Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
node-axios is vulnerable to a Regex Denial of Service

[ Impact ]
Little vulnerability

[ Tests ]
Test passed

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex update

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 17d3b55..5db1f2c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-axios (0.21.1+dfsg-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-3749) + + -- Yadd <y...@debian.org> Sun, 05 Sep 2021 08:28:15 +0200 + node-axios (0.21.1+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3749.patch b/debian/patches/CVE-2021-3749.patch new file mode 100644 index 0000000..1c99a9b --- /dev/null +++ b/debian/patches/CVE-2021-3749.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: ready-research <72916209+ready-resea...@users.noreply.github.com> +Origin: upstream, https://github.com/axios/axios/commit/eef56014 +Bug: https://github.com/axios/axios/pull/3980 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2021-09-05 + +--- a/lib/utils.js ++++ b/lib/utils.js +@@ -187,7 +187,7 @@ + * @returns {String} The String freed of excess whitespace + */ + function trim(str) { +- return str.replace(/^\s*/, '').replace(/\s*$/, ''); ++ return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, ''); + } + + /** diff --git a/debian/patches/series b/debian/patches/series index 7133bc2..84cf811 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ use-webpack3.patch use-webpack4.patch fix-bootstrap-path.diff adapt-example.diff +CVE-2021-3749.patch
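Review bot: in the debian/changelog hunk, `Fix ReDoS (Closes: CVE-2021-3749)` will not close anything, because the `Closes:` keyword is parsed for Debian bug numbers (`#NNNNNN`), not CVE ids; write the entry as `* Fix ReDoS in trim() (CVE-2021-3749)` and, if a BTS bug was filed for this issue, add `(Closes: #NNNNNN)` with its number.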
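Review bot: in the debian/patches/CVE-2021-3749.patch hunk, the fallback branch `str.replace(/^\s+|\s+$/g, '')` keeps a right-anchored `\s+$` pattern, which backtracks quadratically on the same input shape (a long run of whitespace followed by a non-whitespace character) that made the old `\s*$` a ReDoS, so the fallback does not itself fix CVE-2021-3749. It is only reached when `String.prototype.trim` is absent, which no Node.js release lacks, so either drop the fallback or note in the patch's Description that the regex path is unreachable on supported runtimes and the fix relies on `str.trim()`.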