Your message dated Sun, 7 Apr 2024 07:16:44 +0200
with message-id <zhispg_jq9f8j...@eldamar.lan>
and subject line [ftpmas...@ftp-master.debian.org: Accepted node-express 4.19.2+~cs8.36.21-1 (source) into unstable]
has caused the Debian Bug report #1068346,
regarding node-express: CVE-2024-29041
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1068346: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068346
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-express
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-express.

CVE-2024-29041[0]:
| Express.js minimalist web framework for node. Versions of Express.js
| prior to 4.19.0 and all pre-release alpha and beta versions of 5.0
| are affected by an open redirect vulnerability using malformed URLs.
| When a user of Express performs a redirect using a user-provided URL
| Express performs an encode [using
| `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents
| before passing it to the `location` header. This can cause malformed
| URLs to be evaluated in unexpected ways by common redirect allow
| list implementations in Express applications, leading to an Open
| Redirect via bypass of a properly implemented allow list. The main
| method impacted is `res.location()` but this is also called from
| within `res.redirect()`. The vulnerability is fixed in 4.19.2 and
| 5.0.0-beta.3.

https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc
https://github.com/koajs/koa/issues/1800
https://github.com/expressjs/express/pull/5539
https://github.com/expressjs/express/commit/0867302ddbde0e9463d0564fea5861feb708c2dd (4.19.0)
https://github.com/expressjs/express/commit/0b746953c4bd8e377123527db11f9cd866e39f94


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-29041
    https://www.cve.org/CVERecord?id=CVE-2024-29041

Please adjust the affected versions in the BTS as needed.

--- End Message ---
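Added example, not part of either message above and not Express, koa or encodeurl code: a self-contained Node.js reproduction of the allow-list bypass the advisory describes. A WHATWG URL parser (what browsers and Node's global `URL` use) treats a backslash after the host as the end of the authority, so `http://example.com\@evil.com` has hostname example.com and passes an allow list that checks `new URL(input).hostname`. A whole-string percent-encoder then turns that backslash into `%5C`, and the emitted `Location: http://example.com%5C@evil.com` is parsed by the browser as userinfo `example.com%5C` at host evil.com. The encoder, host names, base URL and helper functions are this example's own constructions; the encoder only mimics the one property of the pre-4.19 encoding that matters here (backslash becomes `%5C`), and the two hardened flows are this example's own variants of the idea, not a copy of the upstream patch.

```javascript
// Added illustration of the CVE-2024-29041 open-redirect allow-list bypass.
// Not Express, koa or encodeurl code; all names below are this example's own.
// Runs on Node.js >= 10 (global WHATWG `URL`), no dependencies.

// Stand-in for the whole-string percent-encoding that pre-4.19 res.location()
// applied to its input. Simplified: it encodes every character outside a
// conservative allowed set and leaves '%' alone. The one property that matters
// here is that a backslash becomes '%5C'.
const URL_SAFE = /[A-Za-z0-9\-._~!$&'()*+,;=:@\/?#\[\]%]/;

function encodeWholeUrl(str) {
  let out = '';
  for (const ch of str) {
    out += URL_SAFE.test(ch) ? ch : encodeURIComponent(ch);
  }
  return out;
}

// A "properly implemented" allow list as the advisory describes: parse the
// candidate with the WHATWG parser and compare the hostname.
const ALLOWED_HOSTS = new Set(['example.com', 'www.example.com']); // constructed
const SITE_BASE = 'https://example.com/';                          // constructed

function isAllowedRedirect(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate, SITE_BASE); // relative paths resolve to our own host
  } catch (e) {
    return false;                           // unparseable => refuse
  }
  return ALLOWED_HOSTS.has(parsed.hostname);
}

// What the browser does with the Location header we emit.
function browserDestinationHost(locationHeader) {
  return new URL(locationHeader, SITE_BASE).hostname;
}

// Vulnerable flow: check the raw string, then emit the *encoded* string.
// The allow list and the browser end up looking at two different URLs.
function vulnerableRedirect(userUrl) {
  if (!isAllowedRedirect(userUrl)) throw new Error('refused: ' + userUrl);
  return encodeWholeUrl(userUrl); // value of the Location header
}

// Hardened flow 1: build the exact header bytes first, then allow-list those.
function checkedRedirect(userUrl) {
  const header = encodeWholeUrl(userUrl);
  if (!isAllowedRedirect(header)) throw new Error('refused: ' + header);
  return header;
}

// Hardened flow 2: never encode the scheme, the authority, or the delimiter
// that terminates the authority ('/', '\', '?' or '#'), so encoding cannot
// move the boundary between userinfo, host and path.
const SCHEME_AND_AUTHORITY = /^(?:[a-zA-Z][a-zA-Z0-9+.\-]*:)?\/\/[^\\\/?#]+/;

function encodeAfterAuthority(str) {
  const m = SCHEME_AND_AUTHORITY.exec(str);
  const cut = m ? m[0].length + 1 : 0; // +1 keeps the terminating delimiter as-is
  return str.slice(0, cut) + encodeWholeUrl(str.slice(cut));
}

// Constructed attacker input: for a WHATWG parser the backslash ends the
// authority (host = example.com); once encoded to %5C it is part of the
// userinfo and the '@' makes evil.com the host.
const ATTACK = 'http://example.com\\@evil.com';

function demo() {
  const header = vulnerableRedirect(ATTACK);    // passes the allow list
  const where = browserDestinationHost(header); // where the browser really goes
  let checked = 'refused';
  try {
    checked = checkedRedirect(ATTACK);
  } catch (e) {
    // expected: the encoded header no longer passes the allow list
  }
  const safe = browserDestinationHost(encodeAfterAuthority(ATTACK));
  return { header, where, checked, safe };
}

console.log(demo());
```

Running it with `node` prints the header the vulnerable flow emits (`http://example.com%5C@evil.com`), the host the browser actually visits (`evil.com`), and the outcome of the two hardened flows (refused, and `example.com`). The point generalises beyond the backslash: allow-list the exact bytes that go on the wire, or make sure no transformation applied after the check can move the userinfo/host/path boundaries of the URL.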
--- Begin Message ---
Source: node-express
Source-Version: 4.19.2+~cs8.36.21-1

----- Forwarded message from Debian FTP Masters <ftpmas...@ftp-master.debian.org> -----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Apr 2024 07:52:14 +0400
Source: node-express
Architecture: source
Version: 4.19.2+~cs8.36.21-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Changes:
 node-express (4.19.2+~cs8.36.21-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 4.19.2+~cs8.36.21 (Closes: CVE-2024-29041)
   * Unfuzz patches
Checksums-Sha1: 
 5acf5179d1b48d8019fa3f96fb0062d6a561e8cf 4250 node-express_4.19.2+~cs8.36.21-1.dsc
 3ae8ab3767d98d0b682cda063c3339e1e86ccfaa 12489 node-express_4.19.2+~cs8.36.21.orig-types-express-serve-static-core.tar.gz
 c26d4a151e60efe0084b23dc3369ebc631ed192d 2699 node-express_4.19.2+~cs8.36.21.orig-types-express.tar.gz
 0de8181cc5ac0334fbe0142b510ea66ad45920bb 148014 node-express_4.19.2+~cs8.36.21.orig.tar.gz
 54d3fc7adacc1437efb7cb729794ee6c7b942cb0 26632 node-express_4.19.2+~cs8.36.21-1.debian.tar.xz
Checksums-Sha256: 
 3a82fb4c483ebd00803a1b7318959c6e3ac36b1f65de447efc41173b7a603aaa 4250 node-express_4.19.2+~cs8.36.21-1.dsc
 341f919fe2c4929497bac01a6dc29ed8b50485aa2f282896e7532b58bff88399 12489 node-express_4.19.2+~cs8.36.21.orig-types-express-serve-static-core.tar.gz
 d292c477ae1b654d6422d7a168a86b7a680f8f0e176e854d6c7ce02e3e202f57 2699 node-express_4.19.2+~cs8.36.21.orig-types-express.tar.gz
 08542d21662fead677b6d262ac98383030804b0e5a6c75bca9697dfd7260891a 148014 node-express_4.19.2+~cs8.36.21.orig.tar.gz
 e0ce6a40be8f7df3271214924d0f566877b2dfb0afe48d04bbfa5295622cc6d5 26632 node-express_4.19.2+~cs8.36.21-1.debian.tar.xz
Files: 
 77d68000e84f2b9cb03ab0d2e4bef6cf 4250 javascript optional node-express_4.19.2+~cs8.36.21-1.dsc
 152a87d8e5f6a37982f10c5be3d65948 12489 javascript optional node-express_4.19.2+~cs8.36.21.orig-types-express-serve-static-core.tar.gz
 50f392ae641a36e9cf75ae2eed0600f0 2699 javascript optional node-express_4.19.2+~cs8.36.21.orig-types-express.tar.gz
 755bb69941658f54651b08017ac2dbfb 148014 javascript optional node-express_4.19.2+~cs8.36.21.orig.tar.gz
 7c13d3b855af65df666a76a8946f900a 26632 javascript optional node-express_4.19.2+~cs8.36.21-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

----- End forwarded message -----

--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
