Your message dated Sun, 09 Jul 2023 09:47:07 +0000
with message-id <e1qir0v-009awy...@fasolo.debian.org>
and subject line Bug#1031418: fixed in node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
has caused the Debian Bug report #1031418,
regarding node-undici: CVE-2023-23936 CVE-2023-24807
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1031418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031418
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-undici
Version: 5.15.0+dfsg1+~cs20.10.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerabilities were published for node-undici.
CVE-2023-23936[0]:
| Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0
| and prior to version 5.19.1, the undici library does not protect
| `host` HTTP header from CRLF injection vulnerabilities. This issue is
| patched in Undici v5.19.1. As a workaround, sanitize the
| `headers.host` string before passing to undici.
CVE-2023-24807[1]:
| Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the
| `Headers.set()` and `Headers.append()` methods are vulnerable to
| Regular Expression Denial of Service (ReDoS) attacks when untrusted
| values are passed into the functions. This is due to the inefficient
| regular expression used to normalize the values in the
| `headerValueNormalize()` utility function. This vulnerability was
| patched in v5.19.1. No known workarounds are available.
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-23936
https://www.cve.org/CVERecord?id=CVE-2023-23936
[1] https://security-tracker.debian.org/tracker/CVE-2023-24807
https://www.cve.org/CVERecord?id=CVE-2023-24807
Regards,
Salvatore
--- End Message ---
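The two advisories quoted above describe input-handling bugs in header code: an unchecked `host` value that lets CR/LF reach the request line, and a header-value normalizer whose regular expression backtracks badly on hostile input. The following is an added example, not undici's code and not the Debian patch, showing the workaround named for CVE-2023-23936 (validate `headers.host` before handing it to the client) and a linear-time replacement for the normalize step that the Fetch specification defines as stripping leading and trailing HTTP whitespace (tab, LF, CR, space). `buildRequestHead`, `parsedHeaderNames`, `sanitizeHost`, `normalizeHeaderValue`, `HOST_RE` and the injected sample value are all constructed for this illustration; the serializer is a simplified stand-in for what an HTTP/1.1 client writes on the wire, and it is assumed only for the purpose of showing why the unchecked value is dangerous.

```javascript
// Added example (not undici's own code): guards for header values in the spirit of the
// CVE-2023-23936 workaround ("sanitize the headers.host string before passing to undici")
// and a regex-free normalize step, so no backtracking regex is on the hot path
// (CVE-2023-24807 was a ReDoS in a normalizer; this is an independent, linear-time version).

// host = uri-host [ ":" port ] (RFC 9110). Accepts DNS names, dotted IPv4 and bracketed IPv6.
// Label length is bounded to 63 and the overall length is checked BEFORE the regex runs,
// so the regex never sees more than 255 characters.
const HOST_RE =
  /^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*\.?)(?::\d{1,5})?$/;

function sanitizeHost(host) {
  if (typeof host !== 'string') throw new TypeError('host must be a string');
  // Reject CR, LF and NUL explicitly first so a log line says exactly why the value failed.
  if (/[\r\n\0]/.test(host)) throw new Error('host header contains CR/LF/NUL');
  if (host.length === 0 || host.length > 255) throw new Error('host header length out of range');
  if (!HOST_RE.test(host)) throw new Error('host header is not a valid host[:port]');
  return host;
}

// Linear-time equivalent of the Fetch spec's header value normalization:
// strip leading and trailing HTTP whitespace (0x09, 0x0A, 0x0D, 0x20). No regex, no backtracking.
function isHttpWhitespace(code) {
  return code === 0x09 || code === 0x0a || code === 0x0d || code === 0x20;
}

function normalizeHeaderValue(value) {
  let start = 0;
  let end = value.length;
  while (start < end && isHttpWhitespace(value.charCodeAt(start))) start++;
  while (end > start && isHttpWhitespace(value.charCodeAt(end - 1))) end--;
  return value.slice(start, end);
}

// Hypothetical, simplified HTTP/1.1 request-head serializer: request line, then one
// "name: value" line per header, then the empty line that ends the head.
function buildRequestHead(method, path, headers) {
  let head = `${method} ${path} HTTP/1.1\r\n`;
  for (const [name, value] of Object.entries(headers)) {
    head += `${name}: ${value}\r\n`;
  }
  return head + '\r\n';
}

// What a server-side parser would see as header names in that head (lower-cased).
function parsedHeaderNames(head) {
  return head
    .split('\r\n')
    .slice(1) // drop the request line
    .filter(Boolean) // drop the terminating empty line(s)
    .map((line) => line.slice(0, line.indexOf(':')).toLowerCase());
}

// Constructed attacker-controlled value: a legitimate host followed by an injected header.
const INJECTED_HOST = 'example.com\r\nX-Injected: 1';

function demo() {
  // Without the guard the injected line becomes a second header on the wire.
  const unsafeHead = buildRequestHead('GET', '/', { host: INJECTED_HOST });
  const unsafeNames = parsedHeaderNames(unsafeHead); // ['host', 'x-injected']

  // With the guard the same value is refused before any bytes are built.
  let rejected = false;
  try {
    sanitizeHost(INJECTED_HOST);
  } catch {
    rejected = true;
  }

  const safeHead = buildRequestHead('GET', '/', { host: sanitizeHost('example.com:8443') });
  return { unsafeNames, rejected, safeNames: parsedHeaderNames(safeHead) };
}
```

The order of checks in `sanitizeHost` is deliberate: the CR/LF test and the length bound run before the structural regex, so a value that is both oversized and malformed is rejected on a constant-time path and the regex only ever sees short input. `normalizeHeaderValue` does the same job a regex trim would, but with two index scans, which is the cheapest way to take the backtracking class of bug off the table for untrusted header values.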
--- Begin Message ---
Source: node-undici
Source-Version: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1031...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-undici package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 31 May 2023 15:52:45 +0400
Source: node-undici
Architecture: source
Version: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1031418
Changes:
node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium
.
* Fix security issues (Closes: #1031418):
- Protect "Host" HTTP header from CRLF injection (Closes: CVE-2023-23936)
- Fix potential ReDoS on Headers.set and Headers.append (Closes: CVE-2023-24807)
* Increase httpbin.org test timeout
Checksums-Sha1:
f63b6c8a5c594a7521861f4b16125bca7f9c0998 4248
node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1.dsc
bfa4f8cb06a9587e3c04c775419aeb6a013321ed 31384
node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1.debian.tar.xz
Checksums-Sha256:
2299cda40966a779ada72a8148a4efff942296d8abed1d31f8c157a4903f8d12 4248
node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1.dsc
6a0dbca4b3d4a3d059c34dfbe93f9b4359f249f45eb0ef9e66275dae61dd3e14 31384
node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1.debian.tar.xz
Files:
2765c38f352494537f1861c7edfe2521 4248 javascript optional
node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1.dsc
6cb8f4ce37c2f817e935c100db959a2b 31384 javascript optional
node-undici_5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmSqZicACgkQ9tdMp8mZ
7un5WhAAm5gZQ8e9Ax+6RL+oVbk1WUE7BvOqa2LjILAguxs0PR/d60CzENTAR04z
CoAoRaX1XAzZgWXvXSH5c5lEyruIg7ibOW0Kg06pwGWoJLwWc6vqpDBai7nMpUEy
Gsm8r/v3waGVYXOQowIDQhUu2vQwZ7a8gVIFF12CNxhNM1C+g26WrsuHsIbXKGSE
/WyA7rkMQKSnUw06H7Lcba1z+kc0jn/7H3M+z1zVSvks2FHeYb5iTJhhytkaAy0J
7JSnLZmZo1/YCwJxJoDZCqkp1Hn4R3ZZfWWY0azG/MQTGBtlVHpZbTmsZmLNRHUZ
OqSYRqvNHpRnUwCg+il734F6GLlQXVjq654H2Y8Lgr77CS+3WUEy2xtW0MiamjFP
p7tnQ3wcqpqSsIOI3sL7xmmMI1Vxasp4NPe+QeyuVmykmO/s0j3NsIvWEen0WHEy
qLAzSguge1fEJ+pEZN0T3UFDgnvtsoEDYnDx92rbwFXdkekV9rGRTj80tndUlUgo
J8xse+YjgwTrnP1ooNfk2A3dDkJ40LKGYykjrCOT3Vg6Z9sgLd+DlR/CGPBmbR+r
JaZBdmhRHAN3sIk9t4RvfTa6zl3AVJ1LnEoHlB4As6plLQpFvkGtNZolvgWoxBlL
NCBEpYf9yWIUr9dS9mOZq5i+Xlm+CicApBI6qvIfWz7RfYr5YPo=
=yhSP
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel