Bug#928626: unblock: node-axios/0.17.1+dfsg-2


Xavier Guimard-3
Package: release.debian.org
Severity: normal
User: [hidden email]
Usertags: unblock

Please unblock package node-axios

Hi all,

node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very
simple:
  --- a/lib/adapters/http.js
  +++ b/lib/adapters/http.js
  @@ -172,6 +172,7 @@
 
             // make sure the content length is not over the maxContentLength if specified
             if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) {
  +           stream.destroy();
               reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
                 config, null, lastRequest));
             }
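Review bot: the hunk calls `stream.destroy()` on a `stream` whose binding is outside the shown context; worth confirming there that it is the response stream (or, if it is a decompression transform piped from the response, that its destruction actually stops the upstream response from being consumed rather than just the transform). The placement itself is right: `stream.destroy()` runs before `reject(...)`, so the handler stops accumulating, and `destroy()` with no error argument does not fire the 'error' path, so the promise is rejected once. A smaller point outside the CVE fix: `Buffer.concat(responseBuffer).length` re-concatenates the whole body on every chunk; a running byte counter would give the same check in O(1) per chunk.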

Full changes:
  * Declare compliance with policy 4.3.0
  * Add upstream/metadata
  * Add patch to destroy stream on exceeding maxContentLength
    (Closes: #928624, CVE-2019-10742)
  * Fix debian/copyright format URL

node-axios has no reverse dependencies.

I think it is low risk to upgrade node-axios in Buster.

Cheers,
Xavier

unblock node-axios/0.17.1+dfsg-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
