVE-2022-0436.patch +CVE-2022-1537.patch
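Review bot: the new guard in `lib/grunt/file.js` is still check-then-act: `file.isLink(destpath)` is evaluated first and only afterwards does `file.write(destpath, contents, readWriteOptions)` open the path, so the window between the two calls that [ Reason ] describes is narrowed, not closed; opening the destination with a no-follow or exclusive-create flag would remove it. The added `symbolicLinkDestError` test also cannot tell fixed from unfixed behaviour: writing through a symlink leaves the link in place, so `fs.lstatSync(...).isSymbolicLink()` is true either way. Point the link at a different fixture and assert that the target's contents are unchanged (or check the "Write aborted" verbose output).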
Bug#1036975: bullseye-pu: package node-url-parse/1.5.3-1+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-url-pa...@packages.debian.org Control: affects -1 + src:node-url-parse [ Reason ] node-url-parse is vulnerable to authorization bypass through user-controlled key prior to version 1.5.6 [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] Low risk, the non-test part of the patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Update URL split to fix user and password values if any Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 842b4ff..c261d0e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-url-parse (1.5.3-1+deb11u2) bullseye; urgency=medium + + * Team upload + * Correctly handle userinfo containing the at sign (Closes: CVE-2022-0512) + + -- Yadd Wed, 31 May 2023 14:43:23 +0400 + node-url-parse (1.5.3-1+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0512.patch b/debian/patches/CVE-2022-0512.patch new file mode 100644 index 000..9b3caed --- /dev/null +++ b/debian/patches/CVE-2022-0512.patch
@@ -0,0 +1,135 @@ +Description: Correctly handle userinfo containing the at sign +Author: Luigi Pinca +Origin: upstream, https://github.com/unshiftio/url-parse/commit/9be7ee88 +Bug: https://huntr.dev/bounties/6d1bc51f-1876-4f5b-a2c2-734e09e8e05b +Forwarded: not-needed +Applied-Upstream: 1.5.6, commit:9be7ee88 +Reviewed-By: Yadd +Last-Update: 2023-05-31 + +--- a/index.js b/index.js +@@ -306,7 +306,11 @@ + if (parse !== parse) { + url[key] = address; + } else if ('string' === typeof parse) { +- if (~(index = address.indexOf(parse))) { ++ index = parse === '@' ++? address.lastIndexOf(parse) ++: address.indexOf(parse); ++ ++ if (~index) { + if ('number' === typeof instruction[2]) { + url[key] = address.slice(0, index); + address = address.slice(index + instruction[2]); +@@ -373,9 +377,19 @@ + // + url.username = url.password = ''; + if (url.auth) { +-instruction = url.auth.split(':'); +-url.username = instruction[0] || ''; +-url.password = instruction[1] || ''; ++index = url.auth.indexOf(':'); ++ ++if (~index) { ++ url.username = url.auth.slice(0, index); ++ url.username = encodeURIComponent(decodeURIComponent(url.username)); ++ ++ url.password = url.auth.slice(index + 1); ++ url.password = encodeURIComponent(decodeURIComponent(url.password)) ++} else { ++ url.username = encodeURIComponent(decodeURIComponent(url.auth)); ++} ++ ++url.auth = url.password ? 
url.username +':'+ url.password : url.username; + } + + url.origin = url.protocol !== 'file:' && isSpecial(url.protocol) && url.host +--- a/test/test.js b/test/test.js +@@ -712,6 +712,54 @@ + }); + }); + ++ it('handles @ in username', function () { ++ var url = 'http://user@@www.example.com/' ++, parsed = parse(url); ++ ++ assume(parsed.protocol).equals('http:'); ++ assume(parsed.auth).equals('user%40'); ++ assume(parsed.username).equals('user%40'); ++ assume(parsed.password).equals(''); ++ assume(parsed.hostname).equals('www.example.com'); ++ assume(parsed.pathname).equals('/'); ++ assume(parsed.href).equals('http://user...@www.example.com/'); ++ ++ url = 'http://user...@www.example.com/'; ++ parsed = parse(url); ++ ++ assume(parsed.protocol).equals('http:'); ++ assume(parsed.auth).equals('user%40'); ++ assume(parsed.username).equals('user%40'); ++ assume(parsed.password).equals(''); ++ assume(parsed.hostname).equals('www.example.com'); ++ assume(parsed.pathname).equals('/'); ++ assume(parsed.href).equals('http://user...@www.example.com/'); ++}); ++ ++it('handles @ in password', function () { ++ var url = 'http://user@:pas:s@@www.example.com/' ++, parsed = parse(url); ++ ++ assume(parsed.protocol).equals('http:'); ++ assume(parsed.auth).equals('user%40:pas%3As%40'); ++ assume(parsed.username).equals('user%40'); ++ assume(parsed.password).equals('pas%3As%40'); ++ assume(parsed.hostname).equals('www.example.com'); ++ assume(parsed.pathname).equals('/'); ++ assume(parsed.href).equals('http://user%40:pas%3as...@www.example.com/'); ++ ++ url = 'http://user%40:pas%3as...@www.example.com/' ++ parsed = parse(url); ++ ++ assume(parsed.protocol).equals('http:'); ++ assume(parsed.auth).equals('user%40:pas%3As%40'); ++ assume(parsed.username).equals('user%40'); ++ assume(parsed.password).equals('pas%3As%40'); ++ assume(parsed.hostname).equals('www.example.com')
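Review bot: the second `index.js` hunk calls `decodeURIComponent` on raw userinfo (`encodeURIComponent(decodeURIComponent(url.username))`, and likewise for `url.password` and `url.auth`) with no try/catch; `decodeURIComponent` throws `URIError` on a malformed percent sequence, so a URL whose userinfo contains a stray `%` now makes `parse()` throw where 1.5.3 returned a result. Catch `URIError` and fall back to the raw value. Minor: the `url.password = encodeURIComponent(...)` line is missing its semicolon. Separately, the expected hrefs in the test hunk (`'http://user...@www.example.com/'`, `'http://user%40:pas%3as...@www.example.com/'`) carry the same `...@` masking the archive applied to the Cc address, and the hunk is cut off after `assume(parsed.hostname)`, so the test expectations cannot be checked from this mail.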
Bug#1036944: unblock: node-babel7/7.20.15+ds1+~cs214.269.168-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-bab...@packages.debian.org Control: affects -1 + src:node-babel7 Please unblock package node-babel7 [ Reason ] Upgrades from Buster to Bookworm via Bullseye are broken due to a missing Breaks/Replaces [ Impact ] Upgrades may fail [ Tests ] No changes [ Risks ] No risk, node-babel-code-frame < 7 has been removed before Bullseye [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-babel7/7.20.15+ds1+~cs214.269.168-3 diff --git a/debian/changelog b/debian/changelog index d445ccc55..f0ff6d95f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-babel7 (7.20.15+ds1+~cs214.269.168-3) unstable; urgency=medium + + * Team upload + * Add Breaks+Replaces against node-babel-code-frame << 7 +(Closes: #1036942) + + -- Yadd Tue, 30 May 2023 12:24:08 +0400 + node-babel7 (7.20.15+ds1+~cs214.269.168-2) unstable; urgency=medium * Update minimum version of node-regexpu-core to 5.2.1~. diff --git a/debian/control b/debian/control index ff31d4894..e5dba9547 100644 --- a/debian/control +++ b/debian/control @@ -120,6 +120,8 @@ Depends: ${misc:Depends} Suggests: node-babel-plugin-polyfill-es-shims , node-babel7-debug Breaks: node-babel-core (<< 6.26.0+repack-3~) + , node-babel-code-frame (<< 7) +Replaces: node-babel-code-frame (<< 7) Provides: ${nodeBabel7:Provides} , babeljs (= ${binary:Version}) X-Javascript-Built-Using: ${nodejs:BuiltUsing}
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 5/28/23 10:29, Graham Inggs wrote: tags -1 + moreinfo Hi Yadd On Wed, 3 May 2023 at 04:51, Yadd wrote: here is the current debdiff (without the big removal of useless discoveryjs-json-ext/benchmarks) I removed the moreinfo tag before realizing this is exactly the same as the first debdiff. You seem to have missed this comment: On Wed, 15 Mar 2023 at 22:15, Paul Gevers wrote: This doesn't look like a targeted fix, but rather seems to include much more. How about reverting and providing a fix only for that CVE please? Hi, instead of reverting and having a too long version (5.76.1+dfsg1+~cs17.16.16+really-5.75.0+dfsg+~cs17.16.14-1), if upload to bookworm is allowed, I'm able to push this debdiff. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 0053d7ee..a07dd9d4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-webpack (5.75.0+dfsg+~cs17.16.14-1+deb12u1) bookworm; urgency=medium + + * Team upload + * Avoid cross-realm objects (Closes: #1032904, CVE-2023-28154) + + -- Yadd Mon, 29 May 2023 07:53:16 +0400 + node-webpack (5.75.0+dfsg+~cs17.16.14-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch new file mode 100644 index ..2f651167 --- /dev/null +++ b/debian/patches/CVE-2023-28154.patch
@@ -0,0 +1,80 @@ +Description: avoid cross-realm objects +Author: Jack Works +Origin: upstream, https://github.com/webpack/webpack/commit/4b4ca3bb +Bug: https://www.cve.org/CVERecord?id=CVE-2023-28154 +Bug-Debian: https://bugs.debian.org/1032904 +Forwarded: not-needed +Applied-Upstream: 5.76.1, commit:4b4ca3bb +Reviewed-By: Yadd +Last-Update: 2023-05-29 + +--- a/lib/dependencies/ImportParserPlugin.js b/lib/dependencies/ImportParserPlugin.js +@@ -137,7 +137,7 @@ + if (importOptions.webpackInclude !== undefined) { + if ( + !importOptions.webpackInclude || +- importOptions.webpackInclude.constructor.name !== "RegExp" ++ !(importOptions.webpackInclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -146,13 +146,13 @@ + ) + ); + } else { +- include = new RegExp(importOptions.webpackInclude); ++ include = importOptions.webpackInclude; + } + } + if (importOptions.webpackExclude !== undefined) { + if ( + !importOptions.webpackExclude || +- importOptions.webpackExclude.constructor.name !== "RegExp" ++ !(importOptions.webpackExclude instanceof RegExp) + ) { + parser.state.module.addWarning( + new UnsupportedFeatureWarning( +@@ -161,7 +161,7 @@ + ) + ); + } else { +- exclude = new RegExp(importOptions.webpackExclude); ++ exclude = importOptions.webpackExclude; + } + } + if (importOptions.webpackExports !== undefined) { +--- a/lib/javascript/JavascriptParser.js b/lib/javascript/JavascriptParser.js +@@ -3635,17 +3635,27 @@ + return EMPTY_COMMENT_OPTIONS; + } + let options = {}; ++ /** @type {unknown[]} */ + let errors = []; + for (const comment of comments) { + const { value } = comment; + if (value && webpackCommentRegExp.test(value)) { + // try compile only if webpack options comment is present + try { +- const val = vm.runInNewContext(`(function(){return {${value}};})()`); +- Object.assign(options, val); ++ for (let [key, val] of Object.entries( ++ v
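Review bot: `instanceof RegExp` in the `ImportParserPlugin.js` hunks is only correct if `webpackInclude`/`webpackExclude` now come from the parser's own realm: the `constructor.name` check it replaces was there because the options are produced by `vm.runInNewContext`, whose `RegExp` objects are not `instanceof` the outer realm's `RegExp`. The `JavascriptParser.js` hunk that replaces `Object.assign(options, val)` with a per-entry loop is cut off at `for (let [key, val] of Object.entries(`, so it is not visible whether each value is re-created in the outer realm before the `instanceof` checks run; please re-send the complete hunk, since that is where the cross-realm fix actually lives.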
Bug#1036660: unblock: node-socket.io-parser/4.2.1+~3.1.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-socket.io-par...@packages.debian.org Control: affects -1 + src:node-socket.io-parser Please unblock package node-socket.io-parser [ Reason ] node-socket.io-parser is vulnerable to CVE-2023-32695: a malformed packet can trigger an uncaught exception on the Socket.IO server, thus killing the Node.js process. [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] No risk: * patch is trivial * the patch is a revert, version 4.0.2 (Bullseye) isn't vulnerable even if included in the report (see https://github.com/socketio/socket.io/discussions/4721) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-socket.io-parser/4.2.1+~3.1.0-2
Bug#1036605: New debdiff
Control: retitle -1 unblock: node-is-docker/3.0.0-6 Hi, a dependency on nodejs:any was missing, here is a new debdiff Cheers, Yadd unblock node-is-docker/3.0.0-6 diff --git a/debian/changelog b/debian/changelog index 5270a2c..0f4d72d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +node-is-docker (3.0.0-6) unstable; urgency=medium + + * Team upload + * Add dependency to nodejs:any + + -- Yadd Tue, 23 May 2023 12:38:31 +0400 + +node-is-docker (3.0.0-5) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.6.2 + * Fix /usr/bin/is-docker link (Closes: #1036579) + + -- Yadd Tue, 23 May 2023 12:15:54 +0400 + node-is-docker (3.0.0-4) unstable; urgency=medium * team upload diff --git a/debian/control b/debian/control index e6a687b..4511ede 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Build-Depends: debhelper-compat (= 13) , dh-sequence-nodejs (>= 0.14.12~) , rollup -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Homepage: https://github.com/sindresorhus/is-docker#readme Vcs-Git: https://salsa.debian.org/js-team/node-is-docker.git Vcs-Browser: https://salsa.debian.org/js-team/node-is-docker @@ -17,6 +17,7 @@ Rules-Requires-Root: no Package: node-is-docker Architecture: all Depends: ${misc:Depends} + , nodejs:any Multi-Arch: foreign Description: Check if the process is running inside a Docker container Node.js is an event-based server-side JavaScript engine. diff --git a/debian/links b/debian/links deleted file mode 100644 index b9973ef..000 --- a/debian/links +++ /dev/null @@ -1 +0,0 @@ -usr/lib/nodejs/is-docker/cli.js usr/bin/is-docker diff --git a/debian/nodejs/links b/debian/nodejs/links new file mode 100644 index 000..6016422 --- /dev/null +++ b/debian/nodejs/links @@ -0,0 +1 @@ +is-docker/cli.js /usr/bin/is-docker diff --git a/debian/rules b/debian/rules index b6e6027..ee9210e 100755 --- a/debian/rules +++ b/debian/rules
@@ -10,3 +10,7 @@ override_dh_auto_build: mjs2cjs index.js perl -i -pe 's/node://' index.cjs + +override_dh_fixperms: + dh_fixperms + chmod +x debian/node-is-docker/usr/share/nodejs/is-docker/cli.js
Bug#1036615: [Pkg-javascript-devel] Bug#1036615: unblock: node-isomorphic-fetch/3.0.0-3
On 5/23/23 13:25, Yadd wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-isomorphic-fe...@packages.debian.org Control: affects -1 + src:node-isomorphic-fetch Please unblock package node-isomorphic-fetch [ Reason ] The useless link for browser module pointed to a libjs-fetch file instead of the new node-whatwg-fetch dependency [ Impact ] Only developers that require the "browser" file of this library had to install libjs-fetch. [ Tests ] No changes [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-isomorphic-fetch/3.0.0-3 Here is the debdiff diff --git a/debian/changelog b/debian/changelog index 01aba01..853ab23 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +node-isomorphic-fetch (3.0.0-3) unstable; urgency=medium + + * Team upload + + [ Debian Janitor ] + * Apply multi-arch hints. + node-isomorphic-fetch: Add Multi-Arch: foreign. + + [ Yadd ] + * Declare compliance with policy 4.6.2 + * Update fetch-npm-browserify.js link (Closes: #1036610) + + -- Yadd Tue, 23 May 2023 13:18:55 +0400 + node-isomorphic-fetch (3.0.0-2) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index fa593ca..f2fa299 100644 --- a/debian/control +++ b/debian/control @@ -6,7 +6,7 @@ Uploaders: Pirate Praveen Build-Depends: debhelper-compat (= 13) , dh-sequence-nodejs , node-fetch -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-isomorphic-fetch Vcs-Git: https://salsa.debian.org/js-team/node-isomorphic-fetch.git Homepage: https://github.com/matthew-andrews/isomorphic-fetch/issues
@@ -18,6 +18,7 @@ Architecture: all Depends: ${misc:Depends} , node-fetch , node-whatwg-fetch +Multi-Arch: foreign Description: Isomorphic WHATWG Fetch API, for Node & Browserify This adds fetch as a global so that its API is consistent between client and server. diff --git a/debian/links b/debian/links deleted file mode 100644 index 9ff3232..000 --- a/debian/links +++ /dev/null @@ -1 +0,0 @@ -usr/share/javascript/fetch/fetch.js usr/share/nodejs/isomorphic-fetch/fetch-npm-browserify.js diff --git a/debian/nodejs/links b/debian/nodejs/links new file mode 100644 index 000..f822404 --- /dev/null +++ b/debian/nodejs/links @@ -0,0 +1 @@ +whatwg-fetch/dist/fetch.umd.js isomorphic-fetch/fetch-npm-browserify.js
Bug#1036615: unblock: node-isomorphic-fetch/3.0.0-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-isomorphic-fe...@packages.debian.org Control: affects -1 + src:node-isomorphic-fetch Please unblock package node-isomorphic-fetch [ Reason ] The useless link for browser module pointed to a libjs-fetch file instead of the new node-whatwg-fetch dependency [ Impact ] Only developers that require the "browser" file of this library had to install libjs-fetch. [ Tests ] No changes [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-isomorphic-fetch/3.0.0-3
Bug#1036613: unblock: node-jschardet/3.0.0+dfsg+~1.4.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-jschar...@packages.debian.org Control: affects -1 + src:node-jschardet Please unblock package node-jschardet [ Reason ] node-js-chardet had a useless link to node-buffer [ Impact ] Just a dangling link [ Tests ] No change [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-jschardet/3.0.0+dfsg+~1.4.0-2 diff --git a/debian/changelog b/debian/changelog index 6cc65b3..e38faf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-jschardet (3.0.0+dfsg+~1.4.0-2) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.6.2 + * Drop useless symlink to buffer (Closes: #1036609) + + -- Yadd Tue, 23 May 2023 13:03:58 +0400 + node-jschardet (3.0.0+dfsg+~1.4.0-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 8e3fed7..a778394 100644 --- a/debian/control +++ b/debian/control @@ -13,7 +13,7 @@ Build-Depends: debhelper-compat (= 13) , node-typescript , terser , webpack (>= 5.0~) -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-jschardet Vcs-Git: https://salsa.debian.org/js-team/node-jschardet.git Homepage: https://github.com/aadsm/jschardet#readme diff --git a/debian/rules b/debian/rules index 8ad0ced..e58679b 100755 --- a/debian/rules +++ b/debian/rules @@ -15,7 +15,6 @@ override_dh_auto_build: cp chardet/package.json debian/ perl -i -pe 's/0.0.0-development/$(CHARDET_VERSION)/' chardet/package.json dh_auto_build --buildsystem=nodejs - ln -s /usr/share/nodejs/buffer . webpack --config debian/webpack.config.js --output-library=jschardet \ --entry index.js --output-path ./dist --output-filename jschardet.js terser dist/jschardet.js -o dist/jschardet.min.js
Bug#1036605: unblock: node-is-docker/3.0.0-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-is-doc...@packages.debian.org Control: affects -1 + src:node-is-docker Please unblock package node-is-docker [ Reason ] The /usr/bin/is-docker link was broken [ Impact ] Library unusable in command-line [ Tests ] No changes [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-is-docker/3.0.0-5 diff --git a/debian/changelog b/debian/changelog index 5270a2c..4d93442 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-is-docker (3.0.0-5) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.6.2 + * Fix /usr/bin/is-docker link (Closes: #1036579) + + -- Yadd Tue, 23 May 2023 12:15:54 +0400 + node-is-docker (3.0.0-4) unstable; urgency=medium * team upload diff --git a/debian/control b/debian/control index e6a687b..7c4821f 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Build-Depends: debhelper-compat (= 13) , dh-sequence-nodejs (>= 0.14.12~) , rollup -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Homepage: https://github.com/sindresorhus/is-docker#readme Vcs-Git: https://salsa.debian.org/js-team/node-is-docker.git Vcs-Browser: https://salsa.debian.org/js-team/node-is-docker diff --git a/debian/links b/debian/links deleted file mode 100644 index b9973ef..000 --- a/debian/links +++ /dev/null @@ -1 +0,0 @@ -usr/lib/nodejs/is-docker/cli.js usr/bin/is-docker diff --git a/debian/nodejs/links b/debian/nodejs/links new file mode 100644 index 000..6016422 --- /dev/null +++ b/debian/nodejs/links @@ -0,0 +1 @@ +is-docker/cli.js /usr/bin/is-docker diff --git a/debian/rules b/debian/rules index b6e6027..ee9210e 100755 --- a/debian/rules +++ b/debian/rules 
@@ -10,3 +10,7 @@ override_dh_auto_build: mjs2cjs index.js perl -i -pe 's/node://' index.cjs + +override_dh_fixperms: + dh_fixperms + chmod +x debian/node-is-docker/usr/share/nodejs/is-docker/cli.js
Bug#1036604: unblock: node-shelljs/0.8.5+~cs0.8.10-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-shel...@packages.debian.org Control: affects -1 + src:node-shelljs Please unblock package node-shelljs [ Reason ] The /usr/bin/shjs link was broken [ Impact ] Library unusable in command line [ Tests ] No changes [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-shelljs/0.8.5+~cs0.8.10-2 diff --git a/debian/changelog b/debian/changelog index 1a94a3e..c688687 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-shelljs (0.8.5+~cs0.8.10-2) unstable; urgency=medium + + * Team upload + * Fix /usr/bin/shjs link (Closes: #1036582) + + -- Yadd Tue, 23 May 2023 06:39:48 +0400 + node-shelljs (0.8.5+~cs0.8.10-1) unstable; urgency=medium * Team upload diff --git a/debian/links b/debian/links deleted file mode 100644 index ba4d0f7..000 --- a/debian/links +++ /dev/null @@ -1 +0,0 @@ -usr/lib/nodejs/shelljs/bin/shjs usr/bin/shjs diff --git a/debian/nodejs/links b/debian/nodejs/links new file mode 100644 index 000..971d6b0 --- /dev/null +++ b/debian/nodejs/links @@ -0,0 +1 @@ +shelljs/bin/shjs /usr/bin/shjs
Bug#1036017: unblock: lemonldap-ng/2.16.1+ds-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: lemonldap...@packages.debian.org Control: affects -1 + src:lemonldap-ng Please unblock package lemonldap-ng [ Reason ] The change introduced in version 2.16.1 breaks the "viewer" (a secondary component of lemonldap-ng which permits giving a read-only view of the configuration). Also there is a little security issue in OpenID-Connect due to an incorrect regexp. [ Impact ] - Regression in viewer - Little security issue [ Risks ] No risk here: * the fix-OP-acr-parsing.patch is trivial * the fix-viewer-endpoint.patch is just a partial revert [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock lemonldap-ng/2.16.1+ds-2 diff --git a/debian/changelog b/debian/changelog index 5799391bf..8de0d083f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.16.1+ds-2) unstable; urgency=medium + + * Fix incorrect parsing of OP-provided acr + * Fix regression introduced in 2.16.1 that render viewer unusable + + -- Yadd Fri, 12 May 2023 21:10:49 +0400 + lemonldap-ng (2.16.1+ds-1) unstable; urgency=medium * Update debian/clean: clean sphynx lock diff --git a/debian/patches/fix-OP-acr-parsing.patch b/debian/patches/fix-OP-acr-parsing.patch new file mode 100644 index 0..92ba116f4 --- /dev/null +++ b/debian/patches/fix-OP-acr-parsing.patch
@@ -0,0 +1,41 @@ +Description: fix incorrect parsing of OP-provided acr + Bug description: + . + * Configure Auth::OIDC with an OP that always returns acr: 1 in the ID token + * Set oidcOPMetaDataOptionsAcrValues to loa-1 + ACR value 1 is accepted despite not being part of the list ['loa-1'] + . + The problem is in this regexp: + . + unless ( $acr_values =~ /\b$acr\b/i ) { + . + because \b matches too many things (in the example: it matches -) +Author: Maxime Besson +Origin: upstream, commit: 3691978f +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2875 +Forwarded: not-needed +Applied-Upstream: 2.16.2, commit: 3691978f +Reviewed-By: Yadd +Last-Update: 2023-05-09 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm +@@ -803,7 +803,7 @@ + $self->logger->error("ACR was not returned by OP $op"); + return 0; + } +-unless ( $acr_values =~ /\b$acr\b/i ) { ++unless ( grep { $_ eq $acr } split( /[\s,]+/, $acr_values ) ) { + $self->logger->error( + "ACR $acr not listed in request ACR values ($acr_values)"); + return 0; +--- a/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t b/lemonldap-ng-portal/t/32-Auth-and-issuer-OIDC-authorization_code.t +@@ -492,6 +492,7 @@ + oidcOPMetaDataOptionsCheckJWTSignature => 1, + oidcOPMetaDataOptionsJWKSTimeout => 0, + oidcOPMetaDataOptionsClientSecret => "rpsecret", ++oidcOPMetaDataOptionsAcrValues => "loa-32 customacr-1", + oidcOPMetaDataOptionsScope => "openid profile email", + oidcOPMetaDataOptionsStoreIDToken => 0, + oidcOPMetaDataOptionsMaxAge => 30, diff --git a/debian/patches/fix-viewer-endpoint.patch b/debian/patches/fix-viewer-endpoint.patch new file mode 100644 index 0..9aaf6c59f --- /dev/null +++ b/debian/patches/fix-viewer-endpoint.patch 
@@ -0,0 +1,46 @@ +Description: fix viewer endpoint + Regression introduced in 2.16.1 +Author: Maxime Besson +Origin: upstream, commit:c330347f +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2909 +Forwarded: not-needed +Applied-Upstream: 2.16.2, commit:c330347f +Reviewed-By: Yadd +Last-Update: 2023-05-09 + +--- a/doc/sources/admin/viewer.rst b/doc/sources/admin/viewer.rst +@@ -39,11 +39,11 @@ + In Manager: \* Declare a Virtual Host : manager.example.com \* Set an + access rule for each enabled module : + +-#. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs|$) = $uid ++#. Configuration : ^/(.*?\.(fcgi|psgi)/)?(manager\.html|confs) = $uid +eq 'dwho' + #. Notifications : ^/(.*?\.(fcgi|psgi)/)?notifications = $uid eq 'dwho' + #. Sessions : ^/(.*?\.(fcgi|psgi)/)?sessions = $uid eq 'dwho' +-#. Viewer : ^/(.*?\.(fcgi|psgi)/)?viewer = $uid =~ /\b(?:dwho|rtyler)\b/ ++#. Viewer : ^/(.*?\.(fcgi|psgi)/)?view = $uid =~ /\b(?:dwho|rtyler)\b/ + #. Default : $uid =~ /\b(?:dwho|rtyler)\b/ + + +--- a/lemonldap-ng-manager/site/coffee/viewer.coffee b/lemonldap-ng-manager/site/coffee/viewer.coffee +@@ -260,7 +260,7 @@ +
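Review bot: the `OpenIDConnect.pm` hunk in `fix-OP-acr-parsing.patch` fixes two problems and the description names only one: besides `\b` matching `-` (so `1` matched inside `loa-1`), the old `/\b$acr\b/i` interpolated the OP-supplied `$acr` unescaped into a regex, which `grep { $_ eq $acr } split( /[\s,]+/, $acr_values )` also removes; worth stating. Two behaviour changes to confirm as intended: the comparison is now case-sensitive (`eq` versus `/i`), and the configured list is split on whitespace or commas, so a value containing a space no longer matches. The test hunk only sets `oidcOPMetaDataOptionsAcrValues => "loa-32 customacr-1"`; no visible assertion exercises the reported case (OP returns `1`, configured `loa-1`), so add a negative test for it.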
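Review bot: the `viewer.rst` hunk in `fix-viewer-endpoint.patch` changes the documented access policy, not only the endpoint name: dropping `|$` from the Configuration rule means the manager root `/` no longer requires `$uid eq 'dwho'` and falls through to the Default rule (`$uid =~ /\b(?:dwho|rtyler)\b/`), so rtyler now reaches it; confirm this is intended and say so in the description. Note also that these example rules rely on the same `\b` idiom that the sibling `fix-OP-acr-parsing.patch` replaces because `\b` matches `-`, so `/\b(?:dwho|rtyler)\b/` matches any uid in which `dwho` or `rtyler` is delimited by a non-word character; `$uid eq 'dwho' or $uid eq 'rtyler'` is the safer example for admin documentation. The `viewer.coffee` hunk is cut off right after its `@@ -260,7 +260,7 @@` header, so the code change is not reviewable from this mail.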
Bug#1035625: unblock: node-yaml/2.1.3-2
On 5/11/23 11:38, Paul Gevers wrote: Hi Yadd, On 06-05-2023 22:22, Yadd wrote: unblock node-yaml/2.1.3-2 done, but --- node-yaml-2.1.3/debian/tests/control 1970-01-01 00:00:00.0 + +++ node-yaml-2.1.3/debian/tests/control 2023-05-06 05:56:19.0 + @@ -0,0 +1,2 @@ +Tests: CVE-2023-2251 +Depends: @, nodejs Can you please mark that test as superficial in the future? This doesn't qualify as non-trivial autopkgtest (see [1]). Paul Oops, sorry. Fixed now: https://salsa.debian.org/js-team/node-yaml/-/commit/f30df34 Regards, Yadd
Bug#1035916: [Pkg-javascript-devel] Bug#1035916: unblock: node-source-map/0.7.0++dfsg2+really.0.6.1-15
Sorry, little error. Here is the new debdiff for node-source-map/0.7.0++dfsg2+really.0.6.1-15 Cheers, Yadd On 5/11/23 10:57, Yadd wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-source-...@packages.debian.org Control: affects -1 + src:node-source-map Please unblock package node-source-map [ Reason ] There was an error in maintscript, then updates from Bullseye dropped the copyright. [ Impact ] Missing copyright [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-source-map/0.7.0++dfsg2+really.0.6.1-14 diff --git a/debian/changelog b/debian/changelog index 524ef9d..9c5c926 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +node-source-map (0.7.0++dfsg2+really.0.6.1-15) unstable; urgency=medium + + * Team upload + * Restore override_dh_installdocs (#1035805) + + -- Yadd Thu, 11 May 2023 11:03:13 +0400 + +node-source-map (0.7.0++dfsg2+really.0.6.1-14) unstable; urgency=medium + + * Team upload + * Fix maintscript (Closes: #1035805). Thanks to Andreas Beckmann. + + -- Yadd Thu, 11 May 2023 06:30:12 +0400 + node-source-map (0.7.0++dfsg2+really.0.6.1-13) unstable; urgency=medium * Team upload diff --git a/debian/node-source-map.maintscript b/debian/node-source-map.maintscript index 45938e9..dcfb513 100644 --- a/debian/node-source-map.maintscript +++ b/debian/node-source-map.maintscript @@ -1 +1 @@ -dir_to_symlink /usr/share/doc/node-source-map ../libjs-source-map 0.7.0++dfsg2+really.0.6.1-9~ +dir_to_symlink /usr/share/doc/node-source-map libjs-source-map 0.7.0++dfsg2+really.0.6.1-9~
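Review bot: the -15 debdiff is taken against the same base as the -14 one (both start from `index 524ef9d`), so the `debian/rules` change announced by the changelog entry "Restore override_dh_installdocs (#1035805)" is absent by construction: the -14 removal and the -15 restoration cancel out in a cumulative diff. That is fine for an unblock, but state it in the mail, because otherwise the changelog entry appears to have no matching hunk. The maintscript line itself is now correct: a symlink target is resolved relative to the link's parent directory, so `../libjs-source-map` pointed at `/usr/share/libjs-source-map`, whereas `libjs-source-map` resolves to `/usr/share/doc/libjs-source-map`.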
Bug#1035916: unblock: node-source-map/0.7.0++dfsg2+really.0.6.1-14
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-source-...@packages.debian.org Control: affects -1 + src:node-source-map Please unblock package node-source-map [ Reason ] There was an error in maintscript, then updates from Bullseye dropped the copyright. [ Impact ] Missing copyright [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-source-map/0.7.0++dfsg2+really.0.6.1-14 diff --git a/debian/changelog b/debian/changelog index 524ef9d..0de8d6b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-source-map (0.7.0++dfsg2+really.0.6.1-14) unstable; urgency=medium + + * Team upload + * Fix maintscript (Closes: #1035805). Thanks to Andreas Beckmann. + + -- Yadd Thu, 11 May 2023 06:30:12 +0400 + node-source-map (0.7.0++dfsg2+really.0.6.1-13) unstable; urgency=medium * Team upload diff --git a/debian/node-source-map.maintscript b/debian/node-source-map.maintscript index 45938e9..dcfb513 100644 --- a/debian/node-source-map.maintscript +++ b/debian/node-source-map.maintscript @@ -1 +1 @@ -dir_to_symlink /usr/share/doc/node-source-map ../libjs-source-map 0.7.0++dfsg2+really.0.6.1-9~ +dir_to_symlink /usr/share/doc/node-source-map libjs-source-map 0.7.0++dfsg2+really.0.6.1-9~ diff --git a/debian/rules b/debian/rules index 55b4534..540fff9 100755 --- a/debian/rules +++ b/debian/rules @@ -15,6 +15,3 @@ override_dh_auto_build: override_dh_auto_clean: rm -rf dist node_modules/.cache - -override_dh_installdocs: - dh_installdocs --link-doc=libjs-source-map
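Review bot: the debian/rules hunk drops `override_dh_installdocs: dh_installdocs --link-doc=libjs-source-map` while the maintscript hunk keeps the `dir_to_symlink /usr/share/doc/node-source-map libjs-source-map` conversion. Without `--link-doc` the binary package ships a real `/usr/share/doc/node-source-map` directory again, so the maintscript converts to a symlink a path that dpkg is about to unpack files into; the two hunks pull in opposite directions, and the -15 follow-up that restores the override confirms it. Either keep the override together with the corrected maintscript target, or drop both.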
Bug#1035625: unblock: node-yaml/2.1.3-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-y...@packages.debian.org Control: affects -1 + src:node-yaml Please unblock package node-yaml [ Reason ] node-yaml is vulnerable to Denial-of-Service (#1035580, CVE-2023-2251) [ Impact ] Medium security issue [ Tests ] New tests added: - by upstream in the CVE-2023-2251.patch file - by myself in autopkgtest using code provided to prove the issue You can verify using https://salsa.debian.org/js-team/node-yaml/-/pipelines that the CVE is fixed by this patch. [ Risks ] Low risk, patch is trivial (just fix line characters count) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Others ] This debdiff includes also: * little things from lintian-brush * a little test paths fix because test failed on platforms where the "debian" word was in the build root path (especially salsa) Cheers, Yadd unblock node-yaml/2.1.3-2 diff --git a/debian/changelog b/debian/changelog index 3265e73..5d44f16 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +node-yaml (2.1.3-2) unstable; urgency=medium + + * Team upload + * Update lintian override info format in +d/source/lintian-overrides on line 2-7 + * Update standards version to 4.6.2, no changes needed + * Fix corner case failure in error pretty-printer +(Closes: #1035580, CVE-2023-2251) + + -- Yadd Sun, 07 May 2023 00:10:19 +0400 + node-yaml (2.1.3-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 0a7fe7e..e221de8 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Build-Depends: , node-tslib , node-typescript , rollup -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Homepage: https://eemeli.org/yaml/ Vcs-Git: https://salsa.debian.org/js-team/node-yaml.git Vcs-Browser: https://salsa.debian.org/js-team/node-yaml 
diff --git a/debian/patches/CVE-2023-2251.patch b/debian/patches/CVE-2023-2251.patch new file mode 100644 index 000..0d8b1d4 --- /dev/null +++ b/debian/patches/CVE-2023-2251.patch @@ -0,0 +1,36 @@ +Description: fix: Corner case failure in error pretty-printer +Author: Eemeli Aro +Origin: upstream, https://github.com/eemeli/yaml/commit/984f5781 +Bug: https://github.com/advisories/GHSA-f9xv-q969-pqx4 +Bug-Debian: https://bugs.debian.org/1035580 +Forwarded: not-needed +Applied-Upstream: 2.2.2, commit:984f5781 +Reviewed-By: Yadd +Last-Update: 2023-05-06 + +--- a/src/errors.ts b/src/errors.ts +@@ -91,7 +91,7 @@ + let count = 1 + const end = error.linePos[1] + if (end && end.line === line && end.col > col) { +-count = Math.min(end.col - col, 80 - ci) ++count = Math.max(1, Math.min(end.col - col, 80 - ci)) + } + const pointer = ' '.repeat(ci) + '^'.repeat(count) + error.message += `:\n\n${lineStr}\n${pointer}\n` +--- a/tests/doc/errors.js b/tests/doc/errors.js +@@ -341,6 +341,12 @@ + const doc = YAML.parseDocument(src, { prettyErrors: true }) + expect(doc.warnings).toMatchObject([{ name: 'YAMLWarning' }]) + }) ++ ++ test('repeated CR', () => { ++const src = '[' + '\r'.repeat(80) ++const doc = YAML.parseDocument(src, { prettyErrors: true }) ++expect(doc.errors[0]).not.toHaveProperty('source') ++ }) + }) + + describe('tags on invalid nodes', () => { diff --git a/debian/patches/series b/debian/patches/series index 053c2da..e2d7781 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ fix-test.patch fix-for-rollup-3.patch +CVE-2023-2251.patch diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 7c118d4..b78412d 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides 
@@ -1,10 +1,10 @@ # False positive: test data -source-is-missing *tests/doc/YAML-1.2.spec.js* -source-is-missing *tests/doc/foldFlowLines.js* -source-contains-prebuilt-javascript-object *tests/doc/YAML-1.2.spec.js* -source-contains-prebuilt-javascript-object *tests/doc/foldFlowLines.js* -source-is-missing *debian/tests/test_modules/* -source-contains-prebuilt-javascript-object *debian/tests/test_modules/* +source-is-missing [*tests/doc/YAML-1.2.spec.js*] +source-is-missing [*tests/doc/foldFlowLines.js*] +source-contains-prebuilt-javascript-object [*tests/doc/YAML-1.2.spec.js*] +source-contains-prebuilt-javascript-object [*tests/doc/foldFlowLines.js*] +source-is-missing [*debian/tests/test_modules/*] +source-contains-prebuilt-javascript-object [*debian/tests/test_modules/*] very-long-line-length-in-source-file *tests/doc/YAML-1.2.spec.js* very-long-line-length-in-source-file *tests/doc/foldFlowLines.js* very-long-line-length-in-source-file *debian/tests/test_modules/* diff --git a/debian/tests/CVE-2023-2251 b/debian/tests/CVE-2023-2251
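Review bot: in the src/errors.ts hunk the only change to library code is the clamp `count = Math.max(1, Math.min(end.col - col, 80 - ci))`. When `ci` exceeds 80, `80 - ci` is negative, `Math.min` returns that negative value and `'^'.repeat(count)` on the following line throws `RangeError: Invalid count value`, so the error pretty-printer itself crashes instead of reporting the parse error; that is the denial of service named under [ Reason ], and the new `repeated CR` test (`'[' + '\r'.repeat(80)`) drives exactly that path. The clamp guarantees at least one caret. The lintian-overrides hunk and the `Standards-Version` bump are unrelated to the CVE; the [ Others ] section flags them, but for a freeze unblock it would be cleaner to leave them out of the debdiff.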
Bug#1035039: unblock: node-core-js/3.26.1-3
Hi, here is a new debdiff: Please unblock package node-core-js [ Reason ] 1. "Breaks" field isn't enough for apt, it needs a "Replaces" to manage file conflicts (#1034947, #1034980, #1034989, #1035000) 2. During build, there was a useless symlink (#1035439) [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-core-js/3.26.1-3diff --git a/debian/changelog b/debian/changelog index f85b17e..953664b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +node-core-js (3.26.1-3) unstable; urgency=medium + + * Team upload + * Drop dandling link (Closes: #1035439) + + -- Yadd Wed, 03 May 2023 17:55:43 +0400 + +node-core-js (3.26.1-2) unstable; urgency=medium + + * Team upload + * Duplicate Breaks fields with Replaces +(Closes: #1034980, #1034989, 1035000, #1034947) + + -- Yadd Fri, 28 Apr 2023 06:52:43 +0400 + node-core-js (3.26.1-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index cce0fb8..955a902 100644 --- a/debian/control +++ b/debian/control @@ -41,6 +41,7 @@ Depends: ${misc:Depends} , node-semver , webpack Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: Node.js module to build a custom core-js For some cases could be useful to exclude some `core-js` features or generate a polyfill for target engines. This API helps conditionally include @@ -52,6 +53,7 @@ Architecture: all Depends: ${misc:Depends} Multi-Arch: foreign Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: Modular version of core-js to load only required features core-js is a modular standard library for JavaScript. Includes polyfills for ECMAScript up to 2021: promises, symbols, collections, iterators, typed 
@@ -65,6 +67,7 @@ Depends: ${misc:Depends} , node-semver Multi-Arch: foreign Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: data about the necessity of core-js core-js-compat contains data about the necessity of core-js modules and API for getting a list of required core-js modules by browserslist query. @@ -74,6 +77,7 @@ Architecture: all Depends: ${misc:Depends} Multi-Arch: foreign Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: Modular standard library for JavaScript without global namespace pollution Includes polyfills for ECMAScript up to 2021: promises, symbols, collections, iterators, typed arrays, ECMAScript 7+ proposals, setImmediate, diff --git a/debian/rules b/debian/rules index 7273a22..8760023 100755 --- a/debian/rules +++ b/debian/rules @@ -8,7 +8,7 @@ override_dh_auto_build: zx scripts/build-indexes.mjs zx scripts/clean-and-copy.mjs zx scripts/build-compat/index.mjs - ln -s ../packages/core-js node_modules/core-js || true + [ -e node_modules/core-js ] || ln -s ../packages/core-js node_modules/ || true zx scripts/bundle-package/bundle-package.mjs rm -f node_modules/core-js core-js terser -o packages/core-js-bundle/index.min.js packages/core-js-bundle/index.js
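Review bot: in the debian/rules hunk, `[ -e node_modules/core-js ] || ln -s ../packages/core-js node_modules/ || true` still ends in `|| true`, so a failed `ln` is silently ignored. `[ -e ]` follows symlinks and is false for a dangling one, in which case `ln -s` fails because the name already exists and the failure is swallowed; the later `rm -f node_modules/core-js` in the same hunk limits the damage, but `ln -sfn`, or dropping `|| true` so the build fails loudly, would make the intent explicit. The `Replaces: node-core-js (<< 3.21.1~)` lines mirror each `Breaks` and are what Policy §7.6.1 requires when files move between packages.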
Bug#1035443: unblock: node-source-map/0.7.0++dfsg2+really.0.6.1-13
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-source-...@packages.debian.org Control: affects -1 + src:node-source-map Please unblock package node-source-map [ Reason ] node-source-map had a dandling link (#1035437) [ Impact ] Just a dandling link that makes piupart cry [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-source-map/0.7.0++dfsg2+really.0.6.1-13 diff --git a/debian/changelog b/debian/changelog index fe8a39e..524ef9d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-source-map (0.7.0++dfsg2+really.0.6.1-13) unstable; urgency=medium + + * Team upload + * Drop dandling link (Closes: #1035437) + + -- Yadd Wed, 03 May 2023 17:32:45 +0400 + node-source-map (0.7.0++dfsg2+really.0.6.1-12) unstable; urgency=medium * Team upload diff --git a/debian/node-source-map.links b/debian/node-source-map.links index 7045f84..0260904 100644 --- a/debian/node-source-map.links +++ b/debian/node-source-map.links @@ -1,4 +1,3 @@ /usr/share/javascript/source-map/source-map.debug.js /usr/share/nodejs/source-map/dist/source-map.debug.js /usr/share/javascript/source-map/source-map.js /usr/share/nodejs/source-map/dist/source-map.js /usr/share/javascript/source-map/source-map.min.js /usr/share/nodejs/source-map/dist/source-map.debug.min.js -/usr/share/javascript/source-map/source-map.min.js.map /usr/share/nodejs/source-map/dist/source-map.min.js.map
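Review bot: the links hunk drops `/usr/share/javascript/source-map/source-map.min.js.map`, whose target `dist/source-map.min.js.map` is presumably not shipped (the dangling link of #1035437). The remaining third entry maps `source-map.min.js` to `dist/source-map.debug.min.js`; `debug` there looks like a copy-paste slip, so confirm that `dist/source-map.debug.min.js` exists in the build output and is the intended minified target, otherwise this is the next dangling link piuparts will report.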
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 5/2/23 23:26, Paul Gevers wrote: Hi Yadd, On 02-05-2023 10:15, Yadd wrote: extracting only CVE patch means: * keep some (unimportant) bugs in Bullseye * publish such version number: 5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1 Indeed, both are totally acceptable. Can we have a debdiff please? Paul Hi, here is the current debdiff (without the big removal of useless discoveryjs-json-ext/benchmarks) Regards, Yadddiff --git a/README.md b/README.md index c712d27f..a6549c1c 100644 --- a/README.md +++ b/README.md 
@@ -158,11 +158,11 @@ or are automatically applied via regex from your webpack configuration. Transpiling -| Name |Status | Install Size | Description | -| :: | :---: | :: | : | -| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | -| https://github.com/TypeStrong/ts-loader;>https://cdn.rawgit.com/Microsoft/TypeScript/master/doc/logo.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | -|https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>| ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | +| Name |Status | Install Size | Description | +| :--: | :---: | :: | : | +| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | +| https://github.com/TypeStrong/ts-loader;>https://raw.githubusercontent.com/microsoft/TypeScript-Website/f407e1ae19e5e990d9901ac8064a32a8cc60edf0/packages/typescriptlang-org/static/branding/ts-logo-128.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | +| https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;> | ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | [babel-npm]: https://img.shields.io/npm/v/babel-loader.svg [babel-size]: https://packagephobia.com/badge?p=babel-loader 
@@ -175,7 +175,7 @@ or are automatically applied via regex from your webpack configuration. | Name | Status | Install Size | Description | | :---: | :-: | :--: | :-- | -|https://github.com/webpack-contrib/html-loader;>https://worldvectorlogo.com/logos/html5.svg;> | ![html-npm] | ![html-size] | Exports HTML as string, requires references to static resources | +| https://github.com/webpack-contrib/html-loader;>https://worldvectorlog
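Review bot: this README.md hunk only swaps logo URLs and table alignment markers (the TypeScript logo moves to a pinned raw.githubusercontent.com path); it is documentation-only and unrelated to CVE-2023-28154, which is exactly the kind of extra change Paul questioned earlier in the thread. For a targeted unblock debdiff, either exclude README changes or state explicitly that they come with the upstream version bump.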
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 4/29/23 16:00, Salvatore Bonaccorso wrote:
> Control: severity 1032904 serious
>
> Hi Yadd,
>
> On Wed, Mar 15, 2023 at 09:11:46PM +0100, Paul Gevers wrote:
>> Control: tags -1 moreinfo
>>
>> Hi Yadd,
>>
>> On 15-03-2023 13:38, Yadd wrote:
>>> [ Reason ]
>>> node-webpack is vulnerable to cross-realm object access (#1032904,
>>> CVE-2023-28154).
>>
>> This doesn't look like a targeted fix, but rather seems to include much
>> more. How about reverting and providing a fix only for that CVE please?
>
> Have you seen Paul's comment/question above?
>
> We now have a somewhat unfortunate situation: the CVE is fixed in unstable,
> and it is fixed in bullseye as well with the last point release, but it is
> still open in bookworm. I will bump the severity of #1032904 to RC for this
> reason, as it is a regression in this regard.
>
> Regards,
> Salvatore

Hi,

extracting only the CVE patch means:
 * keep some (unimportant) bugs in Bullseye
 * publish such a version number:
   5.76.1+dfsg1+~cs17.16.16+really~5.75.0+dfsg+~cs17.16.14-1
Bug#1035368: unblock: node-terser/5.16.5-2
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: node-ter...@packages.debian.org
Control: affects -1 + src:node-terser

Please unblock package node-terser

[ Reason ]
node-terser has several bugs in its version 5.16.4:
 * #1034969: missing "Replaces" fields
 * Mutating options.format is unsafe when config is re-used
   (https://github.com/terser/terser/issues/1341)
 * Transform functions shouldn't mutate AST arrays

[ Impact ]
 * RC bug: upgrade is broken
 * Transformation issues

[ Tests ]
New tests added, passed.

[ Risks ]
Low risk, the main changes have been in unstable for 2 months and didn't
generate any regressions.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

Cheers,
Yadd

unblock node-terser/5.16.5-2
Bug#1035040: unblock: node-jest/29.3.1~ds1+~cs70.48.25-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-j...@packages.debian.org Control: affects -1 + src:node-jest Please unblock package node-jest [ Reason ] "Breaks" field isn't enough for apt, it needs a "Replaces" to manage file conflicts. This update just adds this. [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-jest/29.3.1~ds1+~cs70.48.25-2 diff --git a/debian/changelog b/debian/changelog index 920d0a8..e577799 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-jest (29.3.1~ds1+~cs70.48.25-2) unstable; urgency=medium + + * Duplicate Breaks field with Replaces (Closes: #1035008) + + -- Yadd Fri, 28 Apr 2023 06:42:41 +0400 + node-jest (29.3.1~ds1+~cs70.48.25-1) unstable; urgency=medium * New upstream version 29.3.1~ds1+~cs70.48.25 (updates @types/jest) diff --git a/debian/control b/debian/control index 90aeb56..cd2f3cb 100644 --- a/debian/control +++ b/debian/control @@ -203,6 +203,7 @@ Depends: ${misc:Depends} , node-types-node Breaks: node-rollup-plugin-terser (<< 7.0.2-6~) , jest (<< 29.1.2~ds1+~cs70.47.21-1~) +Replaces: jest (<< 29.1.2~ds1+~cs70.47.21-1~) Provides: ${nodeJestWorker:Provides} Multi-Arch: foreign Description: Nodejs module for executing heavy tasks under forked processes in parallel
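Review bot: the control hunk adds `Replaces: jest (<< 29.1.2~ds1+~cs70.47.21-1~)` to mirror one of the two `Breaks` entries, but `Breaks: node-rollup-plugin-terser (<< 7.0.2-6~)` is left without a matching `Replaces`. If that Breaks also exists because files moved from node-rollup-plugin-terser into this package, it needs the same treatment; if it only encodes an API incompatibility, Breaks alone is correct, and a short comment in d/control or the changelog would spare the next reviewer the question.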
Bug#1035039: unblock: node-core-js/3.26.1-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-core...@packages.debian.org Control: affects -1 + src:node-core-js Please unblock package node-core-js [ Reason ] "Breaks" field isn't enough for apt, it needs a "Replaces" to manage file conflicts. This update just adds this. [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-core-js/3.26.1-2 diff --git a/debian/changelog b/debian/changelog index f85b17e..0c46ebf 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-core-js (3.26.1-2) unstable; urgency=medium + + * Team upload + * Duplicate Breaks fields with Replaces +(Closes: #1034980, #1034989, 1035000, #1034947) + + -- Yadd Fri, 28 Apr 2023 06:52:43 +0400 + node-core-js (3.26.1-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index cce0fb8..955a902 100644 --- a/debian/control +++ b/debian/control @@ -41,6 +41,7 @@ Depends: ${misc:Depends} , node-semver , webpack Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: Node.js module to build a custom core-js For some cases could be useful to exclude some `core-js` features or generate a polyfill for target engines. This API helps conditionally include @@ -52,6 +53,7 @@ Architecture: all Depends: ${misc:Depends} Multi-Arch: foreign Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: Modular version of core-js to load only required features core-js is a modular standard library for JavaScript. Includes polyfills for ECMAScript up to 2021: promises, symbols, collections, iterators, typed 
@@ -65,6 +67,7 @@ Depends: ${misc:Depends} , node-semver Multi-Arch: foreign Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: data about the necessity of core-js core-js-compat contains data about the necessity of core-js modules and API for getting a list of required core-js modules by browserslist query. @@ -74,6 +77,7 @@ Architecture: all Depends: ${misc:Depends} Multi-Arch: foreign Breaks: node-core-js (<< 3.21.1~) +Replaces: node-core-js (<< 3.21.1~) Description: Modular standard library for JavaScript without global namespace pollution Includes polyfills for ECMAScript up to 2021: promises, symbols, collections, iterators, typed arrays, ECMAScript 7+ proposals, setImmediate,
Bug#1035038: unblock: node-strip-eof/3.0.0-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-strip-...@packages.debian.org Control: affects -1 + src:node-strip-eof Please unblock package node-strip-eof [ Reason ] "Breaks" field isn't enough for apt, it needs a "Replaces" to manage file conflicts. This update just adds this. [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-strip-eof/3.0.0-5 diff --git a/debian/changelog b/debian/changelog index 0f08d46..fbe8ec8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-strip-eof (3.0.0-5) unstable; urgency=medium + + * Team upload + * Duplicate Breaks field with Replaces (Closes: #1034924) + + -- Yadd Fri, 28 Apr 2023 06:54:14 +0400 + node-strip-eof (3.0.0-4) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 9b911b4..45de062 100644 --- a/debian/control +++ b/debian/control @@ -19,6 +19,7 @@ Architecture: all Depends: ${misc:Depends} Provides: ${nodejs:Provides} Breaks: node-execa (<< 5.1.1+dfsg+~cs19.3.6~) +Replaces: node-execa (<< 5.1.1+dfsg+~cs19.3.6~) Multi-Arch: foreign Description: strip CR and LF characters from a string/buffer Strips CR and LF characters (i.e., it strips them away, if the string ends
Bug#1035037: unblock: node-parse5/7.1.2+dfsg-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-par...@packages.debian.org Control: affects -1 + src:node-parse5 Please unblock package node-parse5 [ Reason ] Missing Breaks+Replaces agaist node-cheerio (#1034984) [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-parse5/7.1.2+dfsg-2 diff --git a/debian/changelog b/debian/changelog index 94e7e84..3719f73 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-parse5 (7.1.2+dfsg-2) unstable; urgency=medium + + * Team upload + * Add missing Breaks+Replaces against node-cheerio (Closes: #1034984) + + -- Yadd Fri, 28 Apr 2023 06:58:41 +0400 + node-parse5 (7.1.2+dfsg-1) unstable; urgency=medium * Apply multi-arch hints (foreign) diff --git a/debian/control b/debian/control index 85e9fc2..c821db8 100644 --- a/debian/control +++ b/debian/control @@ -40,7 +40,9 @@ Depends: ${misc:Depends} , node-domhandler , node-parse5 Breaks: node-jsdom (<< 20.0.0+repack1~) + , node-cheerio (<< 1.0.0~rc~10+repack-1~) Replaces: node-jsdom (<< 20.0.0+repack1~) + , node-cheerio (<< 1.0.0~rc~10+repack-1~) Description: node-htmlparser2 tree adapter Parse5 provides nearly everything needed when dealing with HTML. It's the fastest spec-compliant HTML parser for Node.js to date. It parses HTML the
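Review bot: the control hunk adds `node-cheerio (<< 1.0.0~rc~10+repack-1~)` to both `Breaks` and `Replaces`, which is the right pair for a file takeover. The version string with `~rc~10` is unusual, so double-check it against the node-cheerio version actually in the archive (including the `+repack` suffix): a mistyped version makes the relation silently ineffective and the file conflict from #1034984 comes back on upgrade.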
Bug#1035036: unblock: node-npm-run-path/5.1.0+~4.0.0-8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-npm-run-p...@packages.debian.org Control: affects -1 + src:node-npm-run-path [ Reason ] "Breaks" field isn't enough for apt, it needs a "Replaces" to manage file conflicts. This update just adds this. [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-npm-run-path/5.1.0+~4.0.0-8 diff --git a/debian/changelog b/debian/changelog index 2c842dd..e2ff48a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-npm-run-path (5.1.0+~4.0.0-8) unstable; urgency=medium + + * Team upload + * Duplicate Breaks field with Replaces (Closes: #1034945) + + -- Yadd Fri, 28 Apr 2023 07:08:33 +0400 + node-npm-run-path (5.1.0+~4.0.0-7) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 56b3abf..dcd115f 100644 --- a/debian/control +++ b/debian/control @@ -20,5 +20,6 @@ Architecture: all Depends: ${misc:Depends} Provides: ${nodejs:Provides} Breaks: node-execa (<< 6.1.0+dfsg1~) +Replaces: node-execa (<< 6.1.0+dfsg1~) Description: Get your PATH prepended with locally installed binaries Node.js is an event-based server-side JavaScript engine.
Bug#1035035: unblock: node-whatwg-fetch/3.6.2-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-whatwg-fe...@packages.debian.org Control: affects -1 + src:node-whatwg-fetch [ Reason ] "Breaks" field isn't enough for apt, it needs a "Replaces" to manage file conflicts. This update just adds this. [ Risks ] No risk here [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-whatwg-fetch/3.6.2-7 diff --git a/debian/changelog b/debian/changelog index 125ed5c..6838dbe 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-whatwg-fetch (3.6.2-7) unstable; urgency=medium + + * Team upload + * Duplicate Breaks field with Replaces (Closes: #1034933) + + -- Yadd Fri, 28 Apr 2023 07:13:09 +0400 + node-whatwg-fetch (3.6.2-6) unstable; urgency=medium * Add fix for rollup 3 (Closes: #1022653) diff --git a/debian/control b/debian/control index a61d511..371adc4 100644 --- a/debian/control +++ b/debian/control @@ -18,6 +18,7 @@ Architecture: all Depends: ${misc:Depends} Provides: libjs-whatwg-fetch (= ${binary:Version}) Breaks: libjs-fetch (<< 3.5.0-2~) +Replaces: libjs-fetch (<< 3.5.0-2~) Multi-Arch: foreign Description: window.fetch JavaScript polyfill The fetch() function is a Promise-based mechanism for programmatically making
Bug#1034664: unblock: node-xml2js/0.4.23+~cs15.4.0+dfsg-5
On 4/22/23 13:14, Sebastian Ramacher wrote: Control: tags -1 moreinfo On 2023-04-21 11:16:32 +0400, Yadd wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-xml...@packages.debian.org Control: affects -1 + src:node-xml2js Please unblock package node-xml2js This upload is causing autopkgtest regressions: node-xml2js (0.4.23+~cs15.4.0+dfsg-4 to 0.4.23+~cs15.4.0+dfsg-5) Maintainer: Debian Javascript Maintainers Migration status for node-xml2js (0.4.23+~cs15.4.0+dfsg-4 to 0.4.23+~cs15.4.0+dfsg-5): BLOCKED: Rejected/violates migration policy/introduces a regression Issues preventing migration: ∙ ∙ autopkgtest for node-node-rest-client/3.1.1-2: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), armel: Regression ♻ (reference ♻), armhf: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻) ∙ ∙ autopkgtest for node-xml2js/0.4.23+~cs15.4.0+dfsg-5: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, s390x: Pass ∙ ∙ blocked by freeze: is a key package (Follow the freeze policy when applying for an unblock) ∙ ∙ Too young, only 1 of 20 days old Additional info: ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-xml2js.html Please let us know once htey have been fixed. Hi, I just pushed node-xml2js 0.4.23+~cs15.4.0+dfsg-8. In this new debdiff, instead of replacing `{}` by `Object.create(null)`, I filter the forbidden __proto__ key. A new autopkgtest proves that CVE is fixed and node-node-rest-client test pass now The explanation of this change is here: https://github.com/Leonidas-from-XIV/node-xml2js/issues/672 Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 98492d7..be97d0c 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,33 @@ +node-xml2js (0.4.23+~cs15.4.0+dfsg-8) unstable; urgency=medium + + * Team upload + * Fix regression in node-node-rest-client tests + + -- Yadd Tue, 25 Apr 2023 17:53:28 +0400 + +node-xml2js (0.4.23+~cs15.4.0+dfsg-7) unstable; urgency=medium + + * Team upload + * Better fix for CVE-2023-0842 + + -- Yadd Tue, 25 Apr 2023 15:48:55 +0400 + +node-xml2js (0.4.23+~cs15.4.0+dfsg-6) unstable; urgency=medium + + * Team upload + * Fix regression in node-node-rest-client tests + + -- Yadd Tue, 25 Apr 2023 13:51:05 +0400 + +node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium + + * Team upload + * Update standards version to 4.6.2, no changes needed. + * Update nodejs dependency to nodejs:any + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd Fri, 21 Apr 2023 11:11:13 +0400 + node-xml2js (0.4.23+~cs15.4.0+dfsg-4) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index dc4d6d0..406a88d 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: , node-sax , dh-sequence-nodejs , node-diff -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-xml2js Vcs-Git: https://salsa.debian.org/js-team/node-xml2js.git Homepage: https://github.com/Leonidas-from-XIV/node-xml2js @@ -21,8 +21,8 @@ Architecture: all Depends: ${misc:Depends} , node-sax - , nodejs , node-diff + , nodejs:any Provides: ${nodejs:Provides} Description: simple XML to JavaScript object converter - Node.js module xml2js parses XML using node-sax and converts it to a plain JavaScript diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch new file mode 100644 index 000..6af0bd7 --- /dev/null +++ b/debian/patches/CVE-2023-0842.patch 
@@ -0,0 +1,114 @@ +Description: use Object.create(null) to create all parsed objects + (prevent prototype replacement) +Author: James Crosby +Origin: upstream, commit:581b19a6 +Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc +Bug-Debian: https://bugs.debian.org/1034148 +Forwarded: not-needed +Applied-Upstream: 0.5.0, commit:581b19a6 +Reviewed-By: Yadd +Last-Update: 2023-04-21 + +--- a/src/parser.coffee b/src/parser.coffee +@@ -107,14 +107,15 @@ + obj[charkey] = "" + unless @options.ignoreAttrs + for own key of node.attributes +- if attrkey not of obj and not @options.mergeAttrs +-obj[attrkey] = {} ++ if attrkey not of obj and attrkey != '__proto__' and not @options.mergeAttrs ++obj[attrkey] = Object.create(null) + newValue = if @options.attrValueProcessors then processItem(@options.attrValueProcessors, node.attributes[key], key) else node.attributes[key] + processedKey = if @options.attrNameProcessors then processItem(@options.attrNameProcessors, key) else key +- if @options.mergeAttrs +-@assignOrPush obj, processedKey
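Review bot: the parser.coffee hunk guards only `attrkey`: `if attrkey not of obj and attrkey != '__proto__' and not @options.mergeAttrs`, while the patch header still reads `use Object.create(null) to create all parsed objects`; the mail describes the -7/-8 approach as filtering the `__proto__` key instead of nulling the prototype, so the Description should say what the Debian variant actually does. Also confirm, in the remainder of the patch, that `processedKey` from `attrNameProcessors` and element names used as object keys get the same `__proto__` filter, since those are the names the document controls; `attrkey` is a fixed option value, and a filter on it alone would not block the prototype replacement described in the advisory.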
Bug#1034665: bullseye-pu: package node-xml2js/0.2.8-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-xml...@packages.debian.org Control: affects -1 + src:node-xml2js [ Reason ] node-xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object (#1034148, CVE-2023-0842) [ Impact ] Medium security issue [ Tests ] Sadly test are not enabled in Bullseye [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Replace {} by Object.create(null) Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 628f69a..106d13b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xml2js (0.2.8-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd Fri, 21 Apr 2023 11:33:31 +0400 + node-xml2js (0.2.8-1) unstable; urgency=low * Upstream update diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch new file mode 100644 index 000..cd03e08 --- /dev/null +++ b/debian/patches/CVE-2023-0842.patch 
@@ -0,0 +1,46 @@ +Description: use Object.create(null) to create all parsed objects + (prevent prototype replacement) +Author: James Crosby +Origin: upstream, commit:581b19a6 +Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc +Bug-Debian: https://bugs.debian.org/1034148 +Forwarded: not-needed +Applied-Upstream: 0.5.0, commit:581b19a6 +Reviewed-By: Yadd +Last-Update: 2023-04-21 + +--- a/src/xml2js.coffee b/src/xml2js.coffee +@@ -105,12 +105,12 @@ + charkey = @options.charkey + + @saxParser.onopentag = (node) => +- obj = {} ++ obj = Object.create(null) + obj[charkey] = "" + unless @options.ignoreAttrs + for own key of node.attributes + if attrkey not of obj and not @options.mergeAttrs +-obj[attrkey] = {} ++obj[attrkey] = Object.create(null) + if @options.mergeAttrs + obj[key] = node.attributes[key] + else +@@ -158,7 +158,7 @@ + + # put children into property and unfold chars if necessary + if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object' +-node = {} ++node = Object.create(null) + # separate attributes + if @options.attrkey of obj + node[@options.attrkey] = obj[@options.attrkey] +@@ -193,7 +193,7 @@ + if @options.explicitRoot + # avoid circular references + old = obj +- obj = {} ++ obj = Object.create(null) + obj[nodeName] = old + + @resultObject = obj diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..6b5589b --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2023-0842.patch
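Review bot: the four `{}` to `Object.create(null)` swaps change the shape of every parsed object, not just its safety: results no longer inherit `hasOwnProperty`, `toString` or `valueOf`, so a reverse dependency calling `result.foo.hasOwnProperty(...)` directly will throw after this update. Since the submission says tests are not enabled in bullseye, a line in the changelog or d/NEWS flagging that API change would be prudent. The fix itself is sound: with a null-prototype object, `obj[nodeName] = old` at xml2js.coffee:197 and `obj[key] = node.attributes[key]` in the mergeAttrs branch store a `__proto__` name as an ordinary own key instead of replacing the object's prototype.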
Bug#1034664: unblock: node-xml2js/0.4.23+~cs15.4.0+dfsg-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-xml...@packages.debian.org Control: affects -1 + src:node-xml2js Please unblock package node-xml2js [ Reason ] node-xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object (#1034148, CVE-2023-0842) [ Impact ] Medium security issue [ Tests ] Test updates, passed [ Risks ] Low risk, patch is trivial and tested [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-xml2js/0.4.23+~cs15.4.0+dfsg-5 diff --git a/debian/changelog b/debian/changelog index 98492d7..9d9dac7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-xml2js (0.4.23+~cs15.4.0+dfsg-5) unstable; urgency=medium + + * Team upload + * Update standards version to 4.6.2, no changes needed. + * Update nodejs dependency to nodejs:any + * Add patch to prevent prototype pollution (Closes: #1034148, CVE-2023-0842) + + -- Yadd Fri, 21 Apr 2023 11:11:13 +0400 + node-xml2js (0.4.23+~cs15.4.0+dfsg-4) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index dc4d6d0..406a88d 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: , node-sax , dh-sequence-nodejs , node-diff -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-xml2js Vcs-Git: https://salsa.debian.org/js-team/node-xml2js.git Homepage: https://github.com/Leonidas-from-XIV/node-xml2js @@ -21,8 +21,8 @@ Architecture: all Depends: ${misc:Depends} , node-sax - , nodejs , node-diff + , nodejs:any Provides: ${nodejs:Provides} Description: simple XML to JavaScript object converter - Node.js module xml2js parses XML using node-sax and converts it to a plain JavaScript 
diff --git a/debian/patches/CVE-2023-0842.patch b/debian/patches/CVE-2023-0842.patch new file mode 100644 index 000..3d80ed9 --- /dev/null +++ b/debian/patches/CVE-2023-0842.patch 
@@ -0,0 +1,103 @@ +Description: use Object.create(null) to create all parsed objects + (prevent prototype replacement) +Author: James Crosby +Origin: upstream, commit:581b19a6 +Bug: https://github.com/advisories/GHSA-776f-qx25-q3cc +Bug-Debian: https://bugs.debian.org/1034148 +Forwarded: not-needed +Applied-Upstream: 0.5.0, commit:581b19a6 +Reviewed-By: Yadd +Last-Update: 2023-04-21 + +--- a/src/parser.coffee b/src/parser.coffee +@@ -103,12 +103,12 @@ + charkey = @options.charkey + + @saxParser.onopentag = (node) => +- obj = {} ++ obj = Object.create(null) + obj[charkey] = "" + unless @options.ignoreAttrs + for own key of node.attributes + if attrkey not of obj and not @options.mergeAttrs +-obj[attrkey] = {} ++obj[attrkey] = Object.create(null) + newValue = if @options.attrValueProcessors then processItem(@options.attrValueProcessors, node.attributes[key], key) else node.attributes[key] + processedKey = if @options.attrNameProcessors then processItem(@options.attrNameProcessors, key) else key + if @options.mergeAttrs +@@ -161,7 +161,7 @@ + # put children into property and unfold chars if necessary + if @options.explicitChildren and not @options.mergeAttrs and typeof obj is 'object' + if not @options.preserveChildrenOrder +- node = {} ++ node = Object.create(null) + # separate attributes + if @options.attrkey of obj + node[@options.attrkey] = obj[@options.attrkey] +@@ -179,7 +179,7 @@ + # append current node onto parent's array + s[@options.childkey] = s[@options.childkey] or [] + # push a clone so that the node in the children array can receive the #name property while the original obj can do without it +- objClone = {} ++ objClone = Object.create(null) + for own key of obj + objClone[key] = obj[key] + s[@options.childkey].push objClone +@@ -196,7 +196,7 @@ + if @options.explicitRoot + # avoid circular references + old = obj +- obj = {} ++ obj = Object.create(null) + obj[nodeName] = old + + @resultObject = obj +--- a/test/parser.test.coffee 
b/test/parser.test.coffee +@@ -531,13 +531,13 @@ + + 'test single attrNameProcessors': skeleton(attrNameProcessors: [nameToUpperCase], (r)-> + console.log 'Result object: ' + util.inspect r, false, 10 +-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('CAMELCASEATTR'), true +-equ r.sample.attrNameProcessTest[0].$.hasOwnProperty('LOWERCASEATTR'), true) ++equ {}.hasOwnProperty.call(r.sample.attrNameProcessTest[0].$, 'CAMELCASEATTR'), true ++equ {}.hasOwnProperty.call(r.sample.attrN
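Review bot: the test change at parser.test.coffee:534 (`{}.hasOwnProperty.call(...)` in place of `r.sample.attrNameProcessTest[0].$.hasOwnProperty(...)`) is the visible evidence that this patch alters the public result shape, not only internals; the changelog entry ("Add patch to prevent prototype pollution") should say so, because reverse dependencies written the old way will break the same way the test did. The `objClone` loop at parser.coffee:182 is fine with a null-prototype source: CoffeeScript compiles `for own key of obj` to a `{}.hasOwnProperty.call` check, and copying into another `Object.create(null)` keeps `__proto__` an own key.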
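The prototype-replacement mechanism this patch closes, as an added example that is not xml2js or Debian code: a miniature of the parser's open/close-tag builder, run once with `{}` and once with `Object.create(null)` over a constructed event stream for `<root><__proto__><admin>true</admin></__proto__></root>`. The `build` and `observe` functions and the event list are assumptions of this example.

```javascript
'use strict';
// Added example, not part of xml2js or the Debian patch: a miniature of the
// parser's onopentag/onclosetag builder, parameterised by how node objects are
// created, to show what `{}` versus `Object.create(null)` changes.

// Constructed SAX-style event stream for the document
//   <root><__proto__><admin>true</admin></__proto__></root>
const EVENTS = [
  { type: 'open', name: 'root' },
  { type: 'open', name: '__proto__' },
  { type: 'open', name: 'admin' },
  { type: 'text', text: 'true' },
  { type: 'close' },
  { type: 'close' },
  { type: 'close' },
];

// Each open tag pushes a fresh node object; each close tag assigns the finished
// node into its parent under the element name (`s[nodeName] = obj` in xml2js).
// Text-only elements collapse to their string, as xml2js does by default.
function build(events, makeObject) {
  const stack = [];
  let result = null;
  for (const ev of events) {
    if (ev.type === 'open') {
      stack.push({ name: ev.name, obj: makeObject(), text: '', children: 0 });
    } else if (ev.type === 'text') {
      stack[stack.length - 1].text += ev.text;
    } else {
      const frame = stack.pop();
      const value = frame.children === 0 ? frame.text : frame.obj;
      if (stack.length === 0) {
        result = makeObject();          // explicitRoot-style wrapper
        result[frame.name] = value;
      } else {
        const parent = stack[stack.length - 1];
        parent.obj[frame.name] = value; // with `{}` and name '__proto__' this
        parent.children += 1;           // replaces the parent's prototype
      }
    }
  }
  return result;
}

const makePlain = () => ({});                    // before the patch
const makeNullProto = () => Object.create(null); // after the patch

// What a consumer inspecting the parsed <root> element would observe.
function observe(result) {
  const root = result.root;
  return {
    adminVisible: root.admin === 'true',   // injected value resolved via prototype?
    ownKeys: Object.keys(root),             // what an enumeration would show
    hasOwnWorks: typeof root.hasOwnProperty === 'function',
    protoIsOwn: Object.prototype.hasOwnProperty.call(root, '__proto__'),
  };
}

const vulnerable = observe(build(EVENTS, makePlain));
const fixed = observe(build(EVENTS, makeNullProto));
console.log('plain object  :', vulnerable);
console.log('null prototype:', fixed);
```

With `{}` the element named `__proto__` silently becomes the parent's prototype, so `root.admin` reads `'true'` although `Object.keys(root)` is empty; with `Object.create(null)` it is an ordinary own key, at the price of `root.hasOwnProperty` no longer existing, which is exactly why the test above switched to `{}.hasOwnProperty.call`.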
Bug#1034105: unblock: node-ua-parser-js/0.8.1+ds+~0.7.36-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-ua-parser...@packages.debian.org Control: affects -1 + src:node-ua-parser-js Please unblock package node-ua-parser-js [ Reason ] node-ua-parser-js is vulnerable to a Regex DoS (CVE-2022-25927) [ Impact ] Low security issue [ Tests ] No new test, current still pass [ Risks ] No risk, patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-ua-parser-js/0.8.1+ds+~0.7.36-3 diff --git a/debian/changelog b/debian/changelog index 97dc70f..fe75bc4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-ua-parser-js (0.8.1+ds+~0.7.36-3) unstable; urgency=medium + + * Team upload + * Update standards version to 4.6.2, no changes needed. + * Remove unsafe and ueless regex (Closes: CVE-2022-25927) + + -- Yadd Sun, 09 Apr 2023 07:47:39 +0400 + node-ua-parser-js (0.8.1+ds+~0.7.36-2) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/control b/debian/control index a65ee3c..5156727 100644 --- a/debian/control +++ b/debian/control @@ -10,7 +10,7 @@ Build-Depends: debhelper-compat (= 13) , node-requirejs , node-safe-regex , terser -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-ua-parser-js Vcs-Git: https://salsa.debian.org/js-team/node-ua-parser-js.git Homepage: https://github.com/faisalman/ua-parser-js diff --git a/debian/patches/CVE-2022-25927.patch b/debian/patches/CVE-2022-25927.patch new file mode 100644 index 000..23e19bd --- /dev/null +++ b/debian/patches/CVE-2022-25927.patch 
@@ -0,0 +1,22 @@ +Description: Remove unsafe regex in trim() function + `trim()` function contains a regular expression that is vulnerable to + ReDoS but was uncaught by `safe-regex` module +Author: Faisal Salman +Origin: upstream, https://github.com/faisalman/ua-parser-js/commit/a6140a17 +Bug: https://security.snyk.io/vuln/SNYK-JS-UAPARSERJS-3244450 +Forwarded: not-needed +Applied-Upstream: 1.0.33, commit:a6140a17 +Reviewed-By: Yadd +Last-Update: 2023-04-09 + +--- a/src/ua-parser.js b/src/ua-parser.js +@@ -92,7 +92,7 @@ + }, + trim = function (str, len) { + if (typeof(str) === STR_TYPE) { +-str = str.replace(/^\s\s*/, EMPTY).replace(/\s\s*$/, EMPTY); ++str = str.replace(/^\s\s*/, EMPTY); + return typeof(len) === UNDEF_TYPE ? str : str.substring(0, UA_MAX_LENGTH); + } + }; diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..8115996 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2022-25927.patch
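Review bot: dropping `.replace(/\s\s*$/, EMPTY)` at ua-parser.js:95 removes the ReDoS because `\s\s*$` has no start anchor and backtracks quadratically on a long run of whitespace followed by a non-space character, whereas the remaining `/^\s\s*/` is anchored and linear; but `trim()` now strips leading whitespace only, so the function name is misleading and a comment at that line explaining that trailing whitespace is tolerated would help. Two further points visible in the hunk: the `len` parameter is never used (`str.substring(0, UA_MAX_LENGTH)` ignores it), a pre-existing oddity worth reporting upstream, and the changelog entry has a typo, "ueless" for "useless".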
Bug#1033929: unblock: node-interpret/2.2.0-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-interp...@packages.debian.org Control: affects -1 + src:node-interpret Please unblock package node-interpret [ Reason ] node-interpret uses network for its autopkgtest. Due to upstream changes in some old transpilers, autopkgtest started to fail. The proposed patch only change things in node-interpret test. BTS: #1033816 [ Impact ] No change in installed files, patch changes only node-interpret test. [ Tests ] Broken test on deprecated transpiler are now disabled. [ Risks ] No risk, even if patch is a little big, there is no change in installed files. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Changes ] * don't test babel/register and buble/register (Debian uses @babel/register, no more babel/register) * test modules: drop embedded "expect" and add patch to use Debian's node-expect (provided by jest) * lintian-brush: * update lintian tags * update metadata * update debian/watch Cheers, Yadd unblock node-interpret/2.2.0-3 diff --git a/debian/changelog b/debian/changelog index b38fa5c..b5bca67 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,21 @@ +node-interpret (2.2.0-3) unstable; urgency=medium + + * Team upload + + [ lintian-brush ] + * Update lintian override info format in d/source/lintian-overrides +on line 2-4 + * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse + * Update standards version to 4.6.2, no changes needed + + [ Yadd ] + * Fix filenamemangle + * Add fix for expect 28 and drop embedded "expect" + * Set upstream metadata fields: Repository. + * Drop test on deprecated transpilers (Closes: #1033816) + + -- Yadd Mon, 03 Apr 2023 08:10:46 +0400 + node-interpret (2.2.0-2) unstable; urgency=medium * Team upload 
diff --git a/debian/control b/debian/control index 2b09242..510057d 100644 --- a/debian/control +++ b/debian/control @@ -20,7 +20,7 @@ Build-Depends: debhelper-compat (= 13) , node-parse-node-version , node-which-boxed-primitive , node-which-collection -Standards-Version: 4.6.0 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-interpret Vcs-Git: https://salsa.debian.org/js-team/node-interpret.git Homepage: https://github.com/tkellen/node-interpret diff --git a/debian/copyright b/debian/copyright index e9d0fe5..b5809a0 100644 --- a/debian/copyright +++ b/debian/copyright @@ -16,10 +16,6 @@ Files: debian/tests/test_modules/* Copyright: 1014-2020 Jordan Harband License: Expat -Files: debian/tests/test_modules/expect/* -Copyright: 2015 Michael Jackson -License: Expat - Files: debian/tests/test_modules/*/node_modules/isarray/* Copyright: 2013 Julian Gruber License: Expat diff --git a/debian/patches/drop-test-on-deprecated-transpilers.patch b/debian/patches/drop-test-on-deprecated-transpilers.patch new file mode 100644 index 000..d9a7cea --- /dev/null +++ b/debian/patches/drop-test-on-deprecated-transpilers.patch @@ -0,0 +1,24 @@ +Description: drop test on deprecated transpilers +Author: Yadd +Bug-Debian: https://bugs.debian.org/1033816 +Forwarded: not-needed +Last-Update: 2023-04-03 + +--- a/test/index.js b/test/index.js +@@ -126,6 +126,7 @@ + var fixtureDir = path.dirname(fixture); + var idx = attempt.index; + ++if( name !== 'babel/register' && name !== 'buble/register' ) { + it('can require ' + extension + ' using ' + name + ' (' + idx + ')', function(done) { + var minVersion = minVersions[module]; + +@@ -232,6 +233,7 @@ + } + done(); + }); ++} + }); + + it('does not error with the .mjs extension', function(done) { diff --git a/debian/patches/fix-for-expect-28.patch b/debian/patches/fix-for-expect-28.patch new file mode 100644 index 000..af3bf26 --- /dev/null +++ b/debian/patches/fix-for-expect-28.patch 
@@ -0,0 +1,15 @@ +Description: add fix for expect 28 (jest) +Author: Yadd +Forwarded: not-needed +Last-Update: 2022-12-01 + +--- a/test/index.js b/test/index.js +@@ -1,6 +1,6 @@ + 'use strict'; + +-var expect = require('expect'); ++var {expect} = require('expect'); + + var path = require('path'); + var Module = require('module'); diff --git a/debian/patches/series b/debian/patches/series index 0312c9a..7e124d8 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,3 @@ fix-test.diff +fix-for-expect-28.patch +drop-test-on-deprecated-transpilers.patch diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 5c71dbd..792e152 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides @@ -1,4 +1,4 @@ # Test files used only during autopkgtest -source-is-missing debian/tests/test_modules/expect/lib/Expectation.js -source-contains-prebuilt-jav
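Review bot: wrapping the entire `it(...)` block in `if( name !== 'babel/register' && name !== 'buble/register' ) {` at test/index.js:129 and closing it at :236 silently drops those cases from the test report; `it.skip(...)` or filtering the fixture list before the loop would keep them visible as skipped and avoid an unindented hundred-line `if`. The `if(` spacing also differs from the file's `if (` style. Separately, the unchanged context in debian/copyright reads `Copyright: 1014-2020 Jordan Harband`, which looks like a typo for 2014 and could be corrected in the same upload.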
Bug#1033927: unblock: node-sinon/14.0.2+ds+~cs74.13.25-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-si...@packages.debian.org Control: affects -1 + src:node-sinon Please unblock package node-sinon [ Reason ] node-sinon is a package used during JS tests. In Debian JS Team we choose to launch autopkgtest with `--disable-proto=throw` to ensure that JS packages don't used this old way to access to prototype for security reasons. This change started in September 2022 (pkg-js-autopkgtest 0.15.x). node-sinon currently parses all object properties without avoid __proto__. This breaks (at least) node-nock autopkgtest. [ Impact ] No change, the patch just avoid parsing __proto__ [ Tests ] No change in test, still pass (autopkgtest + build). This fixed also node-nock test. [ Risks ] No risk here, patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] This debdiff adds also some tips from lintian-brush (lintian tags and metadata update) Cheers, Yadd unblock node-sinon/14.0.2+ds+~cs74.13.25-2 diff --git a/debian/changelog b/debian/changelog index aaace48..111c526 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +node-sinon (14.0.2+ds+~cs74.13.25-2) unstable; urgency=medium + + * Team upload + * Update lintian override info format in d/source/lintian-overrides +on line 2-3 + * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse + * Update standards version to 4.6.2, no changes needed + * Drop calls to __proto__ (Closes: #1033818) + + -- Yadd Mon, 03 Apr 2023 07:26:51 +0400 + node-sinon (14.0.2+ds+~cs74.13.25-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 1a73a29..c60cd62 100644 --- a/debian/control +++ b/debian/control 
@@ -27,7 +27,7 @@ Build-Depends: , node-supports-color , node-type-detect , node-util -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-sinon Vcs-Git: https://salsa.debian.org/js-team/node-sinon.git Homepage: https://sinonjs.org/ diff --git a/debian/patches/dont-try-to-access-to-__proto__.patch b/debian/patches/dont-try-to-access-to-__proto__.patch new file mode 100644 index 000..5973750 --- /dev/null +++ b/debian/patches/dont-try-to-access-to-__proto__.patch @@ -0,0 +1,16 @@ +Description: don't try to access to __proto__ +Author: Yadd +Forwarded: no +Last-Update: 2023-04-03 + +--- a/lib/sinon/util/core/walk.js b/lib/sinon/util/core/walk.js +@@ -17,7 +17,7 @@ + } + + forEach(Object.getOwnPropertyNames(obj), function (k) { +-if (seen[k] !== true) { ++if (k !== '__proto__' && seen[k] !== true) { + seen[k] = true; + var target = + typeof Object.getOwnPropertyDescriptor(obj, k).get === diff --git a/debian/patches/series b/debian/patches/series index ffb3e1f..b2b7689 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ fix-sinonjsreferee-sinon-test.diff reproducible.patch fix-for-path-to-regexp-6.patch drop-unstable-test.patch +dont-try-to-access-to-__proto__.patch diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 3f4d9d6..05b110e 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides @@ -1,6 +1,6 @@ # False positive: data -source-is-missing *sinonjstext-encoding/lib/encoding-indexes.js* -source-contains-prebuilt-javascript-object *sinonjstext-encoding/lib/encoding-indexes.js* +source-is-missing [*sinonjstext-encoding/lib/encoding-indexes.js*] +source-contains-prebuilt-javascript-object [*sinonjstext-encoding/lib/encoding-indexes.js*] very-long-line-length-in-source-file *sinonjsfake-timers/LICENSE* very-long-line-length-in-source-file *sinonjstext-encoding/lib/encoding-indexes.js* very-long-line-length-in-source-file *.md* 
diff --git a/debian/upstream/metadata b/debian/upstream/metadata index 6d85d64..c5adee0 100644 --- a/debian/upstream/metadata +++ b/debian/upstream/metadata @@ -1,6 +1,6 @@ --- Archive: GitHub -Bug-Database: https://github.com/cjohansen/Sinon.JS/issues -Bug-Submit: https://github.com/cjohansen/Sinon.JS/issues/new +Bug-Database: https://github.com/sinonjs/sinon/issues +Bug-Submit: https://github.com/sinonjs/sinon/issues/new Repository: https://github.com/cjohansen/Sinon.JS.git -Repository-Browse: https://github.com/cjohansen/Sinon.JS +Repository-Browse: https://github.com/sinonjs/sinon
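Review bot: skipping `'__proto__'` at walk.js:20 is the right minimal fix, since `seen[k]` with `k === '__proto__'` reads the inherited accessor and throws under `--disable-proto=throw`; a cleaner version would make `seen` a `Set` or an `Object.create(null)` map, which removes the special case altogether (an own property literally named `__proto__`, as produced by `JSON.parse('{"__proto__":1}')`, is then walked like any other name instead of being skipped). Two nits: the patch header says `Forwarded: no` without a reason, and upstream would likely accept a `__proto__`-safe `walk`; and in the metadata hunk `Repository:` still points at `https://github.com/cjohansen/Sinon.JS.git` while Bug-Database and Repository-Browse were moved to `sinonjs/sinon`.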
Bug#1033866: unblock: node-sockjs-client/1.6.1+dfsg1-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-sockjs-cli...@packages.debian.org Control: affects -1 + src:node-sockjs-client Please unblock package node-sockjs-client [ Reason ] autopkgtest is broken due to a __proto__ access which is now forbidden during autopkgtest (pkg-js-autopkgtest). [ Impact ] No impact, no code change [ Tests ] Test passed (both build & autopkgtest) [ Risks ] No risk, no code change [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] This change includes a lintian-brush fix (little things in lintian + policy 4.6.2) Regards, Yadd unblock node-sockjs-client/1.6.1+dfsg1-2 diff --git a/debian/changelog b/debian/changelog index d68db9b..77c59b4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +node-sockjs-client (1.6.1+dfsg1-2) unstable; urgency=medium + + * Team upload + + [ lintian-brush ] + * Update lintian override info format in d/source/lintian-overrides +on line 2-8, 11-27 + * Use secure URI in Homepage field + * Update standards version to 4.6.2, no changes needed + + [ Yadd ] + * Drop __proto__ calls in tests (Closes: #1033821) + + -- Yadd Mon, 03 Apr 2023 10:13:25 +0400 + node-sockjs-client (1.6.1+dfsg1-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 811e9fc..809ccdc 100644 --- a/debian/control +++ b/debian/control @@ -22,10 +22,10 @@ Build-Depends: , node-proxyquire , node-serve-static , node-uuid -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/js-team/node-sockjs-client Vcs-Git: https://salsa.debian.org/js-team/node-sockjs-client.git -Homepage: http://sockjs.org +Homepage: https://sockjs.org Rules-Requires-Root: no Package: node-sockjs-client 
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 2f1b0b2..a846c89 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides 
@@ -1,27 +1,27 @@ # false positive -node-sockjs-client source: source-is-missing lib/utils/escape.js -node-sockjs-client source: source-is-missing tests/lib/echo-tests.js -source-contains-prebuilt-javascript-object lib/utils/escape.js -source-contains-prebuilt-javascript-object tests/lib/echo-tests.js -very-long-line-length-in-source-file lib/utils/escape.js line * -very-long-line-length-in-source-file tests/lib/echo-tests.js line * -very-long-line-length-in-source-file *.md line * +node-sockjs-client source: source-is-missing [lib/utils/escape.js] +node-sockjs-client source: source-is-missing [tests/lib/echo-tests.js] +source-contains-prebuilt-javascript-object [lib/utils/escape.js] +source-contains-prebuilt-javascript-object [tests/lib/echo-tests.js] +very-long-line-length-in-source-file * [lib/utils/escape.js:*] +very-long-line-length-in-source-file * [tests/lib/echo-tests.js:*] +very-long-line-length-in-source-file * [*.md:*] # False positive in test module -source-is-missing debian/tests/test_modules/sockjs/lib/iframe.js -source-is-missing debian/tests/test_modules/sockjs/lib/sockjs.js -source-is-missing debian/tests/test_modules/sockjs/lib/trans-eventsource.js -source-is-missing debian/tests/test_modules/sockjs/lib/trans-htmlfile.js -source-is-missing debian/tests/test_modules/sockjs/lib/trans-jsonp.js -source-is-missing debian/tests/test_modules/sockjs/lib/trans-websocket.js -source-is-missing debian/tests/test_modules/sockjs/lib/trans-xhr.js -source-is-missing debian/tests/test_modules/sockjs/lib/transport.js -source-contains-prebuilt-javascript-object debian/tests/test_modules/sockjs/lib/iframe.js -source-contains-prebuilt-javascript-object debian/tests/test_modules/sockjs/lib/sockjs.js -source-contains-prebuilt-javascript-object debian/tests/test_modules/sockjs/lib/trans-eventsource.js -source-contains-prebuilt-javascript-object debian/tests/test_modules/sockjs/lib/trans-htmlfile.js -source-contains-prebuilt-javascript-object 
debian/tests/test_modules/sockjs/lib/trans-jsonp.js -source-contains-prebuilt-javascript-object debian/tests/test_modules/sockjs/lib/trans-websocket.js -source-contains-prebuilt-javascript-object debian/tests/test_modules/sockjs/lib/trans-xhr.js -source-contains-prebuilt-javascript-object debian/tests/test_modules/sockjs/lib/transport.js -very-long-line-length-in-source-file debian/tests/test_modules/sockjs/lib/sockjs.js line 122 is 675 characters long (>512) +source-is-missing [debian/tests/test_modules/sockjs/lib/iframe.js] +source-is-missing [debian/tests/test_modules/sockjs/lib/sockjs.js] +source-is-missing [debian/tests/test_modules/sockjs/lib/trans-eventsource.js] +source-is-missing [debian/tests/test_modules/sockjs/lib/trans-htmlfile.js] +source-is-missing [debian/tests/test_modules/sockjs/lib/trans-jsonp.js] +source-is-missing [debia
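Review bot: the rewritten overrides keep the file's mixed form, lines 2-3 carrying the `node-sockjs-client source:` prefix while lines 4-8 and the test-module block do not; lintian accepts both, but one style per file is easier to maintain. Also, the changelog's substantive entry, "Drop __proto__ calls in tests (Closes: #1033821)", has no corresponding hunk among those visible in this debdiff excerpt, so the reviewer should confirm the tests change is present in the uploaded source.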
Bug#1033810: unblock: cyrus-imapd/3.6.1-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: cyrus-im...@packages.debian.org Control: affects -1 + src:cyrus-imapd Please unblock package cyrus-imapd [ Reason ] debian/copyright was incomplete [ Impact ] Incomplete copyright [ Tests ] No code change [ Risks ] No risk here, no code change. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock cyrus-imapd/3.6.1-4 diff --git a/debian/changelog b/debian/changelog index 9d1408cb..a6d3c31a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cyrus-imapd (3.6.1-4) unstable; urgency=medium + + * Update copyright + * Declare compliance with policy 4.6.2 + + -- Yadd Fri, 31 Mar 2023 11:12:57 +0400 + cyrus-imapd (3.6.1-2) unstable; urgency=medium [ Remus-Gabriel Chelu ] diff --git a/debian/control b/debian/control index ad383b18..d20e0f52 100644 --- a/debian/control +++ b/debian/control @@ -51,7 +51,7 @@ Build-Depends: bison, unicode-data, xxd, xutils-dev -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/debian/cyrus-imapd Vcs-Git: https://salsa.debian.org/debian/cyrus-imapd.git Homepage: https://www.cyrusimap.org/ diff --git a/debian/copyright b/debian/copyright index b6d376e4..1049ba5c 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -7,6 +7,43 @@ Files: * Copyright: 1994-2020, Carnegie Mellon University License: CMU +Files: cassandane/* +Copyright: 2011 Opera Software Australia Pty. Ltd. +License: OSAP + +Files: cassandane/Cassandane/* + cassandane/utils/crash.c +Copyright: 2011-2022 Fastmail Pty Ltd +License: FPL + +Files: cmulocal/ax_cxx_compile_stdcxx_11.m4 +Copyright: 2008 Benjamin Kosnik + 2012 Zack Weinberg + 2013 Roy Stogner + 2014, 2015 Google Inc., contributed by Alexey Sokolov + 2015 Paul Norman +License: FSFAPL + +Files: cmulocal/ax_prog_perl_modules.m4 +Copyright: 2009 Dean Povey +License: FSFAPL + +Files: cmulocal/*.m4 + compile + config.* + ylwrap +Copyright: 1992-2022 Free Software Foundation, Inc. +License: GPL-2+ + +Files: cmulocal/ax_python_module.m4 +Copyright: 2008 Andrew Collier +License: FSFAPL + +Files: com_err/et/* +Copyright: 1987, 1988 by the Student Information Processing Board of the + Massachusetts Institute of Technology +License: MIT + Files: debian/* Copyright: 1997, Joey Hess 2001-2010, Henrique de Moraes Holschuh @@ -18,6 +55,11 @@ Copyright: 1997, Joey Hess 2019-2022, Yadd License: GPL-2+ +Files: doc/* +Copyright: 1993–2023 The Cyrus Team +License: CMU +Comment: Built with Sphinx, license BSD-2-Clause + Files: imap/objectstore_caringo.c Copyright: 2015 OpenIO, as a part of Cyrus License: CMU 
@@ -128,6 +170,41 @@ License: CMU AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +License: FPL + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in +the documentation and/or other materials provided with the +distribution. + . + 3. The name "Fastmail Pty Ltd" must not be used to +endorse or promote products derived from this software without +prior written permission. For permission or any legal +details, please contact + FastMail Pty Ltd + PO Box 234 + Collins St West 8007 + Victoria + Australia + . + 4. Redistributions of any form whatsoever must retain the following +acknowledgment: +"This product includes software developed by Fastmail Pty. Ltd." + . + FASTMAIL PTY LTD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + EVENT SHALL OPERA SOFTWARE AUSTRALIA BE LIABLE FOR ANY SPECIAL, INDIRECT + OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER + TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE + OF THIS SOFTWARE. + License: Expat Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to 
@@ -146,6 +223,12 @@ License: Expat AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. +License: FSFAPL + Copying and distribution of this file
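Review bot: DEP-5 resolves overlapping `Files:` paragraphs by letting the last match win, so placing `Files: cmulocal/*.m4` (GPL-2+) after the paragraphs for `cmulocal/ax_cxx_compile_stdcxx_11.m4` and `cmulocal/ax_prog_perl_modules.m4` (FSFAPL) makes the wildcard override both; move the wildcard paragraph above the specific `ax_*.m4` ones, as is already the case for `cmulocal/ax_python_module.m4`, which follows it. Also, the new `License: FPL` text names Fastmail throughout but its disclaimer reads "IN NO EVENT SHALL OPERA SOFTWARE AUSTRALIA BE LIABLE", which looks copied from the OSAP text; please check it against the upstream cassandane licence wording before upload.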
Bug#1033770: bullseye-pu: package apache2/2.4.56-1~deb11u2
Control: tags -1 - confirmed On 4/1/23 22:47, Moritz Mühlenhoff wrote: Am Sat, Apr 01, 2023 at 08:32:55AM +0400 schrieb Yadd: Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: apac...@packages.debian.org Control: affects -1 + src:apache2 [ Reason ] apache2 silently reenable apache2-doc.conf despite having been disabled (#1018718) If we update Apache in Bullseye, how about also adding patches for #1033408 and #1033284? Cheers, Moritz Hi, here is the new debdiff Cheers, Yadddiff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index ..c048ae45 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,9 @@ +apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium + + This version does not automatically enable the apache2 config snippet for + /manual anymore. If you want to have it enabled you will need to do this + yourself, e.g. with + +/usr/sbin/a2enconf apache2-doc + + -- Yadd Sat, 01 Apr 2023 08:17:08 +0400 diff --git a/debian/apache2-doc.postinst b/debian/apache2-doc.postinst deleted file mode 100644 index e7e1e5a7.. --- a/debian/apache2-doc.postinst +++ /dev/null @@ -1,17 +0,0 @@ -#! /bin/sh - -set -e - -# conffiles must be moved before invoking rc.d -#DEBHELPER# - -# This code should use dh_apache2 once it is available as build dependency - -if [ "$1" = "configure" ] ; then - if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then - . /usr/share/apache2/apache2-maintscript-helper - apache2_invoke enconf apache2-doc || true - fi -fi - -exit diff --git a/debian/changelog b/debian/changelog index 41c3a7cc..e440c341 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,15 @@ +apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium + + [ Hendrik Jäger ] + * Don't automatically enable apache2-doc.conf (Closes: #1018718) + + [ Yadd ] + * Fix regression in mod_rewrite introduced in version 2.4.56 + (Closes: #1033284) + * Fix regression in http2 introduced by 2.4.56 (Closes: #1033408) + + -- Yadd Sun, 02 Apr 2023 07:06:01 +0400 + apache2 (2.4.56-1~deb11u1) bullseye-security; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690) diff --git a/debian/patches/fix-2.4.56-regression-2.patch b/debian/patches/fix-2.4.56-regression-2.patch new file mode 100644 index ..d19373c0 --- /dev/null +++ b/debian/patches/fix-2.4.56-regression-2.patch @@ -0,0 +1,30 @@ +Description: h2 request headers clone instead of copy +Author: Stefan Eissing +Origin: upstream, https://bz.apache.org/bugzilla/attachment.cgi?id=38527=diff +Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=66539 +Bug-Debian: https://bugs.debian.org/1033408 +Forwarded: not-needed +Applied-Upstream: 2.4.57 +Reviewed-By: Yadd +Last-Update: 2023-04-02 + +--- a/modules/http2/h2_request.c b/modules/http2/h2_request.c +@@ -279,7 +279,7 @@ + apr_bucket *h2_request_create_bucket(const h2_request *req, request_rec *r) + { + conn_rec *c = r->connection; +-apr_table_t *headers = apr_table_copy(r->pool, req->headers); ++apr_table_t *headers = apr_table_clone(r->pool, req->headers); + const char *uri = req->path; + + AP_DEBUG_ASSERT(req->authority); +@@ -303,7 +303,7 @@ + { + const char *cl; + +-r->headers_in = apr_table_copy(r->pool, req->headers); ++r->headers_in = apr_table_clone(r->pool, req->headers); + if (req->authority) { + /* for internal handling, we have to simulate that :authority + * came in as Host:, RFC 9113 ch. says that mismatches between diff --git a/debian/patches/fix-2.4.56-regression.patch b/debian/patches/fix-2.4.56-regression.patch new file mode 100644 index ..0203491d --- /dev/null +++ b/debian/patches/fix-2.4.56-regression.patch 
@@ -0,0 +1,19 @@ +Description: fix 2.4.56 regression +Author: covener +Bug-Debian: https://bugs.debian.org/1033284 +Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/mappers/mod_rewrite.c?r1=1908813=1908812=1908813 +Forwarded: not-needed +Applied-Upstream: 2.4.57 +Reviewed-By: Yadd +Last-Update: 2023-04-01 + +--- a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c +@@ -3854,6 +3854,7 @@ + if (*(a2_end-1) == '?') { + /* a literal ? at the end of the unsubstituted rewrite rule */ + newrule->flags |= RULEFLAG_QSNONE; ++ *(a2_end-1) = '\0'; /* trailing ? has done its job */ + } + else if (newrule->flags & RULEFLAG_QSDISCARD) { + if (NULL == ap_strchr(newrule->output, '?')) { diff --git a/debian/patches/series b/debian/patches/series index aa0aae42..6d738242 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -4,6 +4,8 @@ suexec-CVE-2007-1742.patch customize_apxs.patch build_suexec-custom.patch reproducible_builds.diff +fix-2.4.56-regression.patch +fix-2.4.56-regression-2.patch # This patch is applied manually #suexec-custom.patch
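Review bot: `apr_table_copy` duplicates only the entry array and keeps the key and value strings shared with `req->headers`, whereas `apr_table_clone` deep-copies them into `r->pool`; since `r->headers_in` is routinely rewritten by later modules, cloning at h2_request.c:282 and :306 is the correct way to keep one request's edits from altering the stream's stored headers. Please confirm the libapr1-dev Build-Depends is new enough to provide `apr_table_clone`, and note that the Origin URL `attachment.cgi?id=38527=diff` has lost its `&` query separator and will not resolve as written.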
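Review bot: `*(a2_end-1) = '\0';` at mod_rewrite.c:3857 truncates the rule's output string in place to drop the literal trailing `?` once `RULEFLAG_QSNONE` has been recorded, which is only safe because `a2` is the rule's own writable copy; a short comment beside the write saying so would help the next reader, since the `QSDISCARD` branch below searches `newrule->output` for `?` and now behaves differently for the two cases. The Origin URL in this patch header is also garbled (`?r1=1908813=1908812=1908813` has lost its `&` separators) and should be fixed so the reference stays usable.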
Bug#1033770: bullseye-pu: package apache2/2.4.56-1~deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: apac...@packages.debian.org Control: affects -1 + src:apache2 [ Reason ] apache2 silently reenables apache2-doc.conf despite its having been disabled (#1018718) [ Impact ] This behavior overwrites local changes on upgrade, which is a release-critical bug as it’s a Policy violation [ Tests ] No change [ Risks ] No risk here [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Drop apache2-doc.postinst [ Other ] Fixed in testing/Bookworm in version 2.4.54-3. Cheers, Yadd diff --git a/debian/NEWS b/debian/NEWS new file mode 100644 index ..c048ae45 --- /dev/null +++ b/debian/NEWS @@ -0,0 +1,9 @@ +apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium + + This version does not automatically enable the apache2 config snippet for + /manual anymore. If you want to have it enabled you will need to do this + yourself, e.g. with + +/usr/sbin/a2enconf apache2-doc + + -- Yadd Sat, 01 Apr 2023 08:17:08 +0400 diff --git a/debian/apache2-doc.postinst b/debian/apache2-doc.postinst deleted file mode 100644 index e7e1e5a7.. --- a/debian/apache2-doc.postinst +++ /dev/null @@ -1,17 +0,0 @@ -#! /bin/sh - -set -e - -# conffiles must be moved before invoking rc.d -#DEBHELPER# - -# This code should use dh_apache2 once it is available as build dependency - -if [ "$1" = "configure" ] ; then - if [ -e /usr/share/apache2/apache2-maintscript-helper ] ; then - . /usr/share/apache2/apache2-maintscript-helper - apache2_invoke enconf apache2-doc || true - fi -fi - -exit diff --git a/debian/changelog b/debian/changelog index 41c3a7cc..1c0d3659 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +apache2 (2.4.56-1~deb11u2) bullseye; urgency=medium + + [ Hendrik Jäger ] + * Don't automatically enable apache2-doc.conf (Closes: #1018718) + + -- Yadd Sat, 01 Apr 2023 08:24:10 +0400 + apache2 (2.4.56-1~deb11u1) bullseye-security; urgency=medium * New upstream version (Closes: #1032476, CVE-2023-27522, CVE-2023-25690)
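Review bot: removing apache2-doc.postinst stops the snippet from being enabled on every configure, but nothing in this diff disables it where an earlier upgrade already enabled it, so existing installs keep /manual served while fresh installs do not. The NEWS entry reads as if the snippet is now off everywhere; add a sentence that previously enabled snippets are left untouched and that `a2disconf apache2-doc` turns them off.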
Bug#1033766: bullseye-pu: package cyrus-imapd/3.6.1-4
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: cyrus-im...@packages.debian.org Control: affects -1 + src:cyrus-imapd [ Reason ] debian/copyright was incomplete [ Impact ] Incomplete copyright [ Tests ] No change, test passed. Note that autopkgtest works but has been disabled on Debian machines (too long). [ Risks ] No risk here, no code change. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Update of debian/copyright Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 9d1408cb..a6d3c31a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cyrus-imapd (3.6.1-4) unstable; urgency=medium + + * Update copyright + * Declare compliance with policy 4.6.2 + + -- Yadd Fri, 31 Mar 2023 11:12:57 +0400 + cyrus-imapd (3.6.1-2) unstable; urgency=medium [ Remus-Gabriel Chelu ] diff --git a/debian/control b/debian/control index ad383b18..d20e0f52 100644 --- a/debian/control +++ b/debian/control @@ -51,7 +51,7 @@ Build-Depends: bison, unicode-data, xxd, xutils-dev -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Vcs-Browser: https://salsa.debian.org/debian/cyrus-imapd Vcs-Git: https://salsa.debian.org/debian/cyrus-imapd.git Homepage: https://www.cyrusimap.org/ diff --git a/debian/copyright b/debian/copyright index b6d376e4..1049ba5c 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -7,6 +7,43 @@ Files: * Copyright: 1994-2020, Carnegie Mellon University License: CMU +Files: cassandane/* +Copyright: 2011 Opera Software Australia Pty. Ltd. +License: OSAP + +Files: cassandane/Cassandane/* + cassandane/utils/crash.c +Copyright: 2011-2022 Fastmail Pty Ltd +License: FPL + +Files: cmulocal/ax_cxx_compile_stdcxx_11.m4 +Copyright: 2008 Benjamin Kosnik + 2012 Zack Weinberg + 2013 Roy Stogner + 2014, 2015 Google Inc., contributed by Alexey Sokolov + 2015 Paul Norman +License: FSFAPL + +Files: cmulocal/ax_prog_perl_modules.m4 +Copyright: 2009 Dean Povey +License: FSFAPL + +Files: cmulocal/*.m4 + compile + config.* + ylwrap +Copyright: 1992-2022 Free Software Foundation, Inc. +License: GPL-2+ + +Files: cmulocal/ax_python_module.m4 +Copyright: 2008 Andrew Collier +License: FSFAPL + +Files: com_err/et/* +Copyright: 1987, 1988 by the Student Information Processing Board of the + Massachusetts Institute of Technology +License: MIT + Files: debian/* Copyright: 1997, Joey Hess 2001-2010, Henrique de Moraes Holschuh @@ -18,6 +55,11 @@ Copyright: 1997, Joey Hess 2019-2022, Yadd License: GPL-2+ +Files: doc/* +Copyright: 1993–2023 The Cyrus Team +License: CMU +Comment: Built with Sphinx, license BSD-2-Clause + Files: imap/objectstore_caringo.c Copyright: 2015 OpenIO, as a part of Cyrus License: CMU 
@@ -128,6 +170,41 @@ License: CMU AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +License: FPL + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + . + 1. Redistributions of source code must retain the above copyright +notice, this list of conditions and the following disclaimer. + . + 2. Redistributions in binary form must reproduce the above copyright +notice, this list of conditions and the following disclaimer in +the documentation and/or other materials provided with the +distribution. + . + 3. The name "Fastmail Pty Ltd" must not be used to +endorse or promote products derived from this software without +prior written permission. For permission or any legal +details, please contact + FastMail Pty Ltd + PO Box 234 + Collins St West 8007 + Victoria + Australia + . + 4. Redistributions of any form whatsoever must retain the following +acknowledgment: +"This product includes software developed by Fastmail Pty. Ltd." + . + FASTMAIL PTY LTD DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, + INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO + EVENT SHALL OPERA SOFTWARE AUSTRALIA BE LIABLE FOR ANY SPECIAL, INDIRECT + OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF + USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER + TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE + OF THIS SOFTWARE. + License: Expat Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to @@ -146,6 +223,12 @@ License: Expat AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- TIO
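Review bot: in the debian/copyright hunk the wildcard paragraph `Files: cmulocal/*.m4` (GPL-2+) comes after the specific `cmulocal/ax_cxx_compile_stdcxx_11.m4` and `cmulocal/ax_prog_perl_modules.m4` paragraphs; in the machine-readable copyright format the last matching Files paragraph wins, so those two files are effectively declared GPL-2+ / FSF rather than FSFAPL. Move the wildcard paragraph above them, as is already the case for `cmulocal/ax_python_module.m4`. Two smaller points: the new FPL text says `IN NO EVENT SHALL OPERA SOFTWARE AUSTRALIA BE LIABLE` inside a Fastmail licence, so check it against the upstream file verbatim; and `1993–2023` uses an en dash where the rest of the file uses `-`.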
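Review bot: the changelog entry targets `unstable` and the debian/control hunk bumps Standards-Version to 4.6.2, while the request is tagged bullseye-pu; a stable update normally carries only the copyright fix and names the stable distribution, so either retarget the entry or state why this artifact is the right one for bullseye.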
Bug#1033653: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: lemonldap...@packages.debian.org, secur...@debian.org Control: affects -1 + src:lemonldap-ng [ Reason ] lemonldap-ng is vulnerable to a second factor bypass when used with an "AuthBasic handler" (generally used for non-browser apps). [ Impact ] Medium security issue. [ Tests ] New test proves that issue is fixed [ Risks ] Low risk, patch isn't so big and test coverage looks good [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] No longer accept basic authentication in the AuthBasic handler when a second factor is required; also add an environment variable to restore the previous behavior. [ Other info ] I haven't pushed the already accepted patch for deb11u3 (#1030598) yet. Maybe we could join and push directly deb11u4 into Bullseye. Cheers, Yadd diff --git a/debian/NEWS b/debian/NEWS index b8955920b..c4d7ee951 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,15 @@ +lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium + + AuthBasic now enforces 2FA activation (CVE-2023-28862): + In previous versions of LemonLDAP::NG, a 2FA protected account didn't need + to use their second factor when authenticating to an AuthBasic handler. + If you want 2FA protected accounts to access AuthBasic handlers, which are + password only, you can add the following test in your 2FA activation rules: + +and not $ENV{AuthBasic} + + -- Yadd Wed, 29 Mar 2023 15:24:20 +0400 + lemonldap-ng (2.0.9+ds-1) unstable; urgency=medium CVE-2020-24660 diff --git a/debian/changelog b/debian/changelog index b6f666f69..5d2c62ac0 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,9 @@ +lemonldap-ng (2.0.11+ds-4+deb11u4) bullseye; urgency=medium + + * Fix 2FA issue when using AuthBasic handler (CVE-2023-28862) + + -- Yadd Wed, 29 Mar 2023 15:50:40 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u3) bullseye; urgency=medium * Fix URL validation bypass diff --git a/debian/patches/CVE-2023-28862.patch b/debian/patches/CVE-2023-28862.patch new file mode 100644 index 0..9fb5d9d23 --- /dev/null +++ b/debian/patches/CVE-2023-28862.patch 
@@ -0,0 +1,401 @@ +Description: fix AuthBasic security issue when used with second factor + To simplify, AuthBasic accepted connections even if 2FA failed +Author: Yadd +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2896 +Forwarded: not-needed +Applied-Upstream: 2.16.1, (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/334) +Last-Update: 2023-03-29 + +--- a/doc/sources/admin/upgrade_2_0_x.rst b/doc/sources/admin/upgrade_2_0_x.rst +@@ -26,6 +26,19 @@ + + None + ++2.16.1 ++ ++ ++AuthBasic now enforces 2FA activation ++~ ++ ++In previous versions of LemonLDAP::NG, a 2FA protected account didn't need to use their second factor when authenticating to an :doc:`AuthBasic handler `. ++ ++If you are *absolutely sure* that you want 2FA protected accounts to access AuthBasic handlers, which are password only, you can add the following test in your 2FA activation rules :: +++ +++and not $ENV{AuthBasic} +++ +++ + 2.0.11 + -- + +--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/AuthBasic.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/AuthBasic.pm +@@ -28,9 +28,8 @@ + my ( $class, $req ) = @_; + if ( my $creds = $req->env->{'HTTP_AUTHORIZATION'} ) { + $creds =~ s/^Basic\s+//; +-my @date = localtime; +-my $day = $date[5] * 366 + $date[7]; +-return Digest::SHA::sha256_hex( $creds . $day ); ++my $pepper = int( time / $class->tsv->{timeout} ) . $class->tsv->{keyH}; ++return sha256_hex( $creds . 
$pepper ); + } + else { + return 0; +--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Reload.pm +@@ -5,6 +5,7 @@ + package Lemonldap::NG::Handler::Main; + + use strict; ++use Digest::SHA qw(sha256_hex); + use Lemonldap::NG::Common::Conf::Constants;#inherits + use Lemonldap::NG::Common::Crypto; + use Lemonldap::NG::Common::Safelib;#link protected safe Safe object +@@ -208,6 +209,7 @@ + ); + + $class->tsv->{cipher} = Lemonldap::NG::Common::Crypto->new( $conf->{key} ); ++$class->tsv->{keyH} = sha256_hex( $conf->{key} ); + + foreach my $opt (qw(https port maintenance)) { + +--- a/lemonldap-ng-portal/MANIFEST b/lemonldap-ng-portal/MANIFEST +@@ -579,6 +579,7 @@ + t/35-My-session.t + t/35-REST-config-backend.t + t/35-REST-export-password.t ++t/35-REST-sessions-with-AuthBasic-handler-with-2FA.t + t/35-REST-sessions-with-AuthBasic-handler
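Review bot: in the AuthBasic.pm hunk the cache key now mixes in `tsv->{keyH}` (sha256 of the configured key) and rolls over every `tsv->{timeout}` seconds instead of once a day, which addresses the stated problem; but the call changes from `Digest::SHA::sha256_hex` to a bare `sha256_hex`, and the `use Digest::SHA qw(sha256_hex)` import is added to Reload.pm (package Lemonldap::NG::Handler::Main), not to this file. Confirm AuthBasic.pm imports it itself (its `use` lines are not in the hunk); otherwise the call dies with an undefined subroutine at runtime. Note also that `int( time / timeout )` buckets mean a credential checked just before a bucket boundary is re-validated almost immediately, which is harmless but worth a comment.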
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
On 3/15/23 16:38, Yadd wrote: Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-webp...@packages.debian.org Control: affects -1 + src:node-webpack Please unblock package node-webpack [ Reason ] node-webpack is vulnerable to cross-realm object access (#1032904, CVE-2023-28154). [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] Low risk, autopkgtest passed on all reverse dependencies [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] The attached debdiff doesn't show the doc and test snapshot updates, else debdiff is really big and not relevant. Cheers, Yadd unblock node-webpack/5.76.1+dfsg1+~cs17.16.16-1 Sorry, I didn't see that node-webpack was considered a key package.
Bug#1032994: unblock: node-webpack/5.76.1+dfsg1+~cs17.16.16-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-webp...@packages.debian.org Control: affects -1 + src:node-webpack Please unblock package node-webpack [ Reason ] node-webpack is vulnerable to cross-realm object access (#1032904, CVE-2023-28154). [ Impact ] Medium security issue [ Tests ] Test updated, passed [ Risks ] Low risk, autopkgtest passed on all reverse dependencies [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] The attached debdiff doesn't show the doc and test snapshot updates, else debdiff is really big and not relevant. Cheers, Yadd unblock node-webpack/5.76.1+dfsg1+~cs17.16.16-1 diff --git a/README.md b/README.md index c712d27f..a6549c1c 100644 --- a/README.md +++ b/README.md 
@@ -158,11 +158,11 @@ or are automatically applied via regex from your webpack configuration. Transpiling -| Name |Status | Install Size | Description | -| :: | :---: | :: | : | -| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | -| https://github.com/TypeStrong/ts-loader;>https://cdn.rawgit.com/Microsoft/TypeScript/master/doc/logo.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | -|https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;>| ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | +| Name |Status | Install Size | Description | +| :--: | :---: | :: | : | +| https://github.com/babel/babel-loader;>https://worldvectorlogo.com/logos/babel-10.svg;> | ![babel-npm] | ![babel-size] | Loads ES2015+ code and transpiles to ES5 using https://github.com/babel/babel;>Babel | +| https://github.com/TypeStrong/ts-loader;>https://raw.githubusercontent.com/microsoft/TypeScript-Website/f407e1ae19e5e990d9901ac8064a32a8cc60edf0/packages/typescriptlang-org/static/branding/ts-logo-128.svg;> | ![type-npm] | ![type-size] | Loads TypeScript like JavaScript | +| https://github.com/webpack-contrib/coffee-loader;>https://worldvectorlogo.com/logos/coffeescript.svg;> | ![coffee-npm] | ![coffee-size] | Loads CoffeeScript like JavaScript | [babel-npm]: https://img.shields.io/npm/v/babel-loader.svg [babel-size]: https://packagephobia.com/badge?p=babel-loader @@ -175,7 +175,7 @@ or are automatically applied via regex from your webpack configuration. | Name | Status | Install Size | Description | | :---: | :-: | :--: | :---
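Review bot: the visible part of this debdiff only touches README.md (table alignment and a logo URL); the hunk that actually addresses CVE-2023-28154 is not in what is shown, so the unblock cannot be checked from the diff alone. Since the doc and test snapshots were already trimmed, the lib/ change is the one part that should be kept in the attachment.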
Bug#1032977: Bug#1032976: unblock: node-sqlite3/5.1.5+ds1-1
On 3/15/23 11:40, Jonathan Wiltshire wrote: It's a bit noisy with the other stuff from the upstream release, but I can see the argument for sticking with it rather than cherry-picking. Unblocked. Thanks Jonathan! I also pushed an unblock request for Apache 2.4.56. Since we decided to follow upstream releases in bullseye-security, we need to have apache2 2.4.56 in testing before releasing apache2 2.4.56~deb11u1 in stable-security. Best regards, Yadd
Bug#1032976: unblock: node-sqlite3/5.1.5+ds1-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: node-sqli...@packages.debian.org Control: affects -1 + src:node-sqlite3 Please unblock package node-sqlite3 [ Reason ] A code execution vulnerability was discovered in node-sqlite3 due to the underlying implementation of .toString(). It is then possible to execute arbitrary JavaScript or to achieve a denial of service if a binding parameter is a crafted object. (CVE-2022-43441) [ Impact ] Major security issue [ Tests ] New test added, passed [ Risks ] No risk, patch is trivial. The main change is this: @@ -208,7 +208,7 @@ template Values::Field* return new Values::Float(pos, source.ToNumber().DoubleValue()); } else if (source.IsObject()) { -Napi::String napiVal = source.ToString(); +Napi::String napiVal = Napi::String::New(source.Env(), "[object Object]"); // Check whether toString returned a value that is not undefined. if(napiVal.Type() == 0) { return NULL; [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] DSA pushed also for bullseye (5.0.0+ds1-1+deb11u2) unblock node-sqlite3/5.1.5+ds1-1 diff --git a/README.md b/README.md index 4a214a6..571df9e 100644 --- a/README.md +++ b/README.md @@ -17,7 +17,7 @@ Asynchronous, non-blocking [SQLite3](https://sqlite.org/) bindings for [Node.js] - [Extension support](https://github.com/TryGhost/node-sqlite3/wiki/API#databaseloadextensionpath-callback), including bundled support for the [json1 extension](https://www.sqlite.org/json1.html) - Big test suite - Written in modern C++ and tested for memory leaks - - Bundles SQLite v3.39.4, or you can build using a local SQLite + - Bundles SQLite v3.41.1, or you can build using a local SQLite # Installing diff --git a/binding.gyp b/binding.gyp index f1336f6..20d418b 100644 --- a/binding.gyp +++ b/binding.gyp 
@@ -25,8 +25,10 @@ "libraries": [ "-l<(sqlite_libname)" ], -"conditions": [ [ "OS=='linux'", {"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ] ], -"conditions": [ [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]} ] ], +"conditions": [ + [ "OS=='linux'", {"libraries+":["-Wl,-rpath=<@(sqlite)/lib"]} ], + [ "OS!='win'", {"libraries+":["-L<@(sqlite)/lib"]} ] +], 'msvs_settings': { 'VCLinkerTool': { 'AdditionalLibraryDirectories': [ diff --git a/debian/changelog b/debian/changelog index a1b24b6..5eb4c18 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +node-sqlite3 (5.1.5+ds1-1) unstable; urgency=medium + + * Team upload + * Update lintian override info format in d/source/lintian-overrides +on line 2-3 + * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse + * Update standards version to 4.6.2, no changes needed. + * New upstream version (Closes: CVE-2022-43441) + + -- Yadd Tue, 14 Mar 2023 07:04:46 +0400 + node-sqlite3 (5.1.2+ds1-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index e775fb8..cd29f0e 100644 --- a/debian/control +++ b/debian/control @@ -16,7 +16,7 @@ Build-Depends: , mocha , libsqlite3-dev , dh-sequence-nodejs -Standards-Version: 4.6.1 +Standards-Version: 4.6.2 Homepage: https://github.com/mapbox/node-sqlite3/wiki Vcs-Git: https://salsa.debian.org/js-team/node-sqlite3.git Vcs-Browser: https://salsa.debian.org/js-team/node-sqlite3 diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides index 6694acf..30e1e92 100644 --- a/debian/source/lintian-overrides +++ b/debian/source/lintian-overrides 
@@ -1,5 +1,5 @@ # only long lines, source is readable -source-is-missing *test/null_error.test.js* -source-contains-prebuilt-javascript-object *test/null_error.test.js* +source-is-missing [*test/null_error.test.js*] +source-contains-prebuilt-javascript-object [*test/null_error.test.js*] very-long-line-length-in-source-file *.md* very-long-line-length-in-source-file *test/null_error.test.js* diff --git a/debian/upstream/metadata b/debian/upstream/metadata index 4b6a0f1..b794be2 100644 --- a/debian/upstream/metadata +++ b/debian/upstream/metadata @@ -1,6 +1,6 @@ --- Archive: GitHub -Bug-Database: https://github.com/mapbox/node-sqlite3/issues -Bug-Submit: https://github.com/mapbox/node-sqlite3/issues/new +Bug-Database: https://github.com/TryGhost/node-sqlite3/issues +Bug-Submit: https://github.com/TryGhost/node-sqlite3/issues/new Repository: https://github.com/mapbox/node
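Review bot: after the `Napi::String::New(source.Env(), "[object Object]")` change, the lines that follow it, `// Check whether toString returned a value that is not undefined.` and `if(napiVal.Type() == 0)`, can no longer trigger and should be dropped or re-commented. The behaviour change also deserves a NEWS or changelog line: any object reaching the `source.IsObject()` branch is now bound as the literal string "[object Object]" instead of whatever its own toString() produced, so code that bound objects with a meaningful string form will write different values.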
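Review bot: the binding.gyp hunk fixes a silent bug rather than just style: the old dictionary had two `"conditions"` keys, so the second (`-L<@(sqlite)/lib`) replaced the first and the Linux `-Wl,-rpath=<@(sqlite)/lib` entry was never applied. Merging them into one list re-enables the rpath on Linux builds against a local SQLite, which is a linking behaviour change worth one changelog line.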
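Review bot: Bug-Database and Bug-Submit in debian/upstream/metadata move to the TryGhost organisation, but the Repository line still starts with `https://github.com/mapbox/node` and Homepage in debian/control still points at `mapbox/node-sqlite3/wiki`; update the three together so the metadata agrees on where upstream lives.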
Bug#1032921: bullseye-pu: package node-webpack/4.43.0-6+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-webp...@packages.debian.org Control: affects -1 + src:node-webpack [ Reason ] node-webpack is vulnerable to cross-realm object access (#1032904, CVE-2023-28154) [ Impact ] Medium security issue [ Tests ] Sadly webpack has no test in Bullseye [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better isolation in distinct Node.js vm for each object to parse before setting keys in vulnerable object Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 4bbdc0d3..dcd60ee0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-webpack (4.43.0-6+deb11u1) bullseye; urgency=medium + + * Team upload + * Avoid cross-realm object access (Closes: #1032904, CVE-2023-28154) + + -- Yadd Tue, 14 Mar 2023 07:43:57 +0400 + node-webpack (4.43.0-6) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2023-28154.patch b/debian/patches/CVE-2023-28154.patch new file mode 100644 index ..c239d37b --- /dev/null +++ b/debian/patches/CVE-2023-28154.patch 
@@ -0,0 +1,72 @@ +Description: avoid cross-realm object access +Author: Jack Works +Bug: https://security-tracker.debian.org/tracker/CVE-2023-28154 +Bug-Debian: https://bugs.debian.org/1032904 +Forwarded: not-needed +Applied-Upstream: 5.76.0, commit:4b4ca3bb +Reviewed-By: Yadd +Last-Update: 2023-03-14 + +--- a/lib/Parser.js b/lib/Parser.js +@@ -2335,11 +2335,20 @@ + if (value && webpackCommentRegExp.test(value)) { + // try compile only if webpack options comment is present + try { +- const val = vm.runInNewContext(`(function(){return {${value}};})()`); +- Object.assign(options, val); ++ for (let [key, val] of Object.entries( ++ vm.runInNewContext(`(function(){return {${value}};})()`) ++ )) { ++ if (typeof val === "object" && val !== null) { ++ if (val.constructor.name === "RegExp") val = new RegExp(val); ++ else val = JSON.parse(JSON.stringify(val)); ++ } ++ options[key] = val; ++ } + } catch (e) { +- e.comment = comment; +- errors.push(e); ++ const newErr = new Error(String(e.message)); ++ newErr.stack = String(e.stack); ++ Object.assign(newErr, { comment }); ++ errors.push(newErr); + } + } + } +--- a/lib/dependencies/ImportParserPlugin.js b/lib/dependencies/ImportParserPlugin.js +@@ -127,7 +127,7 @@ + if (importOptions.webpackInclude !== undefined) { + if ( + !importOptions.webpackInclude || +- importOptions.webpackInclude.constructor.name !== "RegExp" ++ !(importOptions.webpackInclude instanceof RegExp) + ) { + parser.state.module.warnings.push( + new UnsupportedFeatureWarning( +@@ -137,13 +137,13 @@ + ) + ); + } else { +- include = new RegExp(importOptions.webpackInclude); ++ include = importOptions.webpackInclude; + } + } + if (importOptions.webpackExclude !== undefined) { + if ( + !importOptions.webpackExclude || +- importOptions.webpackExclude.constructor.name !== "RegExp" ++
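Review bot: the Parser.js hunk has the right shape: RegExps are rebuilt with `new RegExp(val)` in the host realm, everything else is forced through `JSON.parse(JSON.stringify(val))`, and the catch block recreates the Error in the host realm rather than pushing the vm's Error object. Two things to document in a comment: `val.constructor.name` throws on an object with no prototype and JSON.stringify throws on cyclic values, both of which now surface as a parse error via the catch; and `constructor.name === "RegExp"` is only a name comparison, acceptable here because the value is then rebuilt via `new RegExp()` so the host never keeps the foreign object.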
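Review bot: the ImportParserPlugin hunks replace `constructor.name !== "RegExp"` with `!(... instanceof RegExp)` and assign `importOptions.webpackInclude` directly instead of `new RegExp(...)`; both only hold because Parser.js now guarantees host-realm values, so a short comment pointing at that invariant would keep someone from reintroducing the old check later.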
Bug#1017925: RM: node-request/2.88.1-5
On 3/4/23 20:14, Paul Gevers wrote: Hi Yadd, On 22-08-2022 22:01, Paul Gevers wrote: On 22-08-2022 17:26, Yadd wrote: could you remove node-request from testing? Following #956423, it shouldn't be part of the next stable release. All its reverse dependencies are already removed from testing (yarnpkg, node-matrix-sdk). node-request is a build-dependency of node-yarnpkg which still is in testing. node-yarnpkg is a key-package, so that needs to be resolved first. I don't expect this to happen anymore for bookworm, right? You still have a couple of weeks though. Paul Hi, yarnpkg is not required for JS, but it seems to be a key package for ruby-* packages. It's hard to replace node-request here. Cheers, Yadd
Bug#1032134: bullseye-pu: package node-cookiejar/2.1.2-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-cookie...@packages.debian.org Control: affects -1 + src:node-cookiejar [ Reason ] node-cookiejar is vulnerable to ReDoS (CVE-2022-25901). [ Impact ] Medium security issue. [ Tests ] Test passed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Check if cookie is not too big Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index d31a10d..2ecbcad 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-cookiejar (2.1.2-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Add a guard against maliciously-sized cookies (Closes: CVE-2022-25901) + + -- Yadd Tue, 28 Feb 2023 17:55:16 +0400 + node-cookiejar (2.1.2-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-25901.patch b/debian/patches/CVE-2022-25901.patch new file mode 100644 index 000..8933f32 --- /dev/null +++ b/debian/patches/CVE-2022-25901.patch @@ -0,0 +1,22 @@ +Description: add a guard against maliciously-sized cookies +Author: Andy Burke +Bug: https://github.com/TheKingTermux/alice/issues/240 +Forwarded: not-needed +Applied-Upstream: 2.1.4, https://github.com/bmeck/node-cookiejar/pull/39 +Reviewed-By: Yadd +Last-Update: 2023-02-28 + +--- a/cookiejar.js b/cookiejar.js +@@ -65,6 +65,11 @@ + var cookie_str_splitter = /[:](?=\s*[a-zA-Z0-9_\-]+\s*[=])/g; + Cookie.prototype.parse = function parse(str, request_domain, request_path) { + if (this instanceof Cookie) { ++if ( str.length > 32768 ) { ++console.warn("Cookie too long for parsing (>32768 characters)"); ++return; ++} ++ + var parts = str.split(";").filter(function (value) { + return !!value; + }); 
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..239e3ed --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2022-25901.patch
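Review bot: the guard makes `Cookie.prototype.parse` return undefined for strings over 32768 characters while every other path in the function yields a Cookie or falls through; callers that assume a Cookie comes back should be checked, and `console.warn` from library code is noisy (a silent return, or an error the caller can catch, would be cleaner). The size cap mitigates the ReDoS without changing the parsing regexes, which is fine for a stable update but worth saying in the changelog. The `Bug:` field points at `TheKingTermux/alice/issues/240`, which is not the node-cookiejar project; it should reference the upstream advisory or PR #39.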
Bug#1030598: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u3
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: lemonldap...@packages.debian.org Control: affects -1 + src:lemonldap-ng [ Reason ] lemonldap-ng is vulnerable to URL validation bypass (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832). No CVE, fixed in lemonldap-ng 2.0.16-1 [ Impact ] Medium vulnerability: a hacker may use a LemonLDAP-NG URL to redirect to their site. [ Tests ] New test included in this patch [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Use URI to test base64 encoded URL instead of custom regex. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index c276c65c0..b6f666f69 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +lemonldap-ng (2.0.11+ds-4+deb11u3) bullseye; urgency=medium + + * Fix URL validation bypass +(https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832) + + -- Yadd Sun, 05 Feb 2023 18:03:16 +0400 + lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium * Add patch to improve session destroy propagation (Closes: CVE-2022-37186) diff --git a/debian/patches/fix-url-validation-bypass.patch b/debian/patches/fix-url-validation-bypass.patch new file mode 100644 index 0..7eb27f79b --- /dev/null +++ b/debian/patches/fix-url-validation-bypass.patch 
@@ -0,0 +1,66 @@ +Description: Fix URL validation bypass + An attacker can forge a redirection on a malicious site using a fake credentials in URL value. + . + Example: + . +Portal : https://auth.openid.club +Allowed application : https://test1.openid.club +Malicious site : https://google.fr +Malicious URL : https://test1.openid.club:t...@google.fr +Malicious URL base 64 : aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo= +Malicious redirection trigger : https://auth.openid.club/?url=aHR0cHM6Ly90ZXN0MS5vcGVuaWQuY2x1Yjp0ZXN0QGdvb2dsZS5mcgo= +Author: Maxime Besson +Origin: upstream, commit:88d3507d commit:e6156db0 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2832 +Forwarded: not-needed +Applied-Upstream: 2.0.16 +Reviewed-By: Yadd +Last-Update: 2023-02-05 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Process.pm +@@ -8,6 +8,7 @@ + use MIME::Base64; + use POSIX qw(strftime); + use Lemonldap::NG::Portal::Main::Constants qw(portalConsts); ++use URI; + + # Main method + # --- +@@ -152,12 +153,19 @@ + } + + # Unprotected hosts +-my ( $proto, $vhost, $appuri ) = $tmp =~ m#^(https?://)([^/]*)(.*)#; +-$vhost =~ s/:\d+$//; ++my ( $proto, $vhost, $appuri ); ++if ($tmp) { ++my $u = URI->new($tmp); ++if ( $u->scheme =~ /^https?$/ ) { ++$proto = $u->scheme; ++$vhost = $u->host if $u->can("host"); ++$appuri = $u->path_query; ++} ++} + + # Try to resolve alias + my $originalVhost = $self->HANDLER->resolveAlias($vhost); +-$vhost = $proto . $originalVhost; ++$vhost = $proto . '://' . $originalVhost; + $self->logger->debug( "Required URL (param: " + . ( $req->param('logout') ? 'HTTP Referer' : 'urldc' ) + . 
" | value: $tmp | alias: $vhost)" ); +--- a/lemonldap-ng-portal/t/03-XSS-protection.t b/lemonldap-ng-portal/t/03-XSS-protection.t +@@ -80,6 +80,11 @@ + => 0, + 'base64 encoded HTML tags', + ++# Make sure userinfo does not confuse URL parsing (#2832) ++# https://test1.example.com:t...@hacker.com ++'aHR0cHM6Ly90ZXN0MS5leGFtcGxlLmNvbTp0ZXN0QGhhY2tlci5jb20=' => 0, ++'userinfo trick', ++ + # LOGOUT TESTS + 'LOGOUT', + diff --git a/debian/patches/series b/debian/patches/series index 9d8952af0..8b9338fec 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -10,3 +10,4 @@ fix-xss-on-register-form.patch dont-display-totp-secret.patch CVE-2021-40874.patch CVE-2022-37186.patch +fix-url-validation-bypass.patch
Bug#1028992: bullseye-pu: package node-json5/2.1.3-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: node-js...@packages.debian.org Control: affects -1 + src:node-json5 [ Reason ] node-json5 is vulnerable to prototype pollution (CVE-2022-46175) [ Impact ] Medium security issue [ Tests ] New tests added, passed [ Risks ] Low risk, patch is simple and test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index fef8d26..0aa0bd6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-json5 (2.1.3-2+deb11u1) bullseye; urgency=medium + + * Team upload + * add __proto__ to objects and arrays (Closes: CVE-2022-46175) + + -- Yadd Mon, 16 Jan 2023 07:34:31 +0400 + node-json5 (2.1.3-2) unstable; urgency=medium * Team upload. diff --git a/debian/patches/CVE-2022-46175.patch b/debian/patches/CVE-2022-46175.patch new file mode 100644 index 000..1b2acc6 --- /dev/null +++ b/debian/patches/CVE-2022-46175.patch 
@@ -0,0 +1,91 @@ +Description: add __proto__ to objects and arrays +Author: Jordan Tucker +Origin: upstream, https://github.com/json5/json5/commit/4a8c4568 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2023-01-16 + +--- a/CHANGELOG.md b/CHANGELOG.md +@@ -340,5 +340,6 @@ + [#182]: https://github.com/json5/json5/issues/182 + [#187]: https://github.com/json5/json5/issues/187 + [#196]: https://github.com/json5/json5/issues/196 ++[#199]: https://github.com/json5/json5/issues/199 + [#208]: https://github.com/json5/json5/issues/208 + [#210]: https://github.com/json5/json5/issues/210 +--- a/lib/parse.js b/lib/parse.js +@@ -41,15 +41,35 @@ + + function internalize (holder, name, reviver) { + const value = holder[name] +-if (value != null && typeof value === 'object') { +-for (const key in value) { +-const replacement = internalize(value, key, reviver) +-if (replacement === undefined) { +-delete value[key] +-} else { +-value[key] = replacement +-} ++if (Array.isArray(value)) { ++ for (let i = 0; i < value.length; i++) { ++const key = String(i) ++const replacement = internalize(value, key, reviver) ++if (replacement === undefined) { ++ delete value[key] ++} else { ++ Object.defineProperty(value, key, { ++value: replacement, ++writable: true, ++enumerable: true, ++configurable: true, ++ }) ++} ++ } ++} else { ++ for (const key in value) { ++const replacement = internalize(value, key, reviver) ++if (replacement === undefined) { ++ delete value[key] ++} else { ++ Object.defineProperty(value, key, { ++value: replacement, ++writable: true, ++enumerable: true, ++configurable: true, ++ }) + } ++ } + } + + return reviver.call(holder, name, value) +@@ -973,7 +993,12 @@ + if (Array.isArray(parent)) { + parent.push(value) + } else { +-parent[key] = value ++Object.defineProperty(parent, key, { ++value, ++writable: true, ++enumerable: true, ++configurable: true, ++}) + } + } + +--- a/test/parse.js b/test/parse.js +@@ -293,6 +293,12 @@ + ) + + t.strictSame( ++ 
JSON5.parse('{"__proto__":1}').__proto__, ++ 1, ++ 'preserves __proto__ property names', ++) ++ ++t.strictSame( + JSON5.parse('{a:{b:2}}', (k, v) => (k === 'b') ? 'revived' : v), + {a: {b: 'revived'}}, + 'modifies nested object property values' diff --git a/debian/patches/series b/debian/patches/series index dc10249..f55f44a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ update-unicode.diff ship_typescript_definitions.patch +CVE-2022-46175.patch
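Review bot: in the lib/parse.js hunk at @@ -41,15 +41,35 @@, the removed line `-if (value != null && typeof value === 'object') {` has no added counterpart, so as shown the new `if (Array.isArray(value)) { ... } else { for (const key in value) ... }` runs for every value, not only objects; `for...in` over a string primitive enumerates its indices, a one-character string indexes to itself, and `internalize` would then recurse without end whenever a reviver is passed and a string value is met. Keep the `value != null && typeof value === 'object'` guard around the new `Array.isArray` branch (or confirm it survived and was only lost in this flattened copy of the diff).

Review bot: the test/parse.js hunk at @@ -293,6 +293,12 @@ asserts `JSON5.parse('{"__proto__":1}').__proto__` is `1`; that does distinguish an own property from a prototype write, because assigning a primitive to `__proto__` leaves the prototype untouched, but an object-valued payload with checks that `Object.getPrototypeOf(result) === Object.prototype` and that a fresh `{}` has not gained the key would document the security property directly.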
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 04/12/2022 19:11, Adam D. Barratt wrote: [...] Hi, no that's the reverse, I cleaned deb11u1 patch in deb11u2, see https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42 (cumulative debdiff) Right, apparently I was confused by the (not entirely clear, at least to me) filenames. Regards, Adam Yes, sorry I introduced unneeded changes in deb11u1. deb11u2 cleans this and fixes node-glob regression
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 04/12/2022 19:03, Adam D. Barratt wrote: On Tue, 2022-11-29 at 11:14 +0100, Yadd wrote: On 29/11/2022 10:56, Yadd wrote: On 28/11/2022 22:11, Paul Gevers wrote: Hi Yadd, On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote: The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: node-minimatch Version: 3.0.4+~3.0.3-1+deb11u1 Explanation: improve protection against regular expression- based denial of service [CVE-2022-3517] The upload breaks [1] the autopkgtest of node-glob. Can you have a look? [...] the problem is in this part of minimatch.js patch: @@ -280,7 +306,7 @@ if (pattern === '') return '' var re = '' - var hasMagic = !!options.nocase + var hasMagic = false var escaping = false // ? => one single character var patternListStack = [] We should apply this patch: https://github.com/isaacs/minimatch/commit/e4cd4346 I'm going to prepare a new upload Here is a new debdiff: * this cleans CVE-2022-3517 patch (package*.json changes not needed) * this includes regressions fixes from 3.0.6 and 3.0.7 If the huge package*.json changes aren't needed, then why are they included? Your stable -> deb11u2 diff contains a *lot* of noise with the changes to package-lock.json. Other than that, the patch does look like it's just the (still quite large) changes from upstream relating to the CVE, so please go ahead. Regards, Hi, no that's the reverse, I cleaned deb11u1 patch in deb11u2, see https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=1022122;filename=node-minimatch_3.0.4%2B~3.0.3-1%2Bdeb11u1%2Bdeb11u2.debdiff;msg=42 (cumulative debdiff) Cheers, Yadd
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 29/11/2022 11:25, Yadd wrote: On 29/11/2022 11:14, Yadd wrote: On 29/11/2022 10:56, Yadd wrote: On 28/11/2022 22:11, Paul Gevers wrote: Hi Yadd, On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote: The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: node-minimatch Version: 3.0.4+~3.0.3-1+deb11u1 Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517] The upload breaks [1] the autopkgtest of node-glob. Can you have a look? Paul [...] Hi, the problem is in this part of minimatch.js patch: @@ -280,7 +306,7 @@ if (pattern === '') return '' var re = '' - var hasMagic = !!options.nocase + var hasMagic = false var escaping = false // ? => one single character var patternListStack = [] We should apply this patch: https://github.com/isaacs/minimatch/commit/e4cd4346 I'm going to prepare a new upload Here is a new debdiff: * this cleans CVE-2022-3517 patch (package*.json changes not needed) * this includes regressions fixes from 3.0.6 and 3.0.7 To help, I built a cumulative debdiff (u1 + u2), easier to read. Do I have to open a new BTS ? Cheers, Yadd Of course, verified with node-glob, all is OK now Hi, can I push this new version to stable-proposed-updates ?
Bug#1025414: bullseye-pu: package node-hawk/8.0.1+dfsg-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-hawk used a regular expression to parse `Host` HTTP header (`Hawk.utils.parseHost()`), which was subject to regular expression DoS attack (CVE-2022-29167). [ Impact ] Medium security issue [ Tests ] Sadly tests were not launched in Bullseye [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Replace custom url parsing by `url` functions. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 7a55fa8..a913487 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-hawk (8.0.1+dfsg-2+deb11u1) bullseye; urgency=medium + + * Team upload + * Parse URLs using stdlib (Closes: CVE-2022-29167) + + -- Yadd Sun, 04 Dec 2022 11:39:16 +0100 + node-hawk (8.0.1+dfsg-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-29167.patch b/debian/patches/CVE-2022-29167.patch new file mode 100644 index 000..2c41b08 --- /dev/null +++ b/debian/patches/CVE-2022-29167.patch 
@@ -0,0 +1,57 @@ +Description: Parse URLs using stdlib +Author: Yaraslau Kurmyza +Origin: upstream, https://github.com/mozilla/hawk/commit/ade13411 +Bug: https://github.com/mozilla/hawk/security/advisories/GHSA-44pw-h2cw-w3vq +Forwarded: not-needed +Applied-Upstream: 9.0.1, ade13411 +Reviewed-By: Yadd +Last-Update: 2022-12-04 + +--- a/lib/utils.js b/lib/utils.js +@@ -2,6 +2,7 @@ + + const Boom = require('@hapi/boom'); + const Sntp = require('@hapi/sntp'); ++const Url = require('url'); + + + const internals = {}; +@@ -18,17 +19,19 @@ + }; + + +-// Extract host and port from request +- +-//$1$2 +-internals.hostHeaderRegex = /^(?:(?:\r\n)?\s)*((?:[^:]+)|(?:\[[^\]]+\]))(?::(\d+))?(?:(?:\r\n)?\s)*$/; // (IPv4, hostname)|(IPv6) +- +- + exports.parseHost = function (req, hostHeaderName) { + + hostHeaderName = (hostHeaderName ? hostHeaderName.toLowerCase() : 'host'); + const hostHeader = req.headers[hostHeaderName]; +-if (!hostHeader) { ++if (hostHeader.indexOf('/') !== -1) { ++return null; ++} ++ ++let uri; ++try { ++uri = new Url.URL('http://' + hostHeader); ++} ++catch (err) { + return null; + } + +@@ -42,8 +45,8 @@ + } + + return { +-name: hostParts[1], +-port: (hostParts[2] ? hostParts[2] : (req.connection && req.connection.encrypted ? 443 : 80)) ++name: uri.hostname, ++port: (uri.port ? uri.port : (req.connection && req.connection.encrypted ? 443 : 80)) + }; + }; + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..43fa212 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2022-29167.patch
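Review bot: the lib/utils.js hunk at @@ -18,17 +19,19 @@ removes the `if (!hostHeader) {` early return, so a request with no Host header now throws a TypeError from `hostHeader.indexOf('/')` instead of returning null as before; keep that guard ahead of the new `indexOf` check. The same hunk also deletes `internals.hostHeaderRegex`, yet the seven unchanged lines between it and the hunk at @@ -42,8 +45,8 @@ (old lines 35 to 41, ending in the `}` shown as context) are not in this diff; if they still contain `hostHeader.match(internals.hostHeaderRegex)`, that now matches against `undefined` and the later `hostParts` check would make `parseHost` return null for every request. Since the [ Tests ] section says the suite was not run in bullseye, please run the upstream tests against the patched package before upload.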
Bug#1025387: bullseye-pu: package node-qs/6.9.4+ds-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-qs is vulnerable to prototype pollution, this affects web applications using node-express (CVE-2022-24999) [ Impact ] Medium security issue [ Tests ] Patch adds a test to verify that bug is fixed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just verify that key isn't __proto__ before updating object keys Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3734d04..774ba07 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-qs (6.9.4+ds-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2022-24999) + + -- Yadd Sat, 03 Dec 2022 20:22:12 +0100 + node-qs (6.9.4+ds-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-24999.patch b/debian/patches/CVE-2022-24999.patch new file mode 100644 index 000..45c26ca --- /dev/null +++ b/debian/patches/CVE-2022-24999.patch 
@@ -0,0 +1,87 @@ +Description: `parse`: ignore `__proto__` keys +Author: Jordan Harband +Origin: upstream, https://github.com/ljharb/qs/pull/428 +Bug: https://security-tracker.debian.org/tracker/CVE-2022-24999 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-12-03 + +--- a/lib/parse.js b/lib/parse.js +@@ -135,7 +135,7 @@ + ) { + obj = []; + obj[index] = leaf; +-} else { ++} else if (cleanRoot !== '__proto__') { + obj[cleanRoot] = leaf; + } + } +--- a/test/parse.js b/test/parse.js +@@ -768,5 +768,65 @@ + st.end(); + }); + ++t.test('dunder proto is ignored', function (st) { ++var payload = 'categories[__proto__]=login[__proto__][length]=42'; ++var result = qs.parse(payload, { allowPrototypes: true }); ++ ++st.deepEqual( ++result, ++{ ++categories: { ++length: '42' ++} ++}, ++'silent [[Prototype]] payload' ++); ++ ++var plainResult = qs.parse(payload, { allowPrototypes: true, plainObjects: true }); ++ ++st.deepEqual( ++plainResult, ++{ ++__proto__: null, ++categories: { ++__proto__: null, ++length: '42' ++} ++}, ++'silent [[Prototype]] payload: plain objects' ++); ++ ++var query = qs.parse('categories[__proto__]=cats[__proto__]=dogs[some][json]=toInject', { allowPrototypes: true }); ++ ++st.notOk(Array.isArray(query.categories), 'is not an array'); ++st.notOk(query.categories instanceof Array, 'is not instanceof an array'); ++st.deepEqual(query.categories, { some: { json: 'toInject' } }); ++st.equal(JSON.stringify(query.categories), '{"some":{"json":"toInject"}}', 'stringifies as a non-array'); ++ ++st.deepEqual( ++qs.parse('foo[__proto__][hidden]=value[bar]=stuffs', { allowPrototypes: true }), ++{ ++foo: { ++bar: 'stuffs' ++} ++}, ++'hidden values' ++); ++ ++st.deepEqual( ++qs.parse('foo[__proto__][hidden]=value[bar]=stuffs', { allowPrototypes: true, plainObjects: true }), ++{ ++__proto__: null, ++foo: { ++__proto__: null, ++bar: 'stuffs' ++} ++}, ++'hidden values: plain objects' ++); ++ ++st.end(); ++}); ++ + t.end(); + }); 
diff --git a/debian/patches/series b/debian/patches/series index aa71f6e..d1bf800 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ use-lodash-forEach-in-test.diff +CVE-2022-24999.patch
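Review bot: the lib/parse.js hunk at @@ -135,7 +135,7 @@ silently drops a `__proto__` key on the object branch only; the array branch (`obj[index] = leaf`) is index-keyed and needs no guard, but the drop is a visible behaviour change for callers using `allowPrototypes: true`, which is the only mode the new test/parse.js cases exercise. A one-line mention in the patch Description that such keys now disappear rather than being applied, plus one test case under the default options to pin down that nothing changed there, would complete the change.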
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 29/11/2022 11:14, Yadd wrote: On 29/11/2022 10:56, Yadd wrote: On 28/11/2022 22:11, Paul Gevers wrote: Hi Yadd, On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote: The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: node-minimatch Version: 3.0.4+~3.0.3-1+deb11u1 Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517] The upload breaks [1] the autopkgtest of node-glob. Can you have a look? Paul [...] Hi, the problem is in this part of minimatch.js patch: @@ -280,7 +306,7 @@ if (pattern === '') return '' var re = '' - var hasMagic = !!options.nocase + var hasMagic = false var escaping = false // ? => one single character var patternListStack = [] We should apply this patch: https://github.com/isaacs/minimatch/commit/e4cd4346 I'm going to prepare a new upload Here is a new debdiff: * this cleans CVE-2022-3517 patch (package*.json changes not needed) * this includes regressions fixes from 3.0.6 and 3.0.7 To help, I built a cumulative debdiff (u1 + u2), easier to read. Do I have to open a new BTS ? Cheers, Yadd Of course, verified with node-glob, all is OK now
Bug#1022122: node-minimatch 3.0.4+~3.0.3-1+deb11u1 flagged for acceptance
On 28/11/2022 22:11, Paul Gevers wrote: Hi Yadd, On Sat, 26 Nov 2022 13:01:22 + Adam D Barratt wrote: The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye. Thanks for your contribution! Upload details == Package: node-minimatch Version: 3.0.4+~3.0.3-1+deb11u1 Explanation: improve protection against regular expression-based denial of service [CVE-2022-3517] The upload breaks [1] the autopkgtest of node-glob. Can you have a look? Paul [1] https://ci.debian.net/packages/n/node-glob/stable/amd64/ 4 failing 1) test/nocase-nomagic.js nocase, nomagic should be equivalent: Error: should be equivalent + expected - actual -[] +[ + "/TMP/A" + "/TMP/a" + "/tMP/A" + "/tMP/a" + "/tMp/A" + "/tMp/a" + "/tmp/A" + "/tmp/a" +] at test/nocase-nomagic.js:98:7 at f (/usr/lib/nodejs/once/once.js:25:25) at Glob. (/usr/share/nodejs/glob/glob.js:151:7) at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8) at done (/usr/share/nodejs/glob/glob.js:182:14) at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12) at /usr/share/nodejs/glob/glob.js:676:10 at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12) at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12) at RES (/usr/lib/nodejs/inflight/inflight.js:31:16) at f (/usr/lib/nodejs/once/once.js:25:25) 2) test/nocase-nomagic.js nocase, nomagic should be equivalent: Error: should be equivalent + expected - actual -[] +[ + "/TMP/A" + "/TMP/a" + "/tMP/A" + "/tMP/a" + "/tMp/A" + "/tMp/a" + "/tmp/A" + "/tmp/a" +] at test/nocase-nomagic.js:108:7 at f (/usr/lib/nodejs/once/once.js:25:25) at Glob. 
(/usr/share/nodejs/glob/glob.js:151:7) at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8) at done (/usr/share/nodejs/glob/glob.js:182:14) at Glob._processSimple2 (/usr/share/nodejs/glob/glob.js:688:12) at /usr/share/nodejs/glob/glob.js:676:10 at Glob._stat2 (/usr/share/nodejs/glob/glob.js:772:12) at lstatcb_ (/usr/share/nodejs/glob/glob.js:764:12) at RES (/usr/lib/nodejs/inflight/inflight.js:31:16) at f (/usr/lib/nodejs/once/once.js:25:25) 3) test/nocase-nomagic.js nocase, with some magic should be equivalent: Error: should be equivalent + expected - actual [ + "/TMP/A" + "/TMP/a" + "/tMP/A" + "/tMP/a" + "/tMp/A" + "/tMp/a" "/tmp/A" "/tmp/a" ] at test/nocase-nomagic.js:137:7 at f (/usr/lib/nodejs/once/once.js:25:25) at Glob. (/usr/share/nodejs/glob/glob.js:151:7) at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8) at done (/usr/share/nodejs/glob/glob.js:182:14) at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12) at /usr/share/nodejs/glob/glob.js:371:17 at RES (/usr/lib/nodejs/inflight/inflight.js:31:16) at f (/usr/lib/nodejs/once/once.js:25:25) at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10) at /usr/share/nodejs/glob/glob.js:555:12 at test/nocase-nomagic.js:62:9 4) test/nocase-nomagic.js nocase, with some magic should be equivalent: Error: should be equivalent + expected - actual [ + "/TMP/A" + "/TMP/a" + "/tMP/A" + "/tMP/a" + "/tMp/A" + "/tMp/a" "/tmp/A" "/tmp/a" ] at test/nocase-nomagic.js:147:7 at f (/usr/lib/nodejs/once/once.js:25:25) at Glob. 
(/usr/share/nodejs/glob/glob.js:151:7) at Glob._finish (/usr/share/nodejs/glob/glob.js:197:8) at done (/usr/share/nodejs/glob/glob.js:182:14) at Glob._processReaddir2 (/usr/share/nodejs/glob/glob.js:434:12) at /usr/share/nodejs/glob/glob.js:371:17 at RES (/usr/lib/nodejs/inflight/inflight.js:31:16) at f (/usr/lib/nodejs/once/once.js:25:25) at Glob._readdirEntries (/usr/share/nodejs/glob/glob.js:578:10) at /usr/share/nodejs/glob/glob.js:555:12 at test/nocase-nomagic.js:62:9 Hi, the problem is in this part of minimatch.js patch: @@ -280,7 +306,7 @@ if (pattern === '') return '' var re = '' - var hasMagic = !!options.nocase + var hasMagic = false var escaping = false // ? => one single character var patternListStack = [] We should apply this patch: https://github.com/isaacs/minimatch/commit/e4cd4346 I'm going to prepare a new upload
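Review bot: in the quoted minimatch.js hunk at @@ -280,7 +306,7 @@, replacing `var hasMagic = !!options.nocase` with `var hasMagic = false` means a pattern without glob characters is no longer treated as magic when `nocase` is set, so node-glob takes its literal-path route (the failing traces above go through `Glob._processSimple2` and `Glob._stat2`) and the case-insensitive matches `/TMP/A` through `/tmp/a` come back as `[]`. The referenced upstream commit e4cd4346 is the right follow-up; shipping it in deb11u2 with a node-glob autopkgtest run recorded in the bug would close the loop.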
Bug#1024745: bullseye-pu: package node-xmldom/0.5.0-1+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-xmldom is vulnerable: it doesn't verify that root element is unique (#1024736, CVE-2022-39353) [ Impact ] Medium vulnerability [ Tests ] Tests still pass [ Risks ] Moderate risk: tests still pass and patch isn't too big [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Verify XML document before changing it Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index e486812..50d0288 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-xmldom (0.5.0-1+deb11u2) bullseye; urgency=medium + + * Team upload + * Prevent inserting DOM nodes when they are not well-formed +(Closes: #1024736, CVE-2022-39353) + + -- Yadd Thu, 24 Nov 2022 09:22:10 +0100 + node-xmldom (0.5.0-1+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-39353.patch b/debian/patches/CVE-2022-39353.patch new file mode 100644 index 000..b15040a --- /dev/null +++ b/debian/patches/CVE-2022-39353.patch 
@@ -0,0 +1,270 @@ +Description: Prevent inserting DOM nodes when they are not well-formed +Author: Christian Bewernitz +Origin: upstream, https://github.com/xmldom/xmldom/commit/7ff7c10a +Bug: https://github.com/xmldom/xmldom/security/advisories/GHSA-crh6-fp67-6883 +Bug-Debian: https://bugs.debian.org/1024736 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-24 + +--- a/lib/dom.js b/lib/dom.js +@@ -111,7 +111,31 @@ + serializeToString(this[i],buf,isHTML,nodeFilter); + } + return buf.join(''); +- } ++ }, ++ /** ++ * @private ++ * @param {function (Node):boolean} predicate ++ * @returns {Node | undefined} ++ */ ++ find: function (predicate) { ++ return Array.prototype.find.call(this, predicate); ++ }, ++ /** ++ * @private ++ * @param {function (Node):boolean} predicate ++ * @returns {Node[]} ++ */ ++ filter: function (predicate) { ++ return Array.prototype.filter.call(this, predicate); ++ }, ++ /** ++ * @private ++ * @param {Node} item ++ * @returns {number} ++ */ ++ indexOf: function (item) { ++ return Array.prototype.indexOf.call(this, item); ++ }, + }; + function LiveNodeList(node,refresh){ + this._node = node; +@@ -182,7 +206,7 @@ + } + } + }else{ +- throw DOMException(NOT_FOUND_ERR,new Error(el.tagName+'@'+attr)) ++ throw new DOMException(NOT_FOUND_ERR,new Error(el.tagName+'@'+attr)) + } + } + NamedNodeMap.prototype = { +@@ -496,48 +520,177 @@ + _onUpdateChild(parentNode.ownerDocument,parentNode); + return child; + } ++ + /** +- * preformance key(refChild == null) ++ * Returns `true` if `node` can be a parent for insertion. ++ * @param {Node} node ++ * @returns {boolean} + */ +-function _insertBefore(parentNode,newChild,nextChild){ +- var cp = newChild.parentNode; ++function hasValidParentNodeType(node) { ++ return ( ++ node && ++ (node.nodeType === Node.DOCUMENT_NODE || node.nodeType === Node.DOCUMENT_FRAGMENT_NODE || node.nodeType === Node.ELEMENT_NODE) ++ ); ++} ++ ++/** ++ * Returns `true` if `node` can be inserted according to it's `nodeType`. 
++ * @param {Node} node ++ * @returns {boolean} ++ */ ++function hasInsertableNodeType(node) { ++ return ( ++ node && ++ (isElementNode(node) || ++ isTextNode(node) || ++ isDocTypeNode(node) || ++ node.nodeType === Node.DOCUMENT_FRAGMENT_NODE || ++ node.nodeType === Node.COMMENT_NODE || ++ node.nodeType === Node.PROCESSING_INSTRUCTION_NODE) ++ ); ++} ++ ++/** ++ * Returns true if `node` is a DOCTYPE node ++ * @param {Node} node ++ * @returns {boolean} ++ */ ++function isDocTypeNode(node) { ++ return node && node.nodeType === Node.DOCUMENT_TYPE_NODE; ++} ++ ++/** ++ * Returns true if the node is an element ++ * @param {Node} node ++ * @returns {boolean} ++ */ ++function isElementNode(node) { ++ return node && node.nodeType === Node.ELEMENT_NODE; ++} ++/** ++ * Returns true if `node` is a text node ++ * @param {Node} node ++ * @returns {boolean} ++ */ ++function isTextNode(node) { ++ return node && node.nodeType === Node.TEXT_NODE; ++} ++ ++/** ++ * Check if en element node can be inserted before `child`, or at the end if child is falsy, ++ * according to the presence and position of a doctype node on the same level. ++ * ++ * @param {Document} doc Th
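Review bot: the lib/dom.js hunk at @@ -182,7 +206,7 @@ turns `throw DOMException(NOT_FOUND_ERR, ...)` into `throw new DOMException(...)`; that is a correctness fix unrelated to the advisory and deserves its own line in the patch Description so it is not lost when the patch is refreshed. In the hunk at @@ -111,7 +111,31 @@ the new `find`, `filter` and `indexOf` helpers are documented as `@private` but are added to the NodeList prototype, so they are reachable by consumers; that follows upstream, just be aware they now form part of the package's observable surface in bullseye.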
Bug#1023798: Update to fix also CVE-2022-37599
On 14/11/2022 11:01, Yadd wrote: Hi, here is another update to fix CVE-2022-37599 (trivial patch). Cheers, Yadd This also fixes CVE-2022-37603 (duplicate of CVE-2022-37599) diff --git a/debian/changelog b/debian/changelog index 7d05292..aace5b2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2022-37601) + * Fix ReDos (Closes: CVE-2022-37599, CVE-2022-37603) + + -- Yadd Mon, 14 Nov 2022 10:58:58 +0100 + node-loader-utils (2.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-37599.patch b/debian/patches/CVE-2022-37599.patch new file mode 100644 index 000..d094c30 --- /dev/null +++ b/debian/patches/CVE-2022-37599.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Alexander Akait <4567934+alexander-ak...@users.noreply.github.com> +Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d +Bug: https://github.com/webpack/loader-utils/issues/211 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-14 + +--- a/lib/interpolateName.js b/lib/interpolateName.js +@@ -108,7 +108,7 @@ + // `hash` and `contenthash` are same in `loader-utils` context + // let's keep `hash` for backward compatibility + .replace( +- /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, ++ /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + (all, hashType, digestType, maxLength) => + getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) + ) diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch new file mode 100644 index 000..12eaad6 --- /dev/null +++ b/debian/patches/CVE-2022-37601.patch 
@@ -0,0 +1,18 @@ +Description: fix prototype pollution +Author: Mike Cebrian +Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-10 + +--- node-loader-utils-2.0.0.orig/lib/parseQuery.js node-loader-utils-2.0.0/lib/parseQuery.js +@@ -26,7 +26,7 @@ function parseQuery(query) { + } + + const queryArgs = query.split(/[,&]/g); +- const result = {}; ++ const result = Object.create(null); + + queryArgs.forEach((arg) => { + const idx = arg.indexOf('='); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..5566245 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +CVE-2022-37601.patch +CVE-2022-37599.patch
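Review bot: the lib/interpolateName.js hunk at @@ -108,7 +108,7 @@ narrows the hash-type capture from `[^:\]]+` to `[^[:\]]+`, so an opening `[` can no longer be swallowed into that group and re-tried against the outer `\[`; that is the whole fix, but the debdiff carries no regression test for it and the d/changelog entry spells the issue class `ReDos` (should be `ReDoS`). A test built from the reproducer in the linked upstream issue #211, with a timeout, would keep the regex from regressing.

Review bot: the lib/parseQuery.js hunk at @@ -26,7 +26,7 @@ replaces `const result = {}` with `Object.create(null)`, which removes the `__proto__` setter but also every `Object.prototype` method from the returned object; any reverse dependency that calls `result.hasOwnProperty(...)` or `result.toString()` on a parsed query will now throw. The loaders in bullseye that consume `parseQuery` should be grepped for that pattern before upload.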
Bug#1023798: Update to fix also CVE-2022-37599
Hi, here is another update to fix CVE-2022-37599 (trivial patch). Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 7d05292..5ba6d13 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2022-37601) + * Fix ReDos (Closes: CVE-2022-37599) + + -- Yadd Mon, 14 Nov 2022 10:58:58 +0100 + node-loader-utils (2.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-37599.patch b/debian/patches/CVE-2022-37599.patch new file mode 100644 index 000..d094c30 --- /dev/null +++ b/debian/patches/CVE-2022-37599.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Alexander Akait <4567934+alexander-ak...@users.noreply.github.com> +Origin: upstream, https://github.com/webpack/loader-utils/commit/ac09944d +Bug: https://github.com/webpack/loader-utils/issues/211 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-14 + +--- a/lib/interpolateName.js b/lib/interpolateName.js +@@ -108,7 +108,7 @@ + // `hash` and `contenthash` are same in `loader-utils` context + // let's keep `hash` for backward compatibility + .replace( +- /\[(?:([^:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, ++ /\[(?:([^[:\]]+):)?(?:hash|contenthash)(?::([a-z]+\d*))?(?::(\d+))?\]/gi, + (all, hashType, digestType, maxLength) => + getHashDigest(content, hashType, digestType, parseInt(maxLength, 10)) + ) diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch new file mode 100644 index 000..12eaad6 --- /dev/null +++ b/debian/patches/CVE-2022-37601.patch 
@@ -0,0 +1,18 @@ +Description: fix prototype pollution +Author: Mike Cebrian +Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-10 + +--- node-loader-utils-2.0.0.orig/lib/parseQuery.js node-loader-utils-2.0.0/lib/parseQuery.js +@@ -26,7 +26,7 @@ function parseQuery(query) { + } + + const queryArgs = query.split(/[,&]/g); +- const result = {}; ++ const result = Object.create(null); + + queryArgs.forEach((arg) => { + const idx = arg.indexOf('='); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..5566245 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +CVE-2022-37601.patch +CVE-2022-37599.patch
Bug#1023798: bullseye-pu: package node-loader-utils/2.0.0-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-loader-utils is vulnerable to prototype pollution (CVE-2022-37601) [ Impact ] Medium vulnerability [ Tests ] No new test [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Replace {} by Object.create(null) Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 7d05292..8f9f949 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-loader-utils (2.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2022-37601) + + -- Yadd Thu, 10 Nov 2022 11:56:10 +0100 + node-loader-utils (2.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-37601.patch b/debian/patches/CVE-2022-37601.patch new file mode 100644 index 000..12eaad6 --- /dev/null +++ b/debian/patches/CVE-2022-37601.patch @@ -0,0 +1,18 @@ +Description: fix prototype pollution +Author: Mike Cebrian +Origin: upstream, https://github.com/webpack/loader-utils/commit/a93cf6f4 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-11-10 + +--- node-loader-utils-2.0.0.orig/lib/parseQuery.js node-loader-utils-2.0.0/lib/parseQuery.js +@@ -26,7 +26,7 @@ function parseQuery(query) { + } + + const queryArgs = query.split(/[,&]/g); +- const result = {}; ++ const result = Object.create(null); + + queryArgs.forEach((arg) => { + const idx = arg.indexOf('='); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..c6bc49a --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2022-37601.patch
Bug#1022122: bullseye-pu: package node-minimatch/3.0.4+~3.0.3-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-minimatch is vulnerable to ReDoS [ Impact ] Medium security issue [ Tests ] New tests included in patch, passed [ Risks ] Low risk, patch is not so big and test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Improve ReDoS protection and add more tests Cheers, Yadd
Bug#1021648: buster-pu: package node-xmldom/0.1.27+ds-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-xmldom is vulnerable to prototype pollution [ Impact ] Medium security issue [ Tests ] No new test, test passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Add checks to avoid prototype pollution Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 51d769b..d16e01b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xmldom (0.1.27+ds-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1021618, CVE-2022-37616) + + -- Yadd Wed, 12 Oct 2022 10:07:56 +0200 + node-xmldom (0.1.27+ds-1) unstable; urgency=low * Initial release (Closes: #902311). Repacked from github diff --git a/debian/patches/CVE-2022-37616.patch b/debian/patches/CVE-2022-37616.patch new file mode 100644 index 000..a591260 --- /dev/null +++ b/debian/patches/CVE-2022-37616.patch 
@@ -0,0 +1,80 @@ +Description: Avoid iterating over prototype properties +Author: Christian Bewernitz +Origin: upstream, https://github.com/xmldom/xmldom/commit/7c0d4b7f +Bug: https://github.com/xmldom/xmldom/issues/436 +Bug-Debian: https://bugs.debian.org/1021618 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-10-12 + +--- a/dom.js b/dom.js +@@ -7,7 +7,7 @@ + + function copy(src,dest){ + for(var p in src){ +- dest[p] = src[p]; ++ if (Object.prototype.hasOwnProperty.call(src, p)) dest[p] = src[p]; + } + } + /** +@@ -377,7 +377,7 @@ + //console.dir(map) + if(map){ + for(var n in map){ +- if(map[n] == namespaceURI){ ++ if(Object.prototype.hasOwnProperty.call(map, n) && map[n] == namespaceURI){ + return n; + } + } +@@ -393,7 +393,7 @@ + var map = el._nsMap; + //console.dir(map) + if(map){ +- if(prefix in map){ ++ if(Object.prototype.hasOwnProperty.call(map, prefix)){ + return map[prefix] ; + } + } +@@ -1143,12 +1143,14 @@ + function cloneNode(doc,node,deep){ + var node2 = new node.constructor(); + for(var n in node){ ++ if (Object.prototype.hasOwnProperty.call(node, n)) { + var v = node[n]; + if(typeof v != 'object' ){ + if(v != node2[n]){ + node2[n] = v; + } + } ++ } + } + if(node.childNodes){ + node2.childNodes = new NodeList(); +--- a/sax.js b/sax.js +@@ -122,6 +122,7 @@ + domBuilder.endElement(config.uri,config.localName,tagName); + if(localNSMap){ + for(var prefix in localNSMap){ ++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) + domBuilder.endPrefixMapping(prefix) ; + } + } +@@ -450,6 +451,7 @@ + domBuilder.endElement(ns,localName,tagName); + if(localNSMap){ + for(prefix in localNSMap){ ++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) + domBuilder.endPrefixMapping(prefix) + } + } +@@ -497,7 +499,7 @@ + //} + } + function _copy(source,target){ +- for(var n in source){target[n] = source[n]} ++ for(var n in source){if (Object.prototype.hasOwnProperty.call(source, n)) target[n] = source[n]} + } + function 
parseDCC(source,start,domBuilder,errorHandler){//sure start with '
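Review bot: the two sax.js hunks (the `endPrefixMapping` loops at `@@ -122` and `@@ -450`) add a brace-less `if (Object.prototype.hasOwnProperty.call(localNSMap, prefix))` on its own line above `domBuilder.endPrefixMapping(prefix)`; that only works because exactly one statement follows, so wrap the body in braces as the `cloneNode` hunk does, otherwise a later edit that adds a second statement will silently fall outside the guard. Since the report states "No new test", a test that parses a document after a key has been added to `Object.prototype` and checks that `copy`, `cloneNode` and `_copy` do not carry it over would pin down the behaviour all seven hunks are meant to guarantee.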
Bug#1021647: bullseye-pu: package node-xmldom/0.5.0-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-xmldom is vulnerable to prototype pollution [ Impact ] Medium security issue [ Tests ] No new test, current tests passed with a snapshot update (`jest -u`) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Add checks to avoid prototype pollution. Also update snapshots during test (`jest -u`) Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 41abbd3..e486812 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-xmldom (0.5.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1021618, CVE-2022-37616) + + -- Yadd Wed, 12 Oct 2022 09:11:06 +0200 + node-xmldom (0.5.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-37616.patch b/debian/patches/CVE-2022-37616.patch new file mode 100644 index 000..4bf06b6 --- /dev/null +++ b/debian/patches/CVE-2022-37616.patch 
@@ -0,0 +1,80 @@ +Description: Avoid iterating over prototype properties +Author: Christian Bewernitz +Origin: upstream, https://github.com/xmldom/xmldom/commit/7c0d4b7f +Bug: https://github.com/xmldom/xmldom/issues/436 +Bug-Debian: https://bugs.debian.org/1021618 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-10-12 + +--- a/lib/dom.js b/lib/dom.js +@@ -1,6 +1,8 @@ + function copy(src,dest){ + for(var p in src){ ++ if (Object.prototype.hasOwnProperty.call(src, p)) { + dest[p] = src[p]; ++ } + } + } + /** +@@ -371,7 +373,7 @@ + //console.dir(map) + if(map){ + for(var n in map){ +- if(map[n] == namespaceURI){ ++ if(Object.prototype.hasOwnProperty.call(map, n) && map[n] == namespaceURI){ + return n; + } + } +@@ -387,7 +389,7 @@ + var map = el._nsMap; + //console.dir(map) + if(map){ +- if(prefix in map){ ++ if(Object.prototype.hasOwnProperty.call(map, prefix)){ + return map[prefix] ; + } + } +@@ -1170,12 +1172,14 @@ + function cloneNode(doc,node,deep){ + var node2 = new node.constructor(); + for(var n in node){ ++ if (Object.prototype.hasOwnProperty.call(node, n)) { + var v = node[n]; + if(typeof v != 'object' ){ + if(v != node2[n]){ + node2[n] = v; + } + } ++ } + } + if(node.childNodes){ + node2.childNodes = new NodeList(); +--- a/lib/sax.js b/lib/sax.js +@@ -137,6 +137,7 @@ + domBuilder.endElement(config.uri,config.localName,tagName); + if(localNSMap){ + for(var prefix in localNSMap){ ++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) + domBuilder.endPrefixMapping(prefix) ; + } + } +@@ -475,6 +476,7 @@ + domBuilder.endElement(ns,localName,tagName); + if(localNSMap){ + for(prefix in localNSMap){ ++ if (Object.prototype.hasOwnProperty.call(localNSMap, prefix)) + domBuilder.endPrefixMapping(prefix) + } + } +@@ -522,7 +524,7 @@ + //} + } + function _copy(source,target){ +- for(var n in source){target[n] = source[n]} ++ for(var n in source){if (Object.prototype.hasOwnProperty.call(source, n)) target[n] = source[n]} + } + function 
parseDCC(source,start,domBuilder,errorHandler){//sure start with '
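Review bot: the `copy` hunk at the top of lib/dom.js (`@@ -1,6 +1,8`) uses a braced block for the `hasOwnProperty` guard while the sax.js `_copy` hunk (`@@ -522`) keeps it as an inline one-liner, and the buster backport of the same CVE-2022-37616.patch uses the inline form in `copy` as well; pick one shape for both so the two stable patches stay easy to diff against each other. In the `cloneNode` hunk (`@@ -1170`) the new `if (Object.prototype.hasOwnProperty.call(node, n)) {` wraps the existing body without re-indenting it, which is fine for a minimal backport but worth a comment so the closing `++ }` is not mistaken for a stray brace.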
Re: Migration problem
On 11/10/2022 18:56, Adam D. Barratt wrote: On Tue, 2022-10-11 at 09:57 +0200, Yadd wrote: On 11/10/2022 09:27, Sebastian Ramacher wrote: On 2022-10-11 06:50:09 +0200, Yadd wrote: node-jest is still blocked in unstable but I can't understand why: * tracker.d.o reports nothing * Britney output is unintelligible trying: node-ts-jest node-jest skipped: node-ts-jest node-jest (0, 56, 23) got: 22+0: a-4:a-17:a-0:a-0:i-0:m-0:m-0:p-0:s-1 * amd64: jest, node-jest-react, ts-jest Britney is trying to migrate node-ts-jest and node-jest together (trying: ...), but it fails to do so since migrating those two source packages would cause new uninstallable packages in testing (amd64: ...) Thanks, but I still don't understand. node-jest-react depends on any version of jest, has already migrated and all of those packages are arch:all. I tried to install ts-jest 29 and jest 29 on a testing schroot with node-jest-react, no problem found... I'm not sure how you managed that. A quick dose run using the current packages files shows that jest 29.1.2~ds1+~cs70.47.21-1 depends on node-cjs-module-lexer, which isn't in testing. Checking the changelog also shows: node-jest (29.1.1~ds1+~cs70.47.20-1) unstable; urgency=medium * Replace component by dependency: cjs-module-lexer (Closes: #1019355) Regards, Adam Oh, thanks a lot, that is the problem! Cheers, Yadd
Re: Migration problem
On 11/10/2022 09:27, Sebastian Ramacher wrote: On 2022-10-11 06:50:09 +0200, Yadd wrote: On 09/10/2022 16:42, Yadd wrote: On 09/10/2022 15:26, Paul Gevers wrote: Hi Yadd, [For the future, these mails should go to the release team. I'm not the only one in the team, and there is nothing secret here]. On 09-10-2022 07:44, Yadd wrote: 4 packages are blocked in unstable but I don't understand where the problem is: node-jest, node-ts-jest, node-webpack and node-rollup-plugin-terser. See https://tracker.debian.org/pkg/node-jest (regressions fixed by the 3 other updates). Could you help me to understand this? It looks like several packages need to go together, but there's no *versioned* relation that describes that. britney schedules the tests taking versions into account so with the right Breaks or Depends, the tests would take more from unstable. Now, it might be that this is only a *test* issue and not a user facing thing. In that case, (if you think it's not a good idea to add the versioned Depends or Breaks) the release team can trigger the combination. Adding unnecessary Breaks makes upgrades a bit harder for apt, so they are not for free, but I haven't encountered issues on that front yet. Paul Hi, yes, issues are only related to tests, that's why I didn't add Breaks fields. I asked Jérémy to add a "Breaks: jest (<< 29~)" into nodejs, but it will not help here. Cheers, Yadd Hi, node-jest is still blocked in unstable but I can't understand why: * tracker.d.o reports nothing * Britney output is unintelligible trying: node-ts-jest node-jest skipped: node-ts-jest node-jest (0, 56, 23) got: 22+0: a-4:a-17:a-0:a-0:i-0:m-0:m-0:p-0:s-1 * amd64: jest, node-jest-react, ts-jest Britney is trying to migrate node-ts-jest and node-jest together (trying: ...), but it fails to do so since migrating those two source packages would cause new uninstallable packages in testing (amd64: ...) Thanks, but I still don't understand.
node-jest-react depends on any version of jest, has already migrated and all of those packages are arch:all. I tried to install ts-jest 29 and jest 29 on a testing schroot with node-jest-react, no problem found...
Re: Migration problem
On 09/10/2022 16:42, Yadd wrote: On 09/10/2022 15:26, Paul Gevers wrote: Hi Yadd, [For the future, these mails should go to the release team. I'm not the only one in the team, and there is nothing secret here]. On 09-10-2022 07:44, Yadd wrote: 4 packages are blocked in unstable but I don't understand where the problem is: node-jest, node-ts-jest, node-webpack and node-rollup-plugin-terser. See https://tracker.debian.org/pkg/node-jest (regressions fixed by the 3 other updates). Could you help me to understand this? It looks like several packages need to go together, but there's no *versioned* relation that describes that. britney schedules the tests taking versions into account so with the right Breaks or Depends, the tests would take more from unstable. Now, it might be that this is only a *test* issue and not a user facing thing. In that case, (if you think it's not a good idea to add the versioned Depends or Breaks) the release team can trigger the combination. Adding unnecessary Breaks makes upgrades a bit harder for apt, so they are not for free, but I haven't encountered issues on that front yet. Paul Hi, yes, issues are only related to tests, that's why I didn't add Breaks fields. I asked Jérémy to add a "Breaks: jest (<< 29~)" into nodejs, but it will not help here. Cheers, Yadd Hi, node-jest is still blocked in unstable but I can't understand why: * tracker.d.o reports nothing * Britney output is unintelligible trying: node-ts-jest node-jest skipped: node-ts-jest node-jest (0, 56, 23) got: 22+0: a-4:a-17:a-0:a-0:i-0:m-0:m-0:p-0:s-1 * amd64: jest, node-jest-react, ts-jest - splitting the component into single items and retrying them trying: node-jest skipped: node-jest (0, 56, 24) got: 22+0: a-4:a-17:a-0:a-0:i-0:m-0:m-0:p-0:s-1 * amd64: jest, node-jest-react, ts-jest trying: node-ts-jest skipped: node-ts-jest (0, 57, 23) got: 20+0: a-2:a-17:a-0:a-0:i-0:m-0:m-0:p-0:s-1 * amd64: ts-jest Best regards, Yadd
Re: Migration problem
On 09/10/2022 15:26, Paul Gevers wrote: Hi Yadd, [For the future, these mails should go to the release team. I'm not the only one in the team, and there is nothing secret here]. On 09-10-2022 07:44, Yadd wrote: 4 packages are blocked in unstable but I don't understand where the problem is: node-jest, node-ts-jest, node-webpack and node-rollup-plugin-terser. See https://tracker.debian.org/pkg/node-jest (regressions fixed by the 3 other updates). Could you help me to understand this? It looks like several packages need to go together, but there's no *versioned* relation that describes that. britney schedules the tests taking versions into account so with the right Breaks or Depends, the tests would take more from unstable. Now, it might be that this is only a *test* issue and not a user facing thing. In that case, (if you think it's not a good idea to add the versioned Depends or Breaks) the release team can trigger the combination. Adding unnecessary Breaks makes upgrades a bit harder for apt, so they are not for free, but I haven't encountered issues on that front yet. Paul Hi, yes, issues are only related to tests, that's why I didn't add Breaks fields. I asked Jérémy to add a "Breaks: jest (<< 29~)" into nodejs, but it will not help here. Cheers, Yadd
Bug#1019915: bullseye-pu: package dojo/1.15.4+dfsg1-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] dojo is vulnerable to prototype pollution (#1014785, CVE-2021-23450) [ Impact ] Medium vulnerability [ Tests ] No new test here [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index bf5c2b47..b861b5a0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.15.4+dfsg1-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #1014785, CVE-2021-23450) + + -- Yadd Fri, 16 Sep 2022 10:42:57 +0200 + dojo (1.15.4+dfsg1-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23450.patch b/debian/patches/CVE-2021-23450.patch new file mode 100644 index ..fe66d089 --- /dev/null +++ b/debian/patches/CVE-2021-23450.patch @@ -0,0 +1,22 @@ +Description: Fix for CVE-2021-23450, prototype pollution +Author: Sanchit Chadha +Bug-Debian: https://bugs.debian.org/970501 +Origin: upstream, https://github.com/dojo/dojo/commit/b7b8b279 +Bug-Debian: https://bugs.debian.org/1014785 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-09-16 + +--- a/dojo/_base/lang.js b/dojo/_base/lang.js +@@ -31,6 +31,10 @@ + try{ + for(var i = 0; i < parts.length; i++){ + var p = parts[i]; ++ // Fix for prototype pollution CVE-2021-23450 ++ if (p === '__proto__' || p === 'constructor') { ++ return; ++ } + if(!(p in context)){ + if(create){ + context[p] = {}; diff --git a/debian/patches/series b/debian/patches/series index c75b2155..0436f059 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -2,3 +2,4 @@ 0002-Do-notrun-test-suite-in-build.patch 0003-Disable-flash-storage.patch 0004-Fix-shrinksafe-tests-with-new-rhino.patch +CVE-2021-23450.patch
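Review bot: the DEP-3 header of CVE-2021-23450.patch carries two `Bug-Debian:` fields (`https://bugs.debian.org/970501` and `https://bugs.debian.org/1014785`) while the changelog entry only closes #1014785; drop the 970501 line or say why it belongs there. In the lang.js hunk, the new guard `if (p === '__proto__' || p === 'constructor') { return; }` makes the whole path lookup return `undefined`, so a caller cannot distinguish a rejected key from a path that simply does not exist, and `create` callers get no object back; throwing, or at least documenting that return value in the comment above the check, would make the failure visible instead of silent.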
Bug#1019539: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pkg-perl-maintain...@alioth-lists.debian.net [ Reason ] lemonldap-ng before version 2.0.15 has an issue that may maintain a session active on a Lemonldap::NG's handler if user has a continuous activity on this handler after session expiration or deletion (CVE-2022-37186), if and only if user activity is tracked by handlers (disabled by default) [ Impact ] Medium vulnerability [ Tests ] Tests passed, no new test backported here [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Handler's calls to session API now have a "nocache" option for writing. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index f6be653a8..c276c65c0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +lemonldap-ng (2.0.11+ds-4+deb11u2) bullseye; urgency=medium + + * Add patch to improve session destroy propagation (Closes: CVE-2022-37186) + + -- Yadd Sun, 11 Sep 2022 09:28:30 +0200 + lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium * Fix auth process in password-testing plugins (Closes: CVE-2021-20874) diff --git a/debian/patches/CVE-2022-37186.patch b/debian/patches/CVE-2022-37186.patch new file mode 100644 index 0..12e80c4d7 --- /dev/null +++ b/debian/patches/CVE-2022-37186.patch 
@@ -0,0 +1,31 @@ +Description: Improve session destroy propagation +Author: Yadd +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/59c781b3 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2758 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-09-11 + +--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Apache/Session/Store.pm +@@ -56,7 +56,7 @@ + + # Get session from cache + my $id = $session->{data}->{_session_id}; +-if ( $self->cache->get($id) ) { ++if ( !$self->{args}->{noCache} and $self->cache->get($id) ) { + $session->{serialized} = $self->cache->get($id); + return; + } +--- a/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm b/lemonldap-ng-common/lib/Lemonldap/NG/Common/Session.pm +@@ -213,7 +213,8 @@ + return 0; + } + +-my $data = $self->_tie_session($tieOptions); ++my $data = $self->_tie_session( ++{ ( $tieOptions ? %$tieOptions : () ), noCache => 1 } ); + + if ($data) { + foreach ( keys %$infos ) { diff --git a/debian/patches/series b/debian/patches/series index 644277be7..9d8952af0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -9,3 +9,4 @@ fix-trusted-domain-regex.patch fix-xss-on-register-form.patch dont-display-totp-secret.patch CVE-2021-40874.patch +CVE-2022-37186.patch
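Review bot: the Store.pm hunk (`@@ -56`) makes `noCache` bypass the local cache on read and the Session.pm hunk (`@@ -213`) passes `noCache => 1` into `_tie_session` on the update path, but nothing in these two hunks removes or refreshes the cached entry for `$id` once the write has happened; please confirm that an update also invalidates the cache elsewhere, otherwise a handler that already holds the entry keeps serving the old session data until the cache entry expires, which is the very symptom the patch targets. Minor: the guarded condition still calls `$self->cache->get($id)` twice (once in the test, once in the assignment on the next line); keeping the first result in a variable avoids the second lookup.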
Bug#1017926: RM: node-request-capture-har/1.2.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, node-request-capture-har is a wrapper around deprecated node-request (#1002901). Its reverse-dependency (node-yarnpkg) has already been removed from testing. Could you remove it from testing? Cheers, Yadd
Bug#1017925: RM: node-request/2.88.1-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: rm Hi, could you remove node-request from testing? Following #956423, it shouldn't be part of next stable release. All its reverse dependencies are already removed from testing (yarnpkg, node-matrix-sdk). Cheers, Yadd
Bug#1016287: closed by Paul Gevers (Re: Bug#1016287: release.debian.org: autopkgtest 2 to 5 days since addition of armel)
On 30/07/2022 16:45, Paul Gevers wrote: Control: reopen -1 Control: retitle -1 britney recursive installability test in autopkgtest Hi Yadd, On 30-07-2022 15:58, Yadd wrote: Node.js isn't available on armel, and the consequence will be to not fix some CVEs/BTS during freeze. Hope none of them will appear... For those we have unblock requests and the normal process to get packages into testing during the freeze. The autopkgtest process wasn't designed to change that. Maybe Britney could not consider autopkgtest as failing when a build dependency is missing in one arch (at least for arch=all)? Why *build* dependencies? britney takes dependencies into account and doesn't schedule the jobs if all binaries are uninstallable. However, looking at your example, there might be an issue that it doesn't resolve that recursively during the policy phase of britney. (There's also a problem for britney that involves source packages that build both arch:all and arch:any binaries, which it fundamentally can't always resolve correctly, I thought we were in that case here). Let's see if I can come up with a reproducer in our test suite. Thanks! Most node-* packages build-depend on nodejs but are usable without it. See libjs-bootstrap4 for example Again, what do build dependencies have to do with the problem? If they don't need nodejs to run, they shouldn't have a dependency on them and everything is fine. You'll recall that I recently stripped the unneeded nodejs dependency from all node-d3-* packages. Now they are installable on armel. Paul By "build dependencies", I meant "test dependencies" (Build-Depends often contains both). All JS test frameworks need nodejs (mocha, jest, tape,...) and all node-d3-* autopkgtests will fail on armel. Cheers, Yadd
Bug#1016287: closed by Paul Gevers (Re: Bug#1016287: release.debian.org: autopkgtest 2 to 5 days since addition of armel)
> Hi Jérémy, > > On 29-07-2022 19:36, Jérémy Lal wrote: > > when a package passes all autopkgtests it can migrate in 2 days, > > however if it depends on an architecture that reports "Not a > > regression", > > it seems that the bonus is lost and the package must wait 5 days. > > That's by design. > > > The problem is that it happens when a package depends on a package > > that is not available in a given architecture. > > Unfortunately, that's indeed the price of that design. As we're > supposed > to try and support all architectures equally well, I decided that's > acceptable. > > Paul [...] > Hi Jérémy. > > On 29-07-2022 22:17, Jérémy Lal wrote: > > I don't see how artificially adding migration days will improve > > debian quality in any way. > > We're not adding days, we're just not giving the bounty for success on > all architectures where we run autopkgtests, which was the rule for > the bounty. > > Paul Hi, this is not just a matter of bounty, but the key to upload during freeze. Node.js isn't available on armel, and the consequence will be to not fix some CVEs/BTS during freeze. Hope none of them will appear... Maybe Britney could not consider autopkgtest as failing when a build dependency is missing in one arch (at least for arch=all)? Most node-* packages build-depend on nodejs but are usable without it. See libjs-bootstrap4 for example
Bug#1014900: bullseye-pu: package node-moment/2.29.1+ds-2+deb11u2
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-moment is vulnerable to ReDoS (#1014845, CVE-2022-31129) [ Impact ] Medium security issue [ Tests ] Sadly there is no test in this package. [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Regexp improvement Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index d0566a3b..829c6ec2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-moment (2.29.1+ds-2+deb11u2) bullseye; urgency=medium + + * Fix ReDoS (Closes: #1014845, CVE-2022-31129) + + -- Yadd Wed, 13 Jul 2022 21:12:52 +0200 + node-moment (2.29.1+ds-2+deb11u1) bullseye; urgency=medium * Avoid loading path-looking locales from fs (Closes: #1009327, diff --git a/debian/patches/CVE-2022-31129.patch b/debian/patches/CVE-2022-31129.patch new file mode 100644 index ..e10777fa --- /dev/null +++ b/debian/patches/CVE-2022-31129.patch 
@@ -0,0 +1,42 @@ +Description: Fix ReDoS +Author: Khang Vo (doublevkay) +Origin: upstream, https://github.com/moment/moment/commit/9a3b5894 +Bug: https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g +Bug-Debian: https://bugs.debian.org/1014845 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-07-13 + +--- a/dist/moment.js b/dist/moment.js +@@ -2434,7 +2434,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +-.replace(/\([^)]*\)|[\n\t]/g, ' ') ++.replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); +--- a/moment.js b/moment.js +@@ -2440,7 +2440,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +-.replace(/\([^)]*\)|[\n\t]/g, ' ') ++.replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); +--- a/src/lib/create/from-string.js b/src/lib/create/from-string.js +@@ -147,7 +147,7 @@ + function preprocessRFC2822(s) { + // Remove comments and folding whitespace and replace multiple-spaces with a single space + return s +-.replace(/\([^)]*\)|[\n\t]/g, ' ') ++.replace(/\([^()]*\)|[\n\t]/g, ' ') + .replace(/(\s\s+)/g, ' ') + .replace(/^\s\s*/, '') + .replace(/\s\s*$/, ''); diff --git a/debian/patches/series b/debian/patches/series index b59ca1ed..48b9eff0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ CVE-2022-24785.patch +CVE-2022-31129.patch
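Review bot: the three identical hunks (dist/moment.js `@@ -2434`, moment.js `@@ -2440`, src/lib/create/from-string.js `@@ -147`) change the comment pattern from `/\([^)]*\)|[\n\t]/g` to `/\([^()]*\)|[\n\t]/g`, which removes the backtracking on unbalanced input but also changes how RFC 2822 nested comments are handled: a comment that itself contains `(` is no longer stripped as one unit, so such a string now reaches the date parser with leftover parentheses. That trade-off is reasonable for a ReDoS fix and worth one line in the patch Description. Since the report notes there is no test in this package, a small regression test that calls `preprocessRFC2822` with the input shape described in the upstream advisory and asserts it returns promptly would protect the backport from being reverted by a later merge.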
Bug#1014571: bullseye-pu: package node-log4js/6.3.0+~cs8.3.10-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-log4js creates log files with permissive rights (644). This causes a security issue (CVE-2022-21704) [ Impact ] Medium vulnerability [ Tests ] Test passed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Replace default mode from 0644 to 0600 Regards, Yadd diff --git a/debian/changelog b/debian/changelog index 75dbfc2..00af70f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-log4js (6.3.0+~cs8.3.10-1+deb11u1) bullseye; urgency=medium + + * Changed default file modes from 0o644 to 0o600 for better security +(Closes: CVE-2022-21704) + + -- Yadd Fri, 08 Jul 2022 07:44:46 +0200 + node-log4js (6.3.0+~cs8.3.10-1) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/patches/CVE-2022-21704.patch b/debian/patches/CVE-2022-21704.patch new file mode 100644 index 000..76f1757 --- /dev/null +++ b/debian/patches/CVE-2022-21704.patch 
@@ -0,0 +1,177 @@ +Description: Changed default file modes from 0o644 to 0o600 for better security +Author: peteriman +Origin: upstream, https://patch-diff.githubusercontent.com/raw/log4js-node/log4js-node/pull/1141 + https://patch-diff.githubusercontent.com/raw/log4js-node/streamroller/pull/87 +Bug: https://github.com/log4js-node/log4js-node/security/advisories/GHSA-82v2-mx6x-wq7q +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-07-08 + +--- a/docs/dateFile.md b/docs/dateFile.md +@@ -11,7 +11,7 @@ + + Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams): + * `encoding` - `string` (default "utf-8") +-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes)) ++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes)) + * `flags` - `string` (default 'a') + * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension) + * `alwaysIncludePattern` - `boolean` (default false) - include the pattern in the name of the current log file as well as the backups. 
+--- a/docs/file.md b/docs/file.md +@@ -12,7 +12,7 @@ + + Any other configuration parameters will be passed to the underlying [streamroller](https://github.com/nomiddlename/streamroller) implementation (see also node.js core file streams): + * `encoding` - `string` (default "utf-8") +-* `mode`- `integer` (default 0o644 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes)) ++* `mode`- `integer` (default 0o600 - [node.js file modes](https://nodejs.org/dist/latest-v12.x/docs/api/fs.html#fs_file_modes)) + * `flags` - `string` (default 'a') + * `compress` - `boolean` (default false) - compress the backup files during rolling (backup files will have `.gz` extension) + * `keepFileExt` - `boolean` (default false) - preserve the file extension when rotating log files (`file.log` becomes `file.1.log` instead of `file.log.1`) +--- a/docs/fileSync.md b/docs/fileSync.md +@@ -12,7 +12,7 @@ + + Any other configuration parameters will be passed to the underlying node.js core stream implementation: + * `encoding` - `string` (default "utf-8") +-* `mode`- `integer` (default 0644) ++* `mode`- `integer` (default 0600) + * `flags` - `string` (default 'a') + + ## Example +--- a/lib/appenders/dateFile.js b/lib/appenders/dateFile.js +@@ -49,7 +49,6 @@ + + function configure(config, layouts) { + let layout = layouts.basicLayout; +- + if (config.layout) { + layout = layouts.layout(config.layout.type, config.layout); + } +@@ -58,6 +57,9 @@ + config.alwaysIncludePattern = false; + } + ++ // security default (instead of relying on streamroller default) ++ config.mode = config.mode || 0o600; ++ + return appender( + config.filename, + config.pattern, +--- a/lib/appenders/file.js b/lib/appenders/file.js +@@ -94,6 +94,9 @@ + layout = layouts.layout(config.layout.type, config.layout); + } + ++ // security default (instead of relying on streamroller default) ++ config.mode = config.mode || 0o600; ++ + return fileAppender( + config.filename, + layout, +--- 
a/lib/appenders/fileSync.js b/lib/appenders/fileSync.js +@@ -192,7 +192,7 @@ + const options = { + flags: config.flags || 'a', + encoding: config.encoding || 'utf8', +-mode: config.mode || 0o644 ++mode: config.mode || 0o600 + }; + + return fileAppender( +--- a/streamroller/README.md b/st
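Review bot: the lib/appenders/dateFile.js hunk at `@@ -49` removes an unrelated blank line after `let layout = layouts.basicLayout;`; drop that whitespace-only change so the stable security patch stays minimal and easy to audit. The new defaults (`config.mode = config.mode || 0o600;` in dateFile.js and file.js, `mode: config.mode || 0o600` in fileSync.js) only govern files the appender creates: a log file that already exists keeps the mode it was created with, so the documentation hunks (docs/dateFile.md, docs/file.md, docs/fileSync.md) should tell administrators that existing 0644 log files have to be tightened by hand for the fix to apply to them.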
Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1
On 21/06/2022 08:30, Salvatore Bonaccorso wrote: Hi Yadd, On Sat, May 28, 2022 at 09:20:40PM +0100, Adam D. Barratt wrote: Control: tags -1 + confirmed On Mon, 2022-03-21 at 14:09 +0100, Yadd wrote: node-mermaid is vulnerable to XSS attack (CVE-2021-23648) Please go ahead. Could you fix as well CVE-2021-43861 in the next point release? Should be then on top of the already uploaded +deb11u1. Regards, Salvatore Hi, done (8.7.0+ds+~cs27.17.17-3+deb11u2), just pushed to Bullseye queue Regards, Yadd
diff --git a/debian/changelog b/debian/changelog index 32f71e8..f566922 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u2) bullseye; urgency=medium + + * Team upload + * Fix for XSS vulnerability in url sanitization (Closes: CVE-2021-43861) + + -- Yadd Sat, 02 Jul 2022 07:06:05 +0200 + node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium * Decode html entities before sanitizing (Closes: CVE-2021-23648) diff --git a/debian/patches/CVE-2021-43861.patch b/debian/patches/CVE-2021-43861.patch new file mode 100644 index 000..418467e --- /dev/null +++ b/debian/patches/CVE-2021-43861.patch 
@@ -0,0 +1,306 @@ +Description: Fix for XSS vulnerability in url sanitization +Author: Knut Sveidqvist +Origin: upstream, https://github.com/mermaid-js/mermaid/commit/066b7a0d +Bug: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-p3rp-vmj9-gv6v +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-07-02 + +--- /dev/null b/cypress/platform/xss16.html +@@ -0,0 +1,106 @@ ++ ++ ++https://fonts.googleapis.com/css?family=Montserrat=swap; ++ rel="stylesheet" ++/> ++https://unpkg.com/tailwindcss@^1.0/dist/tailwind.min.css; rel="stylesheet"> ++https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css;> ++https://fonts.googleapis.com/css?family=Noto+Sans+SC=swap; rel="stylesheet"> ++ ++ body { ++/* background: rgb(221, 208, 208); */ ++/* background:#333; */ ++font-family: 'Arial'; ++/* font-size: 18px !important; */ ++} ++ h1 { color: grey;} ++ .mermaid2 { ++display: none; ++ } ++ .mermaid svg { ++/* font-size: 18px !important; */ ++ } ++ .malware { ++position: fixed; ++bottom:0; ++left:0; ++right:0; ++height: 150px; ++background: red; ++color: black; ++display: flex; ++display: flex; ++justify-content: center; ++align-items: center; ++font-family: monospace; ++font-size: 72px; ++ } ++ ++ ++ ++Security check ++ ++ ++ ++ ++ ++ mermaid.parseError = function (err, hash) { ++// console.error('Mermaid error: ', err); ++ }; ++ mermaid.initialize({ ++theme: 'forest', ++arrowMarkerAbsolute: true, ++// themeCSS: '.edgePath .path {stroke: red;} .arrowheadPath {fill: red;}', ++logLevel: 0, ++state: { ++ defaultRenderer: 'dagre-d3', ++}, ++flowchart: { ++ // defaultRenderer: 'dagre-wrapper', ++ nodeSpacing: 10, ++curve: 'cardinal', ++htmlLabels: true, ++}, ++htmlLabels: true, ++// gantt: { axisFormat: '%m/%d/%Y' }, ++sequence: { actorFontFamily: 'courier', actorMargin: 50, showSequenceNumbers: false }, ++// sequenceDiagram: { actorMargin: 300 } // deprecated ++// fontFamily: '"times", sans-serif', ++// fontFamily: 'courier', ++fontSize: 18, 
++curve: 'basis', ++securityLevel: 'loose', ++startOnLoad: false, ++secure: ['secure', 'securityLevel', 'startOnLoad', 'maxTextSize'], ++// themeVariables: {relationLabelColor: 'red'} ++ }); ++ function callback() { ++ alert('It worked'); ++} ++ function xssAttack() { ++const div = document.createElement('div'); ++div.id = 'the-malware'; ++div.className = 'malware'; ++div.innerHTML = 'XSS Succeeded'; ++document.getElementsByTagName('body')[0].appendChild(div); ++throw new Error('XSS Succeded'); ++ } ++ ++ var diagram = `sequenceDiagram ++participant Alice ++links Alice: { "Click me!" : "javasjavascript:cript:alert('goose')" }`; ++ ++// // var diagram = "stateDiagram-v2\n"; ++// // diagram += "<img/src='1'/onerror" ++// diagram += '//via.placeholder.com/64\' width=64 />"]'; ++// console.log(diagram); ++// document.querySelector('#diagram').innerHTML = diagram; ++mermaid.render('diagram', diagram, (res) => { ++ console.log(res); ++ document.querySelector('#res').innerHTML = res; ++}); ++ ++ ++ ++ +--- /dev/null b/cypress/platform/xss17.html +@@ -0,0 +1,106 @@ ++ ++ ++https://
Bug#1014054: bullseye-pu: package node-got/11.8.1+~cs53.13.17-3+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-got allows redirection to unix sockets (#1013264, CVE-2022-33987) [ Impact ] Medium vulnerability: a remote host can redirect a node-got request to a Unix socket [ Tests ] Sadly tests aren't enabled: ava was introduced earlier in Debian [ Risks ] Low risk: * patch is trivial * package is built from TypeScript, then tsc compiler checks for a lot of errors [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just reject URLs starting with "unix:" if the original request wasn't a "unix:" request. Note that I had to add a typescript change: one ignored error is no longer an error. Regards, Yadd diff --git a/debian/changelog b/debian/changelog index 9cda1ef..a4bd358 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-got (11.8.1+~cs53.13.17-3+deb11u1) bullseye; urgency=medium + + * Team upload + * Don't allow redirection to Unix socket (Closes: #1013264, CVE-2022-33987) + + -- Yadd Wed, 29 Jun 2022 16:30:16 +0200 + node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-33987.patch b/debian/patches/CVE-2022-33987.patch new file mode 100644 index 000..79c012f --- /dev/null +++ b/debian/patches/CVE-2022-33987.patch 
@@ -0,0 +1,100 @@ +Description: Don't allow redirect to Unix socket +Author: Sindre Sorhus +Origin: upstream, https://github.com/sindresorhus/got/commit/bce8ce7d +Bug: https://github.com/sindresorhus/got/pull/2047 +Bug-Debian: https://bugs.debian.org/1013264 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-06-29 + +--- a/source/core/index.ts b/source/core/index.ts +@@ -2102,6 +2102,16 @@ + const redirectString = redirectUrl.toString(); + decodeURI(redirectString); + ++ // eslint-disable-next-line no-inner-declarations ++ function isUnixSocketURL(url: URL) { ++ return url.protocol === 'unix:' || url.hostname === 'unix'; ++ } ++ ++ if (!isUnixSocketURL(url) && isUnixSocketURL(redirectUrl)) { ++ this._beforeError(new RequestError('Cannot redirect to UNIX socket', {}, this)); ++ return; ++ } ++ + // Redirecting to a different site, clear sensitive data. + if (redirectUrl.hostname !== url.hostname || redirectUrl.port !== url.port) { + if ('host' in options.headers) { +--- a/test/redirects.ts b/test/redirects.ts +@@ -1,7 +1,7 @@ + import test from 'ava'; + import {Handler} from 'express'; + import nock = require('nock'); +-import got, {MaxRedirectsError} from '../source'; ++import got, {MaxRedirectsError, RequestError} from '../source'; + import withServer, {withHttpsServer} from './helpers/with-server'; + + const reachedHandler: Handler = (_request, response) => { +@@ -509,3 +509,32 @@ + t.is(response.body, 'SERVER2'); + }); + }); ++ ++const unixProtocol: Handler = (_request, response) => { ++ response.writeHead(302, { ++ location: 'unix:/var/run/docker.sock:/containers/json' ++ }); ++ response.end(); ++}; ++ ++const unixHostname: Handler = (_request, response) => { ++ response.writeHead(302, { ++ location: 'http://unix:/var/run/docker.sock:/containers/json' ++ }); ++ response.end(); ++}; ++ ++test('cannot redirect to unix protocol', withServer, async (t, server, got) => { ++ server.get('/protocol', unixProtocol); ++ server.get('/hostname', unixHostname); ++ 
++ await t.throwsAsync(got('protocol'), { ++ message: 'Cannot redirect to UNIX socket', ++ instanceOf: RequestError ++ }); ++ ++ await t.throwsAsync(got('hostname'), { ++ message: 'Cannot redirect to UNIX socket', ++ instanceOf: RequestError ++ }); ++}); +--- a/test/unix-socket.ts b/test/unix-socket.ts +@@ -8,6 +8,13 @@ + response.end('ok'); + }; + ++const redirectHandler: Handler = (_request, response) => { ++ response.writeHead(302, { ++ location: 'foo' ++ }); ++ response.end(); ++}; ++ + if (process.platform !== 'win32') { + test('works', withSocketServer, async (t, server) => { + server.on('/', okHandler); +@@ -53,3 +60,11 @@ + t.is((await got(url)).body, 'ok'); + }); + } ++ ++test('redirects work', withSocketSe
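Review bot: the new guard `if (!isUnixSocketURL(url) && isUnixSocketURL(redirectUrl))` in `source/core/index.ts` only asks whether the request started on a socket, not which socket, so a request that began on one Unix socket can still be redirected by that peer to any other socket path the process can open. The added `redirects work` test in `test/unix-socket.ts` covers a relative `Location: foo` on a socket origin, but nothing covers a socket-origin response whose Location is another socket such as `unix:/var/run/docker.sock:/containers/json`; either compare the socket path as well or state in the patch header that socket-to-socket hops are intentionally allowed. Style: `isUnixSocketURL` is declared inside the response handler behind `// eslint-disable-next-line no-inner-declarations`; hoisting it to module scope removes the suppression. The DEP-3 header also has `Origin: upstream, .../commit/bce8ce7d` but no `Applied-Upstream:` line naming the released version, unlike the other CVE patches in this series.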
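To make the redirect rule concrete, here is an added JavaScript model of the decision the patch installs. It is not got's own code: it reuses the patch's `isUnixSocketURL` predicate and assumes, as got does, that a `Location` header is resolved against the current request URL with Node's WHATWG `URL` parser (`new URL(location, currentUrl)`). The sample request/Location pairs are constructed here and mirror the shapes exercised by the patch's tests, plus an upper-cased variant to show why the check must run on the parsed URL rather than on the raw header string.

```javascript
// Added example (not got's code): model of the redirect policy from the
// CVE-2022-33987 patch, driven by Node's built-in WHATWG URL parser.
// Assumption: got resolves Location against the current URL via new URL(location, url).

// Same predicate as the patch: got accepts both `unix:/path:/route` and the
// `http://unix:/path:/route` hostname convention as Unix-socket targets.
function isUnixSocketURL(url) {
  return url.protocol === 'unix:' || url.hostname === 'unix';
}

// Decide what to do with a 3xx Location received for a request to `currentUrl`.
// Returns { action: 'reject', reason, target } or { action: 'follow', url }.
function planRedirect(currentUrl, location) {
  const url = new URL(currentUrl);
  let redirectUrl;
  try {
    redirectUrl = new URL(location, url);
  } catch {
    return { action: 'reject', reason: 'Invalid Location header', target: location };
  }

  // Only a request that did NOT start on a socket is blocked from moving to one;
  // a request that already targets a socket may follow relative redirects (`foo`).
  if (!isUnixSocketURL(url) && isUnixSocketURL(redirectUrl)) {
    return { action: 'reject', reason: 'Cannot redirect to UNIX socket', target: redirectUrl.href };
  }
  return { action: 'follow', url: redirectUrl.href };
}

// Constructed samples: [request URL, Location header value].
const samples = [
  ['http://localhost:8080/protocol', 'unix:/var/run/docker.sock:/containers/json'],
  ['http://localhost:8080/hostname', 'http://unix:/var/run/docker.sock:/containers/json'],
  // Scheme and host are lowercased by the URL parser, so this is still caught.
  ['http://localhost:8080/upper', 'HTTP://UNIX:/var/run/docker.sock:/containers/json'],
  ['http://localhost:8080/ok', 'https://example.org/landing'],
  // Socket origin following a relative Location keeps working.
  ['unix:/tmp/app.sock:/start', 'foo'],
];

for (const [from, location] of samples) {
  console.log(`${from}  Location: ${location}`, '=>', planRedirect(from, location));
}
```

The upper-cased sample is the reason the guard belongs after URL parsing: a string comparison against the raw header (`location.startsWith('unix:')`) would miss both `HTTP://UNIX:` and the `http://unix:` hostname form, while `url.hostname` is already normalised to `unix` by the time the check runs.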
Bug#1013944: bullseye-pu: package cyrus-imapd/3.2.6-2+deb11u2
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu

[ Reason ]
Bookworm will provide cyrus-imapd 3.6.x. To permit a safe upgrade from 3.2.6, upstream provided a patch for versions 3.4 and 3.2. It ensures that mailboxes have a unique id.

[ Impact ]
Risk during Bullseye to Bookworm upgrade.

[ Tests ]
Tests passed (https://salsa.debian.org/debian/cyrus-imapd/-/pipelines/393112)

[ Risks ]
This patch is the difference between 3.2.9 and 3.2.10, applied without any change.

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Cyrus tools now check if the mailbox id is really unique.

Cheers,
Yadd

diff --git a/debian/changelog b/debian/changelog index ca4d2a92..209a040f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +cyrus-imapd (3.2.6-2+deb11u2) bullseye; urgency=medium + + * Ensure that ctl_cyrusdb -r and reconstruct now ensure the "uniqueid" field +is present in and synchronised between mailboxes.db and cyrus.header. +Required before 3.6.x upgrade + + -- Yadd Mon, 27 Jun 2022 21:41:17 +0200 + cyrus-imapd (3.2.6-2+deb11u1) bullseye; urgency=high * Replace string hashing algorithm (Closes: #993433, CVE-2021-33582) diff --git a/debian/patches/prepare-3.6-upgrade.patch b/debian/patches/prepare-3.6-upgrade.patch new file mode 100644 index ..a7b8aea0 --- /dev/null +++ b/debian/patches/prepare-3.6-upgrade.patch
@@ -0,0 +1,244 @@ +Description: reconstruct mailboxes to prepare + ctl_cyrusdb -r and reconstruct now ensure the "uniqueid" field is present + in and synchronised between mailboxes.db and cyrus.header. +Author: ellie timoney +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/360e5d153 + https://github.com/cyrusimap/cyrus-imapd/commit/93b01dd83 + https://github.com/cyrusimap/cyrus-imapd/commit/0f59f9f36 + https://github.com/cyrusimap/cyrus-imapd/commit/0ee7d128a + https://github.com/cyrusimap/cyrus-imapd/commit/2918ce8f0 + https://github.com/cyrusimap/cyrus-imapd/commit/a330b471f + https://github.com/cyrusimap/cyrus-imapd/commit/df58b26cb +Bug: https://github.com/cyrusimap/cyrus-imapd/pull/4100 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-06-27 + +--- a/imap/ctl_cyrusdb.c b/imap/ctl_cyrusdb.c +@@ -129,7 +129,7 @@ + static int fixmbox(const mbentry_t *mbentry, +void *rock __attribute__((unused))) + { +-int r; ++int r, r2; + + /* if MBTYPE_RESERVED, unset it & call mboxlist_delete */ + if (mbentry->mbtype & MBTYPE_RESERVE) { +@@ -172,12 +172,66 @@ +mbentry->name, cyrusdb_strerror(r)); + } + ++/* make sure every local mbentry has a uniqueid! */ ++if (!mbentry->uniqueid && mbentry_is_local_mailbox(mbentry)) { ++struct mailbox *mailbox = NULL; ++struct mboxlock *namespacelock = NULL; ++mbentry_t *copy = NULL; ++ ++r = mailbox_open_iwl(mbentry->name, ); ++if (r) { ++/* XXX what does it mean if there's an mbentry, but the mailbox ++ * XXX was not openable? ++ */ ++syslog(LOG_DEBUG, "%s: mailbox_open_iwl %s returned %s", ++ __func__, mbentry->name, error_message(r)); ++goto skip_uniqueid; ++} ++ ++if (!mailbox->uniqueid) { ++/* yikes, no uniqueid in header either! 
*/ ++mailbox_make_uniqueid(mailbox); ++syslog(LOG_INFO, "mailbox %s header had no uniqueid, creating %s", ++ mbentry->name, mailbox->uniqueid); ++} ++ ++copy = mboxlist_entry_copy(mbentry); ++copy->uniqueid = xstrdup(mailbox->uniqueid); ++syslog(LOG_INFO, "mbentry %s had no uniqueid, setting %s from header", ++ copy->name, copy->uniqueid); ++ ++namespacelock = mboxname_usernamespacelock(copy->name); ++r = mboxlist_update(copy, /*localonly*/1); ++mboxname_release(); ++if (r) { ++syslog(LOG_ERR, "failed to update mboxlist for %s: %s", ++mbentry->name, error_message(r)); ++r2 = mailbox_abort(mailbox); ++if (r2) { ++syslog(LOG_ERR, "DBERROR: error aborting transaction: %s", ++cyrusdb_strerror(r2)); ++} ++} ++else { ++r2 = mailbox_commit(mailbox); ++if (r2) { ++syslog(LOG_ERR, "DBERROR: error committing transaction: %s", ++cyrusdb_strerror(r2)); ++} ++} ++mailbox_close(); ++mboxlist_entry_free();
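Review bot: in the `fixmbox` hunk of `imap/ctl_cyrusdb.c` the per-user namespace lock (`namespacelock = mboxname_usernamespacelock(copy->name)`) is acquired only after `mailbox_open_iwl` has already taken the mailbox's index write lock; if the rest of Cyrus takes the namespace lock before opening a mailbox, this ordering invites a lock-order inversion against a concurrently running imapd or reconstruct, so consider taking the namespace lock before the open, or add a comment saying why the reversed order is safe in `ctl_cyrusdb -r`. Second, the "mbentry exists but the mailbox could not be opened" case is logged only at `LOG_DEBUG` before `goto skip_uniqueid`, and the `XXX` comment admits nobody knows what that state means; for a repair step whose whole purpose is to guarantee a uniqueid on every local mailbox before the 3.6 upgrade, that path deserves at least `LOG_WARNING` so the administrator learns that a mailbox was skipped. Also note the patch header lists seven upstream commits under `Origin:` but no `Applied-Upstream:` version, although the [ Risks ] text says this is exactly the 3.2.9 to 3.2.10 delta; recording `3.2.10` there would let the next maintainer verify that claim.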