Bug#930374: stretch-pu: package node-url-parse/1.0.5-2+deb9u1


Xavier Guimard-3
Package: release.debian.org
Severity: normal
Tags: stretch
User: [hidden email]
Usertags: pu

Hi all,

node-url-parse does not correctly parse hostnames, which leads to multiple
vulnerabilities such as SSRF, open redirect, authentication protocol
bypass, ... (#906058, CVE-2018-3774)

I imported the upstream patch as debian/patches/CVE-2018-3774.patch. This is
the only change affecting installed files. Since this package didn't
run the upstream tests, I also added some build dependencies, installed
some small required test dependencies in debian/tests/test_modules, and
of course modified debian/rules.

If you prefer to have only the security change without the tests, I can
just use this commit with a debian/changelog entry:
https://salsa.debian.org/js-team/node-url-parse/commit/e4204c37

Cheers,
Xavier

-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Attachment: node-url-parse_1.0.5-2+deb9u1.debdiff (239K)
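The report above is about a library whose idea of the hostname differed from the one the rest of the stack connects to, which is what turns a parsing bug into SSRF or an open redirect. The following is an added example, not part of Xavier's report and not code from node-url-parse or Debian: an outbound-URL allowlist check that parses with Node's built-in WHATWG URL class (the same parser the Node HTTP client uses), rejects non-HTTP schemes and embedded credentials, and only then compares the hostname. The allowlist entries and the sample URLs are constructed for the example; the only assumption is a Node release with the global URL class (Node 10 or later).

```javascript
// Added example: allowlist check for URLs a server fetches on behalf of a
// client. It uses the global WHATWG URL parser so that the host being
// validated is exactly the host the HTTP client would connect to.
// (Not from the bug report or from node-url-parse.)

// Constructed allowlist for the example.
const ALLOWED_HOSTS = new Set(['api.example.com', 'cdn.example.com']);

function isAllowedOutboundUrl(input, allowed = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(input); // throws on relative or unparsable input
  } catch (e) {
    return false;
  }
  // Only plain web schemes; rules out file:, gopher:, ftp: and friends.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  // Reject userinfo: "user@host" is exactly where lenient parsers tend to
  // disagree about which part is the host, so refuse it outright.
  if (url.username !== '' || url.password !== '') return false;
  // WHATWG already lowercases the hostname and strips the port.
  return allowed.has(url.hostname);
}

// Runs the check over a few constructed inputs and returns the decisions,
// so the behaviour can be inspected without reading console output.
function demo() {
  const samples = [
    'https://api.example.com/v1/items',
    'https://API.example.com:8443/v1/items',
    'http://evil.example.net/',
    'https://api.example.com@evil.example.net/',
    'ftp://api.example.com/',
    '//api.example.com/x',
    'not a url',
  ];
  const out = {};
  for (const s of samples) out[s] = isAllowedOutboundUrl(s);
  return out;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The point of the example is not the allowlist itself but where the check sits: validating with one parser and fetching with another is what lets a hostname-parsing bug like the one in the report become reachable, so the check and the client must agree on a single parser.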