Your message dated Sat, 12 Sep 2020 15:19:46 +0000
with message-id <e1kh7ja-0003oa...@fasolo.debian.org>
and subject line Bug#970173: fixed in node-fetch 2.6.1-1
has caused the Debian Bug report #970173,
regarding node-fetch: CVE-2020-15168
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
970173: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970173
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-fetch
Version: 1.7.3-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 1.7.3-1

Hi,

The following vulnerability was published for node-fetch.

CVE-2020-15168[0]:
| node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
| size option after following a redirect, which means that when a
| content size was over the limit, a FetchError would never get thrown
| and the process would end without failure. For most people, this fix
| will have little or no impact. However, if you are relying on
| node-fetch to gate files above a size, the impact could be significant,
| for example: If you don't double-check the size of the data after fetch()
| has completed, your JS thread could get tied up doing work on a large
| file (DoS) and/or cost you money in computing.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-15168
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
[1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r

Regards
Salvatore

--- End Message ---
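As an added example, not code from the bug report or from node-fetch itself, here is the caller-side guard the advisory recommends: re-checking the byte count after fetch() completes, independent of whether the library honoured its own `size` option across a redirect. The wrapper, the fake fetch and all function names are hypothetical, and the oversized body is constructed in-process so the code runs offline.

```javascript
// Thrown when a body passes the caller's cap, whether or not the HTTP
// library enforced its own `size` option across a redirect.
class SizeLimitError extends Error {
  constructor(limit, seen) {
    super(`body exceeded ${limit} bytes (saw ${seen})`);
    this.name = 'SizeLimitError';
    this.limit = limit;
    this.seen = seen;
  }
}

// Drain an async-iterable body (res.body from node-fetch is one) and stop
// as soon as the running byte count exceeds maxBytes, so an oversized
// redirected response is never fully buffered or handed on for processing.
async function readBodyWithLimit(body, maxBytes) {
  const chunks = [];
  let seen = 0;
  for await (const chunk of body) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    seen += buf.length;
    if (seen > maxBytes) throw new SizeLimitError(maxBytes, seen);
    chunks.push(buf);
  }
  return Buffer.concat(chunks);
}

// Hypothetical wrapper around any fetch-compatible function: pass `size`
// through for libraries that honour it, reject a declared Content-Length
// above the cap, and re-check the actual byte count while streaming.
async function fetchWithSizeGuard(fetchImpl, url, maxBytes, options = {}) {
  const res = await fetchImpl(url, { ...options, size: maxBytes });
  const declared = Number(res.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new SizeLimitError(maxBytes, declared);
  }
  return { status: res.status, data: await readBodyWithLimit(res.body, maxBytes) };
}

// Constructed stand-in for a fetch that followed a redirect and ignored
// `size`: it streams totalBytes of filler in 1 KiB chunks.
async function* fillerBody(totalBytes) {
  for (let left = totalBytes; left > 0; left -= 1024) {
    yield Buffer.alloc(Math.min(1024, left), 0x61);
  }
}
function fakeOversizedFetch(totalBytes, headers = new Map()) {
  return async () => ({ status: 200, headers, body: fillerBody(totalBytes) });
}
```

With a 4096-byte cap, a 3000-byte body is returned intact, while a 10000-byte body is rejected after the fifth chunk (5120 bytes read) instead of being buffered whole.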
--- Begin Message ---
Source: node-fetch
Source-Version: 2.6.1-1
Done: Nicolas Mora <babelou...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-fetch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 970...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas Mora <babelou...@debian.org> (supplier of updated node-fetch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 12 Sep 2020 10:51:05 -0400
Source: node-fetch
Architecture: source
Version: 2.6.1-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Nicolas Mora <babelou...@debian.org>
Closes: 970173
Changes:
 node-fetch (2.6.1-1) experimental; urgency=medium
 .
   * Team upload
   * New upstream version (Closes: #970173)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
