Your message dated Mon, 16 Sep 2024 08:54:37 +0000
with message-id <e1sq7vf-00efit...@fasolo.debian.org>
and subject line Bug#1081481: fixed in node-express 4.21.0+~cs8.36.26-1
has caused the Debian Bug report #1081481,
regarding node-express: CVE-2024-43796
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1081481: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081481
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-express
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-express.

CVE-2024-43796[0]:
| Express.js minimalist web framework for node. In express < 4.20.0,
| passing untrusted user input - even after sanitizing it - to
| response.redirect() may execute untrusted code. This issue is
| patched in express 4.20.0.

https://github.com/expressjs/express/security/advisories/GHSA-qw6h-vgh9-j6wx
https://github.com/expressjs/express/commit/54271f69b511fea198471e6ff3400ab805d6b553
 (4.20.0)

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-43796
    https://www.cve.org/CVERecord?id=CVE-2024-43796

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: node-express
Source-Version: 4.21.0+~cs8.36.26-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-express, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1081...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-express package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

Format: 1.8
Date: Mon, 16 Sep 2024 12:34:28 +0400
Source: node-express
Architecture: source
Version: 4.21.0+~cs8.36.26-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1081481
Changes:
 node-express (4.21.0+~cs8.36.26-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version (Closes: #1081481, CVE-2024-43796)
   * Refresh patches
   * Update test modules
   * Embed specific version of path-to-regexp and drop related dependency
   * Update dependencies constraints:
     - node-cookie >= 0.6
     - node-encodeurl >= 2


--- End Message ---
-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel