Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-redis is vulnerable to ReDoS (CVE-2021-29469)

[ Impact ]
Medium risk

[ Tests ]
No

[ Risks ]
No risk, node-redis has no reverse dependencies and patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex update

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index e865de4..5994010 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-redis (2.8.0-1+deb10u1) unstable; urgency=medium + + * Fix potential ReDoS (Closes: CVE-2021-29469) + + -- Yadd <y...@debian.org> Sun, 25 Apr 2021 14:09:33 +0200 + node-redis (2.8.0-1) unstable; urgency=medium * Add components in gbp.conf and debian/watch (used for test only): diff --git a/debian/patches/CVE-2021-29469.patch b/debian/patches/CVE-2021-29469.patch new file mode 100644 index 0000000..d074802 --- /dev/null +++ b/debian/patches/CVE-2021-29469.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Leibale Eidelman <leibale1...@gmail.com> +Origin: upstream, https://github.com/NodeRedis/node-redis/commit/2d11b6dc +Bug: https://github.com/NodeRedis/node-redis/issues/1569 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-04-25 + +--- a/lib/utils.js ++++ b/lib/utils.js +@@ -127,7 +127,7 @@ + reply_to_object: replyToObject, + print: print, + err_code: /^([A-Z]+)\s+(.+)$/, +- monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/, ++ monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/, + clone: convenienceClone, + callback_or_emit: callbackOrEmit, + reply_in_order: replyInOrder diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 0000000..1d28461 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-29469.patch
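Review bot: the new debian/changelog entry targets `unstable`, but the version `2.8.0-1+deb10u1` and the `Tags: buster` / `Usertags: pu` header mark this as a buster proposed-update, so the distribution field should read `buster` or the upload will not land in the stable queue. In the same stanza, `Closes:` expects a Debian bug number rather than a CVE id; write `* Fix potential ReDoS (CVE-2021-29469)` and, if a BTS bug exists for it, put that number in `Closes:`.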
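Review bot: the replacement `monitor_regex` in lib/utils.js removes the exponential case but widens what counts as a MONITOR line: `\].*"$` accepts any text after the client bracket as long as the line ends in a double quote, whereas the old `( ".+?")+$` required one or more space-separated quoted arguments. That is acceptable if the callers use the expression only to recognise MONITOR output and split the arguments elsewhere, which this diff does not show; a sentence on that in the patch Description would help the next maintainer. The retained `\[[0-9]+ .+\]` followed by `.*` still backtracks once per `]` in the line (quadratic, not exponential); `\[[0-9]+ [^\]]+\]` keeps it linear, since the client field (`127.0.0.1:1234`, `lua`, a socket path) does not normally contain `]`.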
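Added example, not part of the bug report or of node-redis itself: JavaScript that puts the pre-patch and post-patch `monitor_regex` from the hunk above side by side. The sample MONITOR lines and the hostile input are constructed here; the function names and the timing helper are this example's own, and the timings are only indicative.

```javascript
// Added example (not node-redis code): the pre- and post-patch monitor_regex
// from lib/utils.js, compared on sample MONITOR lines and on a constructed
// input that drives the old pattern into exponential backtracking.
const OLD_MONITOR_REGEX = /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/;
const NEW_MONITOR_REGEX = /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/;

// Constructed sample lines in the shape the Redis MONITOR command prints:
// <epoch>.<usec> [<db> <client>] "<arg>" "<arg>" ...
const SAMPLE_LINES = [
  '1619352573.123456 [0 127.0.0.1:60866] "keys" "*"',
  '1619352573.123457 [0 lua] "get" "user:1"',
];

// Constructed input that is almost a MONITOR line: n quoted arguments and a
// final character that stops "$" from matching. The old pattern's ( ".+?")+
// can pair each opening quote with any later closing quote, so it tries on
// the order of 2^n ways to split the arguments before giving up; the new
// pattern's .* only backtracks linearly over the same text.
function hostileLine(n) {
  return '1619352573.123458 [0 127.0.0.1:1]' + ' "a"'.repeat(n) + '!';
}

// Run one test() and report whether it matched and how long it took.
function timedTest(re, input) {
  const start = process.hrtime.bigint();
  const matched = re.test(input);
  const ms = Number(process.hrtime.bigint() - start) / 1e6;
  return { matched, ms };
}

// What node-redis does after the fix: classify a line with the patched regex.
function isMonitorLine(line) {
  return NEW_MONITOR_REGEX.test(line);
}

// Both patterns reject the hostile line; only the work done differs.
function compare(n) {
  return {
    oldResult: timedTest(OLD_MONITOR_REGEX, hostileLine(n)),
    newResult: timedTest(NEW_MONITOR_REGEX, hostileLine(n)),
  };
}

for (const line of SAMPLE_LINES) {
  console.log(`old=${OLD_MONITOR_REGEX.test(line)} new=${isMonitorLine(line)}  ${line}`);
}
// Each extra argument roughly doubles the old pattern's time.
for (const n of [10, 12, 14, 16]) {
  const { oldResult, newResult } = compare(n);
  console.log(`n=${n}: old ${oldResult.ms.toFixed(2)} ms, new ${newResult.ms.toFixed(3)} ms`);
}
```

Note the widening the patch introduces: a line such as `1619352573.1 [0 lua] x"` is rejected by the old pattern (no ` "` after the bracket) but accepted by the new one, because `.*"$` only asks that the line end in a double quote.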