[Pkg-javascript-devel] Bug#1059926: marked as done (node-follow-redirects: CVE-2023-26159)
Your message dated Mon, 18 Mar 2024 04:20:36 + with message-id and subject line
Bug#1059926: fixed in node-follow-redirects 1.15.6+~1.14.4-1
has caused the Debian Bug report #1059926,
regarding node-follow-redirects: CVE-2023-26159
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1059926: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059926
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: node-follow-redirects
Version: 1.15.3+~1.14.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/follow-redirects/follow-redirects/issues/235
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for node-follow-redirects.

CVE-2023-26159[0]:
| Versions of the package follow-redirects before 1.15.4 are
| vulnerable to Improper Input Validation due to the improper handling
| of URLs by the url.parse() function. When new URL() throws an error,
| it can be manipulated to misinterpret the hostname. An attacker
| could exploit this weakness to redirect traffic to a malicious site,
| potentially leading to information disclosure, phishing attacks, or
| other security breaches.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-26159
    https://www.cve.org/CVERecord?id=CVE-2023-26159
[1] https://github.com/follow-redirects/follow-redirects/issues/235

Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: node-follow-redirects
Source-Version: 1.15.6+~1.14.4-1
Done: Yadd

We believe that the bug you reported is fixed in the latest version of
node-follow-redirects, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd (supplier of updated node-follow-redirects package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 17 Mar 2024 07:25:36 +0400
Source: node-follow-redirects
Architecture: source
Version: 1.15.6+~1.14.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers
Changed-By: Yadd
Closes: 1059926 1066971
Changes:
 node-follow-redirects (1.15.6+~1.14.4-1) unstable; urgency=medium
 .
 * Team upload
 * Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse,
   Security-Contact
 * New upstream version (Closes: #1059926, #1066971)
 * Unfuzz patches
--- End Message ---
[Pkg-javascript-devel] Bug#1066971: marked as done (node-follow-redirects: CVE-2024-28849)
Your message dated Mon, 18 Mar 2024 04:20:36 + with message-id and subject line
Bug#1066971: fixed in node-follow-redirects 1.15.6+~1.14.4-1
has caused the Debian Bug report #1066971,
regarding node-follow-redirects: CVE-2024-28849
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1066971: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1066971
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: node-follow-redirects
Version: 1.15.3+~1.14.2-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/psf/requests/issues/1885
X-Debbugs-Cc: car...@debian.org, Debian Security Team

Hi,

The following vulnerability was published for node-follow-redirects.

CVE-2024-28849[0]:
| follow-redirects is an open source, drop-in replacement for Node's
| `http` and `https` modules that automatically follows redirects. In
| affected versions follow-redirects only clears the authorization header
| during a cross-domain redirect, but keeps the proxy-authentication
| header, which contains credentials too. This vulnerability may lead
| to a credentials leak, but has been addressed in version 1.15.6. Users
| are advised to upgrade. There are no known workarounds for this
| vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-28849
    https://www.cve.org/CVERecord?id=CVE-2024-28849
[1] https://github.com/psf/requests/issues/1885
[2] https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-cxjh-pqwp-8mfp
[3] https://github.com/follow-redirects/follow-redirects/commit/c4f847f85176991f95ab9c88af63b1294de8649b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: node-follow-redirects
Source-Version: 1.15.6+~1.14.4-1
Done: Yadd

We believe that the bug you reported is fixed in the latest version of
node-follow-redirects, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1066...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd (supplier of updated node-follow-redirects package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
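The two weaknesses quoted in these reports map to two client-side decisions a redirect follower has to make for every 3xx response. The JavaScript below is an added example, not follow-redirects' own code: it resolves a Location header with the WHATWG URL parser only (refusing to follow when parsing fails, instead of falling back to url.parse()) and strips Authorization, Proxy-Authorization and Cookie whenever the redirect leaves the current host. The strict same-host rule, the header list and the sample request are this example's assumptions, not the library's policy.

```javascript
// Added example (not follow-redirects' own code) covering both CVEs on this page:
//  - CVE-2023-26159: parse Location with the WHATWG URL parser only; if it
//    throws, stop following rather than retrying with lenient url.parse().
//  - CVE-2024-28849: on a host change, drop every credential-bearing header,
//    Proxy-Authorization included, not just Authorization.
// Assumption of this example: the header list and strict host comparison below.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];

// Resolve Location against the current request URL. Returns null when the
// value cannot be parsed or is not http(s); the caller must then stop.
function resolveRedirect(currentUrl, location) {
  try {
    const next = new URL(location, currentUrl);
    if (next.protocol !== 'http:' && next.protocol !== 'https:') return null;
    return next;
  } catch (err) {
    return null; // deliberately no fallback to the legacy url.parse()
  }
}

// Build the header set for the redirected request. Credential headers are
// removed whenever the host (hostname:port) differs from the current one.
function headersForRedirect(currentUrl, nextUrl, headers) {
  const crossHost = new URL(currentUrl).host !== nextUrl.host;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossHost && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// One decision per 3xx response: either a safe next request or a refusal.
function planRedirect(currentUrl, location, headers) {
  const next = resolveRedirect(currentUrl, location);
  if (next === null) {
    return { follow: false, reason: 'unparseable or non-http(s) Location' };
  }
  return { follow: true, url: next.href, headers: headersForRedirect(currentUrl, next, headers) };
}

// Constructed sample request that carried both kinds of credentials.
const sampleHeaders = {
  Authorization: 'Bearer placeholder-token',
  'Proxy-Authorization': 'Basic placeholder-proxy-credentials',
  Accept: 'application/json',
};
```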
[Pkg-javascript-devel] node-follow-redirects_1.15.6+~1.14.4-1_sourceonly.changes ACCEPTED into unstable
Thank you for your contribution to Debian.

--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
[Pkg-javascript-devel] Processing of node-follow-redirects_1.15.6+~1.14.4-1_sourceonly.changes
node-follow-redirects_1.15.6+~1.14.4-1_sourceonly.changes uploaded successfully to localhost
along with the files:
  node-follow-redirects_1.15.6+~1.14.4-1.dsc
  node-follow-redirects_1.15.6+~1.14.4.orig-types-follow-redirects.tar.gz
  node-follow-redirects_1.15.6+~1.14.4.orig.tar.gz
  node-follow-redirects_1.15.6+~1.14.4-1.debian.tar.xz

Greetings,

Your Debian queue daemon (running on host usper.debian.org)