Your message dated Sat, 19 Jul 2025 13:34:14 +0000
with message-id <e1ud7he-00e1s8...@fasolo.debian.org>
and subject line Bug#1109525: fixed in node-on-headers 1.0.2-4
has caused the Debian Bug report #1109525,
regarding node-on-headers: CVE-2025-7339
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1109525: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1109525
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-on-headers
Version: 1.0.2-2
Severity: important
Tags: security upstream
Forwarded: https://github.com/jshttp/on-headers/issues/15
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,
The following vulnerability was published for node-on-headers.
CVE-2025-7339[0]:
| on-headers is a node.js middleware for listening to when a response
| writes headers. A bug in on-headers versions `<1.1.0` may result in
| response headers being inadvertently modified when an array is
| passed to `response.writeHead()`. Users should upgrade to version
| 1.1.0 to receive a patch. Users are strongly encouraged to upgrade to
| `1.1.0`, but this issue can be worked around by passing an object to
| `response.writeHead()` rather than an array.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-7339
https://www.cve.org/CVERecord?id=CVE-2025-7339
[1] https://github.com/jshttp/on-headers/issues/15
[2] https://github.com/jshttp/on-headers/security/advisories/GHSA-76c9-3jph-rj3q
[3] https://github.com/jshttp/on-headers/commit/c6e384908c9c6127d18831d16ab0bd96e1231867
Regards,
Salvatore
--- End Message ---
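The workaround named in the advisory text above (pass an object to `response.writeHead()` rather than an array), as an added JavaScript example that is not part of the bug report or of on-headers. `headersToObject` and `writeHeadSafe` are hypothetical helper names, and the two array shapes handled (a flat name/value list and a list of pairs) are assumptions about what callers pass.

```javascript
'use strict'

// Hypothetical helper: turn a header array into a plain object so that
// writeHead() never receives an array.
// Assumed input shapes: ['Name', 'value', ...] or [['Name', 'value'], ...].
function headersToObject (headers) {
  if (!Array.isArray(headers)) return headers // already an object, or undefined
  const pairs = []
  if (headers.length > 0 && Array.isArray(headers[0])) {
    for (const entry of headers) {
      if (!Array.isArray(entry) || entry.length !== 2) {
        throw new TypeError('malformed header pair')
      }
      pairs.push(entry)
    }
  } else {
    if (headers.length % 2 !== 0) {
      throw new TypeError('flat header array has odd length')
    }
    for (let i = 0; i < headers.length; i += 2) {
      pairs.push([headers[i], headers[i + 1]])
    }
  }
  // Merge case-insensitively; a repeated name (e.g. Set-Cookie) becomes an
  // array value. A Map avoids special keys such as "__proto__".
  const merged = new Map()
  for (const [name, value] of pairs) {
    if (typeof name !== 'string' || name === '') {
      throw new TypeError('header name must be a non-empty string')
    }
    const key = name.toLowerCase()
    const seen = merged.get(key)
    if (!seen) merged.set(key, [name, value])
    else seen[1] = [].concat(seen[1], value)
  }
  return Object.fromEntries(merged.values())
}

// Hypothetical wrapper: call this instead of res.writeHead() on systems
// still running on-headers < 1.1.0.
function writeHeadSafe (res, statusCode, reason, headers) {
  if (typeof reason !== 'string') { headers = reason; reason = undefined }
  const obj = headersToObject(headers)
  return reason === undefined
    ? res.writeHead(statusCode, obj)
    : res.writeHead(statusCode, reason, obj)
}
```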
--- Begin Message ---
Source: node-on-headers
Source-Version: 1.0.2-4
Done: Yadd <y...@debian.org>
We believe that the bug you reported is fixed in the latest version of
node-on-headers, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1109...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-on-headers package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 19 Jul 2025 15:08:56 +0200
Source: node-on-headers
Architecture: source
Version: 1.0.2-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1109525
Changes:
node-on-headers (1.0.2-4) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.2
* Fix array handling (Closes: #1109525, CVE-2025-7339)
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel