Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor

[ Impact ]
Medium vulnerability

[ Tests ]
Test passed, no new test

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Drop Cookie header

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog index 5bfcaa7..63c3770 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-follow-redirects (1.13.1-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Drop Cookie header across domains (Closes: CVE-2022-0155) + + -- Yadd <y...@debian.org> Tue, 11 Jan 2022 12:11:11 +0100 + node-follow-redirects (1.13.1-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0155.patch b/debian/patches/CVE-2022-0155.patch new file mode 100644 index 0000000..0e8419f --- /dev/null +++ b/debian/patches/CVE-2022-0155.patch @@ -0,0 +1,22 @@ +Description: Drop Cookie header across domains. +Author: Ruben Verborgh <ru...@verborgh.org> +Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/8b347cbc +Bug: https://github.com/follow-redirects/follow-redirects/issues/183 +Forwarded: not-needed +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2022-01-11 + +--- a/index.js ++++ b/index.js +@@ -345,9 +345,9 @@ + var redirectUrlParts = url.parse(redirectUrl); + Object.assign(this._options, redirectUrlParts); + +- // Drop the Authorization header if redirecting to another host ++ // Drop the confidential headers when redirecting to another domain + if (redirectUrlParts.hostname !== previousHostName) { +- removeMatchingHeaders(/^authorization$/i, this._options.headers); ++ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); + } + + // Evaluate the beforeRedirect callback diff --git a/debian/patches/series b/debian/patches/series index a22cf9d..b90eb05 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fix-test.patch +CVE-2022-0155.patch
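Review bot: in the debian/changelog hunk, `* Drop Cookie header across domains (Closes: CVE-2022-0155)` puts a CVE identifier after the Closes: keyword, which dpkg's changelog parser only recognizes in the form `Closes: #NNNNNN` (a Debian bug number); as written nothing is closed and the entry reads as a malformed bug closure. Write the CVE plainly, e.g. `* Drop Cookie header across domains (CVE-2022-0155)`, and add a `Closes: #NNNNNN` reference only if a Debian bug exists for this issue.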
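Review bot: in the index.js hunk of debian/patches/CVE-2022-0155.patch, the new comment says "when redirecting to another domain" but the condition it guards, `if (redirectUrlParts.hostname !== previousHostName) {`, is an exact hostname comparison and compares nothing else: a redirect from api.example.com to www.example.com drops both headers, while a redirect from https:// to http:// on the same host keeps Cookie and Authorization because the scheme is never checked. Either reword the comment to "another host" so it matches the code, or extend the condition to also strip the headers when the protocol changes from https to http.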
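The cross-host header filtering that the patch above changes, modelled as an added example written for this page; it is not follow-redirects' own code. removeMatchingHeaders is a stand-in for the helper index.js calls, and the names headersAfterRedirect, demo, CONFIDENTIAL_BEFORE, CONFIDENTIAL_AFTER, the sample headers and the URLs are assumptions constructed for the demonstration. It shows the Cookie leak before the patch, the fix after it, and the same-host scheme-downgrade case the hostname-only check does not cover.

```javascript
// Added example, not follow-redirects' own code: a minimal model of the
// cross-host header filtering that debian/patches/CVE-2022-0155.patch changes.
// All names except removeMatchingHeaders are assumptions made for this page.

// Remove every header whose name matches `regex` (same role as the helper
// the patched index.js calls).
function removeMatchingHeaders(regex, headers) {
  for (const name of Object.keys(headers)) {
    if (regex.test(name)) {
      delete headers[name];
    }
  }
  return headers;
}

// The two header patterns from the hunk: before and after the patch.
const CONFIDENTIAL_BEFORE = /^authorization$/i;
const CONFIDENTIAL_AFTER = /^(?:authorization|cookie)$/i;

// Headers that would be sent to `redirectUrl` after following a redirect
// from `previousUrl`, using the same hostname-only comparison as index.js
// (scheme and port are deliberately ignored, as in the patched code).
function headersAfterRedirect(previousUrl, redirectUrl, headers, confidential) {
  const out = { ...headers };
  const previousHostName = new URL(previousUrl).hostname;
  const redirectHostName = new URL(redirectUrl).hostname;
  if (redirectHostName !== previousHostName) {
    removeMatchingHeaders(confidential, out);
  }
  return out;
}

// Constructed request headers for the demonstration (not real credentials).
const SAMPLE_HEADERS = {
  Accept: "application/json",
  Authorization: "Bearer example-token",
  Cookie: "session=example-session",
};

// Names of the sensitive headers still present in `headers`, sorted.
function sensitiveHeadersLeft(headers) {
  return Object.keys(headers)
    .filter((n) => /^(?:authorization|cookie)$/i.test(n))
    .sort();
}

// Runs the scenarios a reviewer would check and reports which sensitive
// headers survive each one.
function demo() {
  const from = "https://api.example.com/login";              // assumed origin
  const crossHost = "https://evil.example.net/collect";      // assumed attacker host
  const sameHostDowngrade = "http://api.example.com/collect"; // scheme change only

  return {
    // Before the patch a cross-host redirect still carries the Cookie header.
    beforeCrossHost: sensitiveHeadersLeft(
      headersAfterRedirect(from, crossHost, SAMPLE_HEADERS, CONFIDENTIAL_BEFORE)),
    // After the patch both Authorization and Cookie are dropped.
    afterCrossHost: sensitiveHeadersLeft(
      headersAfterRedirect(from, crossHost, SAMPLE_HEADERS, CONFIDENTIAL_AFTER)),
    // The check compares hostnames only, so an https -> http redirect to the
    // same host still forwards both headers even with the patch applied.
    afterSameHostDowngrade: sensitiveHeadersLeft(
      headersAfterRedirect(from, sameHostDowngrade, SAMPLE_HEADERS, CONFIDENTIAL_AFTER)),
  };
}

console.log(demo());
```

Running it prints `{ beforeCrossHost: [ 'Cookie' ], afterCrossHost: [], afterSameHostDowngrade: [ 'Authorization', 'Cookie' ] }`: the patch closes the cross-host leak, and the third entry is the scheme-downgrade case that a hostname-only comparison leaves open.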