Your message dated Sun, 08 Mar 2026 15:32:08 +0000
with message-id <[email protected]>
and subject line Bug#1129093: fixed in node-proxy-agents 0~2024040606-6+deb13u1
has caused the Debian Bug report #1129093,
regarding node-proxy-agents: CVE-2026-27699
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1129093: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129093
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-proxy-agents
Version: 0~2025070717-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-proxy-agents.
CVE-2026-27699[0]:
| The `basic-ftp` FTP client library for Node.js contains a path
| traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the
| `downloadToDir()` method. A malicious FTP server can send directory
| listings with filenames containing path traversal sequences (`../`)
| that cause files to be written outside the intended download
| directory. Version 5.2.0 patches the issue.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-27699
https://www.cve.org/CVERecord?id=CVE-2026-27699
[1]
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
[2]
https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-proxy-agents
Source-Version: 0~2024040606-6+deb13u1
Done: Yadd <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-proxy-agents, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-proxy-agents package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 27 Feb 2026 07:58:26 +0100
Source: node-proxy-agents
Architecture: source
Version: 0~2024040606-6+deb13u1
Distribution: trixie
Urgency: medium
Maintainer: Debian Javascript Maintainers
<[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1129093
Changes:
node-proxy-agents (0~2024040606-6+deb13u1) trixie; urgency=medium
.
* Team upload
* Fix basic-ftp traversal vulnerability (Closes: #1129093, CVE-2026-27699)
Checksums-Sha1:
c474a92edd1a6eaeef20a164a88fba7f81ddf504 4230
node-proxy-agents_0~2024040606-6+deb13u1.dsc
2e475158410f6a2c306334394375d7898a3c186f 44136
node-proxy-agents_0~2024040606-6+deb13u1.debian.tar.xz
Checksums-Sha256:
3f22e9e2e4cf76f06064b609290ef7add38f424afee75f15de460c4321d8d86d 4230
node-proxy-agents_0~2024040606-6+deb13u1.dsc
b9041439cead2718b3253e505738b564d9717487d1c12dfa465289f4ad979942 44136
node-proxy-agents_0~2024040606-6+deb13u1.debian.tar.xz
Files:
2f9f1278ee31466e606c8c44a645eb3a 4230 javascript optional
node-proxy-agents_0~2024040606-6+deb13u1.dsc
4f45ae729e1803898edf1d364ba3a153 44136 javascript optional
node-proxy-agents_0~2024040606-6+deb13u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmmtVNwACgkQ9tdMp8mZ
7umC2w/+OMYFU5jz6ikUxznpql3I4dIwDAPncMnCENxDSt3YqZoCQpZO6Y2lhi9M
Z1P9IfNOs6meJjOgu2Yaj3arcAokNmfbNuntE1A8owA/ExlDdMdWIHXxuQ1lHHj5
DkBtCUfrQg78klGknXSv6LPq97st9znUc/C0PJCEnOVCryiCIibx9qvfxHeDMCpN
t1MV/0sJmm1R0j+Es910I3HRwjlffgvhXXRkfswKRdHQe2ICfkFL36povTTnnw+c
x3wRnvoXwZtXCIqRal8+JKTSPzY5kIxzG0ssMllAjx/AFU9n7DacFQ6xaPBp8G1u
uEIrEhZaCoclLmGo+pBTrF4ou31/W4m/TUxYLxdCeVBg9oWIuXBuGEckhm2yhJT7
3YtKL2ssNFnCbXE3qOwWm9TfHMIMckOOKyvInaiXZJOJZUGL3q7TU9jPIEx/VFvH
8LuTmKR6biTIv0dybEfu9wZNcqkgFc7E72PVDb4ACwaK2M+q0tydo+7Qk5RkaGgZ
Y7NLdy3wBZFPsHfiuSDxoQGwtV6EqfIgR0qUWZtim5AXpzNIqfYtN6gzbFskYGhx
iCzjnuioRZoFM9GWZoIUVDCGIBDSj0mPBUC7a3I0nLXVrA6PLboDmMGbKgvhGuaq
StVOOkTQDjug2jKzq7hoDg36UP3EoGaJKS+3Bh6I4D3EGRIS0ME=
=dVIQ
-----END PGP SIGNATURE-----
pgpqt5ghvHDQV.pgp
Description: PGP signature
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
