Hi,

On Thu, Jan 30, 2025 at 06:55:08PM +0100, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> X-Debbugs-Cc: node-ax...@packages.debian.org
> Control: affects -1 + src:node-axios
> User: release.debian....@packages.debian.org
> Usertags: pu
>
> [ Reason ]
> In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
> URL object when determining an origin, and has a potentially
> unwanted setAttribute('href',href) call.
>
> [ Impact ]
> Potential security issue
>
> [ Tests ]
> No regression, autopkgtest passed
>
> [ Risks ]
> Low risk, it replaces a specific library by the node URL API
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Replace a specific library by the node URL API
>
> Cheers,
> Xavier
> diff --git a/debian/changelog b/debian/changelog > index ad1d642..5c966ce 100644 > --- a/debian/changelog > +++ b/debian/changelog > @@ -1,3 +1,11 @@ > +node-axios (1.2.1+dfsg-1+deb12u2) bookworm; urgency=medium > + > + * Team upload > + * Fix potential vulnerability in URL when determining an origin > + (Closes: #1094731, CVE-2024-57965) > + > + -- Yadd <y...@debian.org> Thu, 30 Jan 2025 18:52:13 +0100

Do you know what happened to the 1.2.1+dfsg-1+deb12u1 version? According to the git commit this was aimed to fix CVE-2023-45857 via a point release as well but never got uploaded?

Regards,
Salvatore
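Review bot: the quoted debdiff contains only the debian/changelog hunk; the code change announced under [Changes] (replacing a specific library in lib/helpers/isURLSameOrigin.js with the node URL API) is not part of what is quoted here, so the actual fix for CVE-2024-57965 cannot be reviewed from this message and the full debdiff should be attached. The changelog line `* Fix potential vulnerability in URL when determining an origin` would also be clearer if it named the helper and the change, as the [Reason] section does, e.g. `* isURLSameOrigin: use the node URL API instead of a specific library to determine an origin`.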