Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: node-und...@packages.debian.org
Control: affects -1 + src:node-undici
[ Reason ]
node-undici doesn't clear Cookie and Host headers on cross-origin redirect.

[ Impact ]
Medium security issue

[ Tests ]
No new test here

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Drop headers Host/Cookie unless same-origin

Cheers,
Yadd
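The redirect header stripping this request backports, as an added example that is not undici's or Debian's code: a stand-alone JavaScript model of the cross-origin redirect step, with the pre-fix strip list beside the fixed one. The Map-based header list, the `sameOrigin` helper and the sample request are constructed here.

```javascript
// Added example, not undici's code. Models the redirect step patched for
// CVE-2023-45143: on a cross-origin redirect, credential-bearing headers must
// not be forwarded to the new origin. A Map keyed by lower-cased header name
// stands in for undici's HeadersList (assumption for this example).

// Same origin as the Fetch spec defines it: scheme, host and port all match.
// WHATWG URL drops default ports, so https://a:443 and https://a compare equal.
function sameOrigin(a, b) {
  const u = new URL(a);
  const v = new URL(b);
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}

// Before the fix only 'authorization' was dropped on a cross-origin redirect;
// the fix adds 'cookie' and 'host', which are forbidden request headers that
// undici does not otherwise enforce.
const STRIP_BEFORE_FIX = ['authorization'];
const STRIP_AFTER_FIX = ['authorization', 'cookie', 'host'];

// Returns the header map the redirected request should carry.
// Header names are compared case-insensitively, as HTTP requires.
function headersForRedirect(headers, currentURL, locationURL, stripList) {
  const out = new Map();
  const crossOrigin = !sameOrigin(currentURL, locationURL);
  for (const [name, value] of headers) {
    const key = name.toLowerCase();
    if (crossOrigin && stripList.includes(key)) continue; // drop on cross-origin only
    out.set(key, value);
  }
  return out;
}

// Constructed sample: a logged-in request that gets redirected off-origin.
const sample = new Map([
  ['Host', 'app.example'],
  ['Cookie', 'session=abc123'],
  ['Authorization', 'Bearer token'],
  ['Accept', 'application/json'],
]);
const from = 'https://app.example/login';
const to = 'https://other.example/collect';

const vulnerable = headersForRedirect(sample, from, to, STRIP_BEFORE_FIX);
const fixed = headersForRedirect(sample, from, to, STRIP_AFTER_FIX);
console.log('pre-fix forwards cookie:', vulnerable.has('cookie'));   // true
console.log('fixed forwards cookie:', fixed.has('cookie'));          // false
console.log('fixed forwards host:', fixed.has('host'));              // false
```

A same-origin redirect (same scheme, host and port) keeps all headers in both variants; only the cross-origin branch differs.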
diff --git a/debian/changelog b/debian/changelog index 92c0de8..168ee34 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2) bookworm; urgency=medium + + * Delete cookie and host headers on cross-origin redirect + (Closes: #1053879, CVE-2023-45143) + + -- Yadd <y...@debian.org> Fri, 13 Oct 2023 22:14:45 +0400 + node-undici (5.15.0+dfsg1+~cs20.10.9.3-1+deb12u1) bookworm; urgency=medium * Fix security issues (Closes: #1031418): diff --git a/debian/patches/CVE-2023-45143.patch b/debian/patches/CVE-2023-45143.patch new file mode 100644 index 0000000..c196bd2 --- /dev/null +++ b/debian/patches/CVE-2023-45143.patch @@ -0,0 +1,24 @@ +Description: delete 'cookie' and 'host' headers on cross-origin redirect +Author: Khafra <maitken033380...@gmail.com> +Origin: upstream, https://github.com/nodejs/undici/commit/e041de35 +Bug: https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g + https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp +Bug-Debian: https://bugs.debian.org/1053879 +Forwarded: not-needed +Applied-Upstream: 5.26.2, commit:e041de35 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2023-10-13 + +--- a/lib/fetch/index.js ++++ b/lib/fetch/index.js +@@ -1204,6 +1204,10 @@ + if (!sameOrigin(requestCurrentURL(request), locationURL)) { + // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name + request.headersList.delete('authorization') ++ ++ // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement. ++ request.headersList.delete('cookie') ++ request.headersList.delete('host') + } + + // 14. If request’s body is non-null, then set request’s body to the first return diff --git a/debian/patches/series b/debian/patches/series index ce1440a..297000a 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -8,3 +8,4 @@ drop-ssl-tests.patch CVE-2023-23936.patch CVE-2023-24807.patch update-httpbin.org-test-timeout.patch +CVE-2023-45143.patch
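Review bot: The lib/fetch/index.js hunk in CVE-2023-45143.patch ships without a regression test, and the request body confirms "No new test here"; a test that a cross-origin redirect drops `cookie` and `host` while a same-origin redirect keeps them would let the bookworm build verify the backport rather than relying on the patch applying. The two new `request.headersList.delete(...)` calls are correctly placed inside the existing `if (!sameOrigin(requestCurrentURL(request), locationURL))` branch and use lower-case names, matching the neighbouring `delete('authorization')` call.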
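Review bot: The series hunk appends CVE-2023-45143.patch after update-httpbin.org-test-timeout.patch, which preserves the existing order, but the hunk header `@@ -1204,6 +1204,10 @@` comes from the upstream 5.26.2 commit while the package is 5.15.0 and CVE-2023-23936.patch and CVE-2023-24807.patch are applied first; confirm with `quilt push -a` that the new patch applies to the patched tree without fuzz before upload.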
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel