Bug#989106: unblock: node-ws/7.4.2+~cs18.0.8-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-ws [ Reason ] node-ws is vulnerable to a ReDoS: A specially crafted value of the `Sec-Websocket-Protocol` header could be used to significantly slow down a ws server. [ Impact ] Medium vulnerability [ Tests ] No change in test [ Risks ] No risk, patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-ws/7.4.2+~cs18.0.8-2 diff --git a/debian/changelog b/debian/changelog index 5c44772..f349028 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-ws (7.4.2+~cs18.0.8-2) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Fix ReDoS vulnerability (Closes: CVE-2021-32640) + + -- Yadd Wed, 26 May 2021 08:26:30 +0200 + node-ws (7.4.2+~cs18.0.8-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-32640.patch b/debian/patches/CVE-2021-32640.patch new file mode 100644 index 000..648faae --- /dev/null +++ b/debian/patches/CVE-2021-32640.patch 
@@ -0,0 +1,40 @@ +Description: Fix ReDoS vulnerability + A specially crafted value of the `Sec-Websocket-Protocol` header could + be used to significantly slow down a ws server. + . + PoC and fix were sent privately by Robert McLaughlin from University of + California, Santa Barbara. +Author: Luigi Pinca +Origin: upstream, https://github.com/websockets/ws/commit/00c425e +Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-05-26 + +--- a/lib/websocket-server.js b/lib/websocket-server.js +@@ -286,7 +286,7 @@ + let protocol = req.headers['sec-websocket-protocol']; + + if (protocol) { +- protocol = protocol.trim().split(/ *, */); ++ protocol = protocol.split(',').map(trim); + + // + // Optionally call external protocol selection handler. +@@ -404,3 +404,15 @@ + socket.removeListener('error', socketOnError); + socket.destroy(); + } ++ ++/** ++ * Remove whitespace characters from both ends of a string. ++ * ++ * @param {String} str The string ++ * @return {String} A new string representing `str` stripped of whitespace ++ * characters from both its beginning and end ++ * @private ++ */ ++function trim(str) { ++ return str.trim(); ++} diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..c58b9aa --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-32640.patch diff --git a/debian/watch b/debian/watch index aa7ee90..8d06a3a 100644 --- a/debian/watch +++ b/debian/watch 
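Review bot: The request says "No change in test" and the Debian patch indeed carries only the `lib/websocket-server.js` change, so nothing in the package would catch the backtracking `/ *, */` split coming back in a later refresh; a regression test that hands the server a `Sec-WebSocket-Protocol` value of several thousand spaces and asserts the upgrade completes (or is rejected) well under a second would pin the fix. The new `split(',').map(trim)` yields the same list as the old expression for values such as `a, ,b` (an empty middle entry in both cases), so `handleProtocols` callers still have to cope with empty strings; a one-line comment at the call site, e.g. `// entries may be '' for empty list items; total size is bounded by Node's header-size limit`, would make that explicit. The `trim` helper only wraps `String.prototype.trim`, so `map((p) => p.trim())` would say the same thing without the twelve added lines, though upstream's form is harmless.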
@@ -1,32 +1,32 @@ version=4 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/ws-$1.tar.gz/,\ dversionmangle=auto \ -https://github.com/websockets/ws/tags .*/archive/v?([\d\.]+).tar.gz group +https://github.com/websockets/ws/tags .*/archive/.*/v?([\d\.]+).tar.gz group opts=\ ctype=nodejs,\ component=utf-8-validate,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-utf-8-validate-$1.tar.gz/ \ - https://github.com/websockets/utf-8-validate/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/websockets/utf-8-validate/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum opts=\ ctype=nodejs,\ component=bufferutil,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-bufferutil-$1.tar.gz/ \ - https://github.com/websockets/bufferutil/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/websockets/bufferutil/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum opts=\ ctype=nodejs,\ component=wscat,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-wscat-$1.tar.gz/ \ - https://github.com/websockets/wscat/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/websockets/wscat/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum opts=\ ctype=nodejs,\ component=https-proxy-agent,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-node-https-proxy-agent-$1.tar.gz/ \ - https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/TooTallNate/node-https-proxy-agent/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
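Review bot: The new `.*/archive/.*/v?([\d\.]+).tar.gz` pattern accepts any path segment between `archive/` and the version, so it would also pick up non-tag archive links should GitHub ever list them on the tags page; since the breakage being fixed is GitHub moving tag tarballs under `archive/refs/tags/`, the tighter `.*/archive/refs/tags/v?([\d\.]+)\.tar\.gz` matches exactly that and also escapes the literal dots that the current pattern leaves as wildcards. The same loosening is repeated for the four component lines, so the tightening would apply to each of them.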
Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-ws is vulnerable to a regular-expression denial of service (ReDoS) (CVE-2021-32640). [ Impact ] A specially crafted value of the `Sec-Websocket-Protocol` header could be used to significantly slow down a ws server. [ Tests ] No change in tests; they still pass. [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just replace split(/, */) with split(',').map(trim), where trim is a small helper calling String.prototype.trim() [ Other info ] I adapted the 7.4.2 patch to 1.1.0 Cheers, Yadd
Bug#989129: buster-pu: package node-ws/1.1.0+ds1.e6ddaae4-5+deb10u1
Here is the missing debdiff diff --git a/debian/changelog b/debian/changelog index d8d3387..20f5a00 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-ws (1.1.0+ds1.e6ddaae4-5+deb10u1) buster; urgency=medium + + * Team upload + * Fix ReDoS vulnerability (Closes: CVE-2021-32640) + + -- Yadd Wed, 26 May 2021 12:33:11 +0200 + node-ws (1.1.0+ds1.e6ddaae4-5) unstable; urgency=medium * Add upstream/metadata diff --git a/debian/patches/CVE-2021-32640.patch b/debian/patches/CVE-2021-32640.patch new file mode 100644 index 000..fd4c9dc --- /dev/null +++ b/debian/patches/CVE-2021-32640.patch 
@@ -0,0 +1,49 @@ +Description: Fix ReDoS vulnerability + A specially crafted value of the `Sec-Websocket-Protocol` header could + be used to significantly slow down a ws server. + . + PoC and fix were sent privately by Robert McLaughlin from University of + California, Santa Barbara. +Author: Luigi Pinca +Origin: upstream, https://github.com/websockets/ws/commit/00c425e +Bug: https://github.com/websockets/ws/security/advisories/GHSA-6fc8-4gx4-v693 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-05-26 + +--- a/lib/WebSocketServer.js b/lib/WebSocketServer.js +@@ -289,7 +289,7 @@ + var completeHybiUpgrade1 = function() { + // choose from the sub-protocols + if (typeof self.options.handleProtocols == 'function') { +-var protList = (protocols || "").split(/, */); ++var protList = (protocols || "").split(',').map(trim); + var callbackCalled = false; + var res = self.options.handleProtocols(protList, function(result, protocol) { + callbackCalled = true; +@@ -303,7 +303,7 @@ + return; + } else { + if (typeof protocols !== 'undefined') { +-completeHybiUpgrade2(protocols.split(/, */)[0]); ++completeHybiUpgrade2(protocols.split(',').map(trim)[0]); + } + else { + completeHybiUpgrade2(); +@@ -552,3 +552,15 @@ + try { socket.destroy(); } catch (e) {} + } + } ++ ++/** ++ * Remove whitespace characters from both ends of a string. ++ * ++ * @param {String} str The string ++ * @return {String} A new string representing `str` stripped of whitespace ++ * characters from both its beginning and end ++ * @private ++ */ ++function trim(str) { ++ return str.trim(); ++} diff --git a/debian/patches/series b/debian/patches/series index 0556eb7..e5cc10a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -5,3 +5,4 @@ disable-debian-failing-tests fix-failing-tests increase-test-timeout node-ads-120.diff +CVE-2021-32640.patch
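Review bot: The expression being replaced in this branch, `split(/, */)`, begins with a literal comma, so the engine fails at every non-comma position in constant time; the costly backtracking behind CVE-2021-32640 comes from the leading ` *` in 7.x's `/ *, */`, which 1.1.0 does not appear to have. Before shipping this as a security update it is worth running the PoC against the unpatched 1.1.0 to confirm it is actually affected rather than merely harmonised with upstream; the change is harmless either way. In the second hunk `protocols.split(',').map(trim)[0]` trims every entry only to keep the first; `protocols.split(',')[0].trim()` does the same with less work. Both `completeHybiUpgrade1` and the function enclosing it start outside the hunk.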
Bug#989146: unblock: node-cpr/3.0.1-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-cpr [ Reason ] I did an error when including node-mkdirp (≥1) patch. Here is the fix which permits to reenable all tests. [ Impact ] Maybe node-cpr is unable to copy empty directories [ Tests ] Upstream tests are now all enabled and passed (build + autopkgtest) [ Risks ] No risk, new patch is verified by tests. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Sorry for this error... Cheers, Yadd unblock node-cpr/3.0.1-4 diff --git a/debian/changelog b/debian/changelog index b0e6caf..338ddf1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-cpr (3.0.1-4) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Fix patch for node-mkdirp ≥ 1 + + -- Yadd Wed, 26 May 2021 21:31:55 +0200 + node-cpr (3.0.1-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/update-mkdirp.diff b/debian/patches/update-mkdirp.diff index 2e50ece..092902d 100644 --- a/debian/patches/update-mkdirp.diff +++ b/debian/patches/update-mkdirp.diff @@ -1,26 +1,27 @@ Description: update to mkdirp ≥ 1 -Author: Xavier Guimard -Forwarded: https://github.com/davglass/cpr/issues/65 +Author: Yadd +Forwarded: https://github.com/davglass/cpr/issues/68 Last-Update: 2020-10-21 --- a/lib/index.js +++ b/lib/index.js -@@ -121,12 +121,12 @@ +@@ -121,12 +121,13 @@ err.errno = 27; options.errors.push(err); } else { -mkdirp(to, stat.mode, stack.add(function(err) { -+mkdirp(to, stat.mode).catch((err) => {stack.add(function(err) { ++var ef = stack.add(function(err) { /*istanbul ignore next*/ if (err) { options.errors.push(err); } -})); -+})}); ++}); ++mkdirp(to, stat.mode).then(ef).catch(ef); } })); } -@@ -139,7 +139,7 @@ +@@ -139,7 +140,7 @@ var copyFile = function(from, to, options, callback) { var dir = path.dirname(to); 
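Review bot: `mkdirp(to, stat.mode).then(ef).catch(ef)` passes the promise's fulfilment value to `ef` as `err`; mkdirp ≥ 1 is documented to resolve with the first directory it created (a string), so whenever the destination is actually created that path would land in `options.errors` — worth checking against the installed mkdirp, since the visible `should copy empty directory` test ignores its callback argument and would not notice. Chaining `.catch(ef)` after `.then(ef)` also means a throw inside `ef` runs `ef` a second time, so the `stack.add` callback can fire twice. A two-argument `then` avoids both: `mkdirp(to, stat.mode).then(function () { ef(); }, ef);`. The enclosing copy function continues outside the hunk.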
@@ -29,32 +30,3 @@ Last-Update: 2020-10-21 fs.stat(to, function(statError) { var err; if(!statError && options.overwrite !== true) { a/tests/full.js -+++ b/tests/full.js -@@ -343,6 +343,7 @@ - - describe('validations', function() { - -+/* - it('should copy empty directory', function(done) { - mkdirp.sync(path.join(to, 'empty-src')); - cpr(path.join(to, 'empty-src'), path.join(to, 'empty-dest'), function() { -@@ -351,6 +352,7 @@ - done(); - }); - }); -+*/ - - it('should not delete existing folders in out dir', function(done) { - mkdirp.sync(path.join(to, 'empty-src', 'a')); -@@ -359,8 +361,8 @@ - var stat = fs.statSync(path.join(to, 'empty-dest')); - assert.ok(stat.isDirectory()); - var dirs = fs.readdirSync(path.join(to, 'empty-dest')); --assert.equal(dirs[0], 'a'); --assert.equal(dirs[1], 'b'); -+assert.equal(dirs[0], 'b'); -+//assert.equal(dirs[1], 'a'); - done(); - }); - }); diff --git a/debian/watch b/debian/watch index 3e3a8e7..1b77a15 100644 --- a/debian/watch +++ b/debian/watch @@ -2,4 +2,4 @@ version=3 opts=\ dversionmangle=s/\+(debian|dfsg|ds|deb)(\.\d+)?$//,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-cpr-$1.tar.gz/ \ - https://github.com/davglass/cpr/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/davglass/cpr/tags .*/archive/.*/v?([\d\.]+).tar.gz
Bug#988977: buster-pu: package libbusiness-us-usps-webtools-perl/1.122-1+deb10u1
Le 29/05/2021 à 16:04, Adam D. Barratt a écrit : > Control: tags -1 + confirmed > > On Sat, 2021-05-22 at 12:26 +0200, Yadd wrote: >> [ Reason ] >> USPS is sending notices that HTTP access will be turned off shortly, >> in favor of HTTPS. >> >> Given that is a web service that will break in the wild, in addition >> to a regular update for unstable, we should update buster (and >> stretch) via stable-updates (and oldstable-updates). > > Ideally there'll have been a point release before June 24th; admittedly > that still needs organising. > > Note that stretch-updates stopped being supported when stretch moved to > LTS; indeed, it doesn't make much sense given that there are no point > releases for LTS for such updates to be released in advance of. > > Please go ahead. > > Regards, > > Adam Hi, done for Buster. I pushed also a Stretch update, then if someone want to get it, it is ready ;-) Thanks! Yadd
Bug#989290: unblock: node-got/11.8.1+~cs53.13.17-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock -BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Please unblock package node-got [ Reason ] node-normalize-url (embedded in node-got) is vulnerable to a Regex Denial of Service (ReDoS) (#989258, CVE-2021-33502). This little patch fixes it. [ Impact ] Medium security issue [ Tests ] Sadly test are not enabled for this package due to missing test dependencies [ Risks ] No risk here, patch is trivial (just a regex improvement) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-got/11.8.1+~cs53.13.17-3 -BEGIN PGP SIGNATURE- iQJEBAEBCgAuFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmC0tMwQHHlhZGRAZGVi aWFuLm9yZwAKCRD210ynyZnu6TKiD/4jlh7TN9AxaWxx2MJLho3t/w3eBaHL9zzP 091IzeAZndqYDzAsC0migMIeMpwS0laDg9WTafesq0kPWGPCPbFOtuiQo8CNAoP5 eakDTq0LZRjSDbziUe3QjT9YdSOeOBbopRkDx8fcpBu8Wutp6trsIgAUQ0xaGMYL KJRzn/e90Ceqg+VUd9Pimp4EFnB+MfX5PPVUcJSJCFFgmHSQuvBPl9BV7qaIF05Y n4H64Pa4bLh4+iSvvfbhvotnt7W091b86lTEuWzAv9XOijjeIRpkRPBUHRSXTSoc BDhQ9kgE6y4PUip7iBpNTPRpZpSj0ow8kRcekoBYp9U9EO34dffk/czBj203FVWv me61VJITKhLKuBhQ4GCHbXrmnMYcax+hZXiev9vvsF+v1W3pJgj0KFc51/cBkoCc n+YuNq8+0ski1byjA3edk+VWsQz/q7ElNs3Y0ZvHH4nfA0UUXzastPlSw5qnoOyK kkUFUdCF2w5i4HrJZ0bgKjA+c4eouAUkF8+z5ENQ2K6XJ1Iwqv8lwo162MfTPq1W zNj6CWWBEgB+GLkEO7VBcpwrPMoJHkRejjZTRhUWBP47CnnzX6a+JOfLGYG/PytO R6yLy/oWQtoPTsDDuqP0LH+korjw2DmFsH8DWxWbCdtmQzB1dEn7+htluK2h+Mbt W5J0x1auFw== =dUjO -END PGP SIGNATURE- diff --git a/debian/changelog b/debian/changelog index c1ca5b3..9cda1ef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: #989258, CVE-2021-33502) + + -- Yadd Mon, 31 May 2021 11:57:23 +0200 + node-got (11.8.1+~cs53.13.17-2) unstable; urgency=medium * Team upload 
diff --git a/debian/patches/CVE-2021-33502.patch b/debian/patches/CVE-2021-33502.patch new file mode 100644 index 000..1572953 --- /dev/null +++ b/debian/patches/CVE-2021-33502.patch @@ -0,0 +1,40 @@ +Description: Fix ReDoS for data URLs +Author: Sindre Sorhus +Origin: upstream, https://github.com/sindresorhus/normalize-url/commit/b1fdb51 +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33502 +Bug-Debian: https://bugs.debian.org/989258 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-05-31 + +--- a/normalize-url/index.js b/normalize-url/index.js +@@ -9,7 +9,7 @@ + }; + + const normalizeDataURL = (urlString, {stripHash}) => { +- const match = /^data:(?.*?),(?.*?)(?:#(?.*))?$/.exec(urlString); ++ const match = /^data:(?[^,]*?),(?[^#]*?)(?:#(?.*))?$/.exec(urlString); + + if (!match) { + throw new Error(`Invalid URL: ${urlString}`); +--- a/normalize-url/test.js b/normalize-url/test.js +@@ -320,3 +320,17 @@ + normalizeUrl('view-source:https://www.sindresorhus.com'); + }, '`view-source:` is not supported as it is a non-standard protocol'); + }); ++ ++test('does not have exponential performance for data URLs', t => { ++ for (let index = 0; index < 1000; index += 50) { ++ const url = 'data:' + Array.from({length: index}).fill(',#').join('') + '\ra'; ++ const start = Date.now(); ++ ++ try { ++ normalizeUrl(url); ++ } catch {} ++ ++ const difference = Date.now() - start; ++ t.true(difference < 100, `Execution time: ${difference}`); ++ } ++}); diff --git a/debian/patches/series b/debian/patches/series index 225f561..2299ad7 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ build-source-only.diff fix-package-json-paths.diff +CVE-2021-33502.patch
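Review bot: The added regression test fails whenever a single `normalizeUrl` call takes 100 ms of wall-clock time, which on a loaded buildd or autopkgtest runner can happen for reasons unrelated to the regex; a looser bound, or comparing the time for the largest input against the smallest, keeps the test meaningful without the flakiness (the request notes tests are disabled in Debian, so this is latent rather than blocking). As rendered here the regex reads `(?[^,]*?)`, which is not valid JavaScript — the named-group labels (`(?<type>`, `(?<data>`, `(?<hash>`) appear to have been lost in extraction, so anyone copying from this page should take the expression from the upstream commit. The negated classes `[^,]*?` and `[^#]*?` are what remove the backtracking, and a comment above the `match` line such as `// negated classes keep the engine from backtracking across the ',' and '#' delimiters (CVE-2021-33502)` would record why they were chosen.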
Apache2 policy for Bullseye
Hi all, In the past we had some problems following CVE fixes for Apache2. For Buster, we had to import the whole http2 module from 2.4.46 into 2.4.38 because it was impossible to apply the upstream fix due to module changes. This isolated import was really risky, but we didn't find a better way. Now the story restarts with CVE-2021-31618. The upstream fix is simple but refers to other changes; in particular the whole SSL stack changed. Even for Bullseye, there are too many differences between 2.4.46 and 2.4.48 to apply this fix. Apache2 has been RFH for years, but has too many reverse dependencies to be removed from Bullseye (even if there are some alternatives). Our current apache2 policy keeps a lot of (maybe unimportant) CVEs open [1]. So I'd like to see if it is possible to follow 2.4.x changes for Bullseye (and maybe Buster). Upstream provides fully-tested versions with no major behavior changes in the 2.4.x branch [2], but with many CVE fixes [3]. But maybe there is a better way to fix these vulnerabilities (and future ones)? Cheers, Yadd [1] https://security-tracker.debian.org/tracker/source-package/apache2 [2] https://downloads.apache.org/httpd/CHANGES_2.4 [3] http://httpd.apache.org/security/vulnerabilities_24.html
Bug#989683: unblock: apache2/2.4.46-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: secur...@debian.org Please unblock package apache2 [ Reason ] Apache2 is vulnerable to a denial of service due to a NULL pointer dereference on specially crafted HTTP/2 request (#989562, CVE-2021-31618) [ Impact ] Denial of service [ Tests ] No new test [ Risks ] Patch is really trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock apache2/2.4.46-5 diff --git a/debian/changelog b/debian/changelog index 8a02325f..7ddeb00a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +apache2 (2.4.46-5) unstable; urgency=medium + + * Fix "NULL pointer dereference on specially crafted HTTP/2 request" +(Closes: #989562, CVE-2021-31618) + + -- Yadd Thu, 10 Jun 2021 11:57:38 +0200 + apache2 (2.4.46-4) unstable; urgency=medium * Ignore other random another test failures (Closes: #979664) diff --git a/debian/patches/CVE-2021-31618.patch b/debian/patches/CVE-2021-31618.patch new file mode 100644 index ..12d59c8b --- /dev/null +++ b/debian/patches/CVE-2021-31618.patch @@ -0,0 +1,20 @@ +Description: fix NULL pointer dereference on specially crafted HTTP/2 request +Author: Upstream +Origin: upstream, http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/modules/http2/h2_stream.c?r1=1889759&r2=1889758&pathrev=1889759 +Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-31618 +Bug-Debian: https://bugs.debian.org/989562 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-10 + +--- a/modules/http2/h2_stream.c b/modules/http2/h2_stream.c +@@ -638,7 +638,7 @@ + + static void set_error_response(h2_stream *stream, int http_status) + { +-if (!h2_stream_is_ready(stream)) { ++if (!h2_stream_is_ready(stream) && stream->rtmp) { + conn_rec *c = stream->session->c; + apr_bucket *b; + h2_headers *response; 
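Review bot: The new `&& stream->rtmp` guard silently skips building the error response when the stream has no request yet, but nothing in the hunk says why that state can exist, so the next reader may "simplify" it away; a comment above the condition, e.g. `/* rtmp is NULL when no request has been received yet for this stream (the crafted request of CVE-2021-31618); skip the response rather than dereference it */`, would preserve the reason. The `[ Tests ]` section says no new test was added, so the reproducer from the advisory is worth keeping in the test suite, or at least referenced in the patch header. `set_error_response` continues past the end of the hunk.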
diff --git a/debian/patches/series b/debian/patches/series
index 20bc4b61..8dfa2af8 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -11,3 +11,4 @@ tlsv13-add-logno.diff
 # This patch is applied manually
 #suexec-custom.patch
 spelling-errors.diff
+CVE-2021-31618.patch
Bug#989683: unblock: apache2/2.4.46-5
Control: retitle -1 unblock: apache2/2.4.46-6 Le 10/06/2021 à 12:21, Yadd a écrit : > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: secur...@debian.org > > Please unblock package apache2 > > [ Reason ] > Apache2 is vulnerable to a denial of service due to a NULL pointer > dereference on specially crafted HTTP/2 request (#989562, > CVE-2021-31618) > > [ Impact ] > Denial of service > > [ Tests ] > No new test > > [ Risks ] > Patch is really trivial > > [ Checklist ] > [X] all changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in testing > > unblock apache2/2.4.46-5 I added also fixes for other CVEs published with 2.4.48 release. All these patches are trivial. Cheers, Yadd unblock apache2/2.4.46-6 diff --git a/debian/changelog b/debian/changelog index 8a02325f..fa775057 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +apache2 (2.4.46-6) unstable; urgency=medium + + * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452, +CVE-2021-26690, CVE-2021-26691, CVE-2021-30641) + + -- Yadd Thu, 10 Jun 2021 13:40:11 +0200 + +apache2 (2.4.46-5) unstable; urgency=medium + + * Fix "NULL pointer dereference on specially crafted HTTP/2 request" +(Closes: #989562, CVE-2021-31618) + + -- Yadd Thu, 10 Jun 2021 11:57:38 +0200 + apache2 (2.4.46-4) unstable; urgency=medium * Ignore other random another test failures (Closes: #979664) diff --git a/debian/patches/CVE-2020-13950.patch b/debian/patches/CVE-2020-13950.patch new file mode 100644 index ..cf0ef992 --- /dev/null +++ b/debian/patches/CVE-2020-13950.patch 
@@ -0,0 +1,28 @@ +Description: The proxy connection may be NULL during prefetch, don't try to dereference it! + Still origin->keepalive will be set according to p_conn->close by the caller + (proxy_http_handler). +Author: Apache authors +Origin: upstream, https://svn.apache.org/r1678771 +Bug: +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-10 + +--- a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c +@@ -577,7 +577,6 @@ + apr_off_t bytes; + int force10, rv; + apr_read_type_e block; +-conn_rec *origin = p_conn->connection; + + if (apr_table_get(r->subprocess_env, "force-proxy-request-1.0")) { + if (req->expecting_100) { +@@ -637,7 +636,6 @@ + "chunked body with Content-Length (C-L ignored)", + c->client_ip, c->remote_host ? c->remote_host: ""); + req->old_cl_val = NULL; +-origin->keepalive = AP_CONN_CLOSE; + p_conn->close = 1; + } + diff --git a/debian/patches/CVE-2020-35452.patch b/debian/patches/CVE-2020-35452.patch new file mode 100644 index ..52042108 --- /dev/null +++ b/debian/patches/CVE-2020-35452.patch 
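Review bot: After this change the `"chunked body with Content-Length"` branch only sets `p_conn->close = 1` and relies on the caller to turn that into `origin->keepalive = AP_CONN_CLOSE`, as the patch header explains, but the code itself gives no hint; a comment at that line, `/* p_conn->connection may still be NULL during prefetch; proxy_http_handler maps p_conn->close onto origin->keepalive (CVE-2020-13950) */`, would keep the dependency visible. Dropping the `origin` local is only safe if no other use of it remains in the rest of the function, which lies outside the hunk; the package builds, so presumably none does, but the header could say so. The DEP-3 `Bug:` field is left empty; pointing it at the httpd advisory entry for CVE-2020-13950 would match the other patches in this upload.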
@@ -0,0 +1,27 @@ +Description: +Author: Apache authors +Origin: upstream, https://github.com/apache/httpd/commit/3b6431e +Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2020-35452 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-10 + +--- a/modules/aaa/mod_auth_digest.c b/modules/aaa/mod_auth_digest.c +@@ -1422,9 +1422,14 @@ + time_rec nonce_time; + char tmp, hash[NONCE_HASH_LEN+1]; + +-if (strlen(resp->nonce) != NONCE_LEN) { ++/* Since the time part of the nonce is a base64 encoding of an ++ * apr_time_t (8 bytes), it should end with a '=', fail early otherwise. ++ */ ++if (strlen(resp->nonce) != NONCE_LEN ++|| resp->nonce[NONCE_TIME_LEN - 1] != '=') { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01775) +- "invalid nonce %s received - length is not %d", ++ "invalid nonce '%s' received - length is not %d " ++ "or time encoding is incorrect", + resp->nonce, NONCE_LEN); + note_digest_auth_failure(r, conf, resp, 1); + return HTTP_UNAUTHORIZED; diff --git a/debian/patches/CVE-2021-26690.patch b/debian/patches/CVE-2021-26690.patch new file mode 100644 index ..5ceec1fd --- /dev/null +++ b/debian/patches/CVE-2021-26690.patch @@ -0,0 +1,20 @@ +Description: +Author: Apache authors +Origin: upstream, https://github.com/apache/httpd/commit/67bd9bfe +Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2021-26690 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-10 + +--- a/modules/session/mod_session.c b/modules/session/mod_session.c +@@ -405,8 +405,8 @@ + char *plast = NULL; + const char *psep = "="; + char *key = apr_strtok
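Review bot: The read of `resp->nonce[NONCE_TIME_LEN - 1]` is in bounds only because the `strlen(resp->nonce) != NONCE_LEN` test is evaluated first (short-circuit `||`) and because `NONCE_TIME_LEN <= NONCE_LEN`, neither of which the hunk shows; adding `/* the length check must stay first so the index below is in bounds */` to the new comment records the ordering so a later reshuffle does not reintroduce an over-read. The `Description:` field of this patch is empty — a one-line summary such as "reject digest nonces whose time field is not valid base64" would help later triage. The CVE-2021-26690 hunk that follows is cut off at the end of the listing and is not reviewed here.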
Bug#989683: Fwd: [Bug 1968013] CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request
Le 10/06/2021 à 14:07, Moritz Muehlenhoff a écrit : > On Thu, Jun 10, 2021 at 02:02:05PM +0200, Yadd wrote: >> Le 10/06/2021 à 12:16, Yadd a écrit : >>> Le 10/06/2021 à 11:51, Yadd a écrit : >>>> Hi, >>>> >>>> Hopefully there is an available-and-simple fix for #989562 >>>> (CVE-2021-31618) ! >>>> >>>> Cheers, >>>> Yadd >>> >>> Here is the debdiff >> >> Updated with all CVE fixes. Thanks to security-tracker and its >> maintainers ;-) >> >> Cheers, >> Yadd > >> diff --git a/debian/changelog b/debian/changelog >> index b6096f7d..41cb8b28 100644 >> --- a/debian/changelog >> +++ b/debian/changelog >> @@ -1,3 +1,12 @@ >> +apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium >> + >> + * Fix "NULL pointer dereference on specially crafted HTTP/2 request" >> +(Closes: #989562, CVE-2021-31618) >> + * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452, >> +CVE-2021-26690, CVE-2021-26691, CVE-2021-30641) > > There's also https://security-tracker.debian.org/tracker/CVE-2019-17567 > https://www.openwall.com/lists/oss-security/2021/06/10/2 > > The CVE ID is from 2019, but it got public yesterday with the other fixes. > > Cheers, > Moritz Hi, this adds a non trivial patch (attached debdiff shows the difference with 2.4.46-6 which is already proposed in unblock issue (#989683). I had to modify significantly upstream patch. As proposed earlier, I think it should be more safe to upload Apache 2.4.48 in Bullseye instead of this increasingly deviant hybrid (already 7 CVEs patches!). @release-team: please consider this new debdiff as a pre-aproval for 2.4.46-7 Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index fa775057..25650ac5 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,10 @@ +apache2 (2.4.46-7) UNRELEASED; urgency=medium + + * Fix mod_proxy_wstunnel to avoid HTTP validation bypass +(Closes: CVE-2019-17567) + + -- Yadd Thu, 10 Jun 2021 17:19:55 +0200 + apache2 (2.4.46-6) unstable; urgency=medium * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452, diff --git a/debian/patches/CVE-2019-17567.patch b/debian/patches/CVE-2019-17567.patch new file mode 100644 index ..0d9e3d51 --- /dev/null +++ b/debian/patches/CVE-2019-17567.patch 
@@ -0,0 +1,1854 @@ +Description: mod_proxy_wstunnel tunneling of non Upgraded connections + mod_proxy_wstunnel configured on an URL that is not necessarily Upgraded + by the origin server was tunneling the whole connection regardless, thus + allowing for subsequent requests on the same connection to pass through + with no HTTP validation, authentication or authorization possibly + configured. +Author: Apache authors +Origin: upstream, http://people.apache.org/~ylavic/patches/2.4.x-mod_proxy_http-upgrade-4on5-v2.patch +Bug: https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-17567 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-10 + +--- a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c +@@ -314,7 +314,8 @@ + } + } + else if (!strcasecmp(key, "upgrade")) { +-if (PROXY_STRNCPY(worker->s->upgrade, val) != APR_SUCCESS) { ++if (PROXY_STRNCPY(worker->s->upgrade, ++ strcasecmp(val, "ANY") ? val : "*") != APR_SUCCESS) { + return apr_psprintf(p, "upgrade protocol length must be < %d characters", + (int)sizeof(worker->s->upgrade)); + } +--- a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h +@@ -725,6 +725,19 @@ +proxy_worker *worker); + + /** ++ * Return whether a worker upgrade configuration matches Upgrade header ++ * @param p memory pool used for displaying worker name ++ * @param worker the worker ++ * @param upgrade the Upgrade header to match ++ * @param dfltdefault protocol (NULL for none) ++ * @return1 (true) or 0 (false) ++ */ ++PROXY_DECLARE(int) ap_proxy_worker_can_upgrade(apr_pool_t *p, ++ const proxy_worker *worker, ++ const char *upgrade, ++ const char *dflt); ++ ++/** + * Get the worker from proxy configuration + * @param pmemory pool used for finding worker + * @param balancer the balancer that the worker belongs to +@@ -1181,6 +1194,40 @@ + conn_rec *origin, apr_bucket_brigade *bb, + int flush); + ++struct proxy_tunnel_conn; /* opaque */ ++typedef struct { ++request_rec *r;
Bug#989683: Fwd: [Bug 1968013] CVE-2021-31618 httpd: NULL pointer dereference on specially crafted HTTP/2 request
Le 10/06/2021 à 17:31, Yadd a écrit : > Le 10/06/2021 à 14:07, Moritz Muehlenhoff a écrit : >> On Thu, Jun 10, 2021 at 02:02:05PM +0200, Yadd wrote: >>> Le 10/06/2021 à 12:16, Yadd a écrit : >>>> Le 10/06/2021 à 11:51, Yadd a écrit : >>>>> Hi, >>>>> >>>>> Hopefully there is an available-and-simple fix for #989562 >>>>> (CVE-2021-31618) ! >>>>> >>>>> Cheers, >>>>> Yadd >>>> >>>> Here is the debdiff >>> >>> Updated with all CVE fixes. Thanks to security-tracker and its >>> maintainers ;-) >>> >>> Cheers, >>> Yadd >> >>> diff --git a/debian/changelog b/debian/changelog >>> index b6096f7d..41cb8b28 100644 >>> --- a/debian/changelog >>> +++ b/debian/changelog >>> @@ -1,3 +1,12 @@ >>> +apache2 (2.4.38-3+deb10u5) buster-security; urgency=medium >>> + >>> + * Fix "NULL pointer dereference on specially crafted HTTP/2 request" >>> +(Closes: #989562, CVE-2021-31618) >>> + * Fix various low security issues (Closes: CVE-2020-13950, >>> CVE-2020-35452, >>> +CVE-2021-26690, CVE-2021-26691, CVE-2021-30641) >> >> There's also https://security-tracker.debian.org/tracker/CVE-2019-17567 >> https://www.openwall.com/lists/oss-security/2021/06/10/2 >> >> The CVE ID is from 2019, but it got public yesterday with the other fixes. >> >> Cheers, >> Moritz > > Hi, > > this adds a non trivial patch (attached debdiff shows the difference > with 2.4.46-6 which is already proposed in unblock issue (#989683). I > had to modify significantly upstream patch. As proposed earlier, I think > it should be more safe to upload Apache 2.4.48 in Bullseye instead of > this increasingly deviant hybrid (already 7 CVEs patches!). > > @release-team: please consider this new debdiff as a pre-aproval for > 2.4.46-7 > > Cheers, > Yadd And autopkgtest finally failed, so I'm not able to fix CVE-2019-17567 (the mod_proxy_wstunnel issue) this way: the upstream patch relies on other changes introduced in 2.4.47 or 2.4.48.
Bug#989730: unblock: ckeditor/4.16.0+dfsg-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package ckeditor [ Reason ] ckeditor is vulnerable to a cross-site scripting (XSS) vulnerability in the HTML Data Processor because --!> is mishandled. [ Impact ] Medium XSS vulnerability [ Tests ] Upstream doesn't provide any test for this package [ Risks ] No risk, patch is trivial [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock ckeditor/4.16.0+dfsg-2 diff --git a/debian/changelog b/debian/changelog index 72d59540..477ce555 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +ckeditor (4.16.0+dfsg-2) unstable; urgency=medium + + * Team upload + * Treat "--!>" as a valid comment end tag (Closes: CVE-2021-33829) + + -- Yadd Fri, 11 Jun 2021 13:28:40 +0200 + ckeditor (4.16.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-33829.patch b/debian/patches/CVE-2021-33829.patch new file mode 100644 index ..228f1859 --- /dev/null +++ b/debian/patches/CVE-2021-33829.patch @@ -0,0 +1,19 @@ +Description: Treat --!> as a valid comment end tag. +Author: Tomasz Jakut +Origin: upstream, https://github.com/ckeditor/ckeditor4/commit/3e426ce3 +Bug: https://github.com/ckeditor/ckeditor4/issues/4659 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-11 + +--- a/core/htmlparser.js b/core/htmlparser.js +@@ -17,7 +17,7 @@ + */ + CKEDITOR.htmlParser = function() { + this._ = { +- htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)-->)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g ++ htmlPartsRegex: /<(?:(?:\/([^>]+)>)|(?:!--([\S|\s]*?)--!?>)|(?:([^\/\s>]+)((?:\s+[\w\-:.]+(?:\s*=\s*?(?:(?:"[^"]*")|(?:'[^']*')|[^\s"'\/>]+))?)*)[\S\s]*?(\/?)>))/g + }; + }; + 
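Review bot: `--!?>` now accepts the `--!>` terminator that browsers treat as an (incorrectly-closed) comment end, but the HTML parsing algorithm also closes a comment abruptly at `<!-->` and `<!--->`, which this pattern still does not recognise because it requires `--` after the opening `<!--` and before `>`; if the goal is parity with browser comment termination in the data processor, those forms deserve a test against the same XSS scenario — hedged here, since the rest of the data processor is not visible. A comment above the regex naming the rule being implemented, e.g. `// A comment ends at '-->' or at the browser-tolerated '--!>' (CVE-2021-33829)`, would explain the otherwise opaque `!?`. The `[\S|\s]` class carries a literal `|` that contributes nothing; it predates this change and can be left alone.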
diff --git a/debian/patches/series b/debian/patches/series
index d0d2ffa6..2b74345d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0001-build-corrections-skip-debian-dir.patch
 0002-Remove-flash-example.patch
 0003-Remove-autogenerated-part-of-file.patch
+CVE-2021-33829.patch
Bug#988234: unblock: acorn/8.0.5+ds+~cs19.19.27-2
Control: tags -1 - moreinfo Control: retitle -1 unblock: acorn/8.0.5+ds+~cs19.19.27-3 Le 15/06/2021 à 20:59, Paul Gevers a écrit : > Control: tag -1 moreinfo > > Hi Yadd, > > On Thu, 20 May 2021 11:29:15 +0200 Paul Gevers wrote: >> Control: tag -1 confirmed moreinfo >> >> Hi Yadd, >> >> On 08-05-2021 13:30, Yadd wrote: >>> [ Reason ] >>> Buster to Bullseye transition needs a real node-acorn package (#986134) >> >> I pinged ftp on IRC some days ago, but the package didn't land yet. We >> need the package in the archive to unblock. Please remove the moreinfo >> tag once you receive the notification that the package is processed. > > I noticed that you removed the moreinfo tag, but because you had to > traverse NEW we now have: > Not built on buildd: arch all binaries uploaded by x.guim...@free.fr, a > new source-only upload is needed to allow migration > > We can't sensibly binNMU arch:all packages. Can you do an no-change > source-only upload to have the binaries build on the buildd please? If > not, shout and I can have a stab at it. > > Paul Done, sorry for that Cheers, Yadd
Bug#990077: unblock: apache2/2.4.48-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: secur...@debian.org Please unblock package apache2 [ Reason ] In the past we had some problems to follow CVE fixes for Apache2. For Buster, we had to import the whole http2 module from 2.4.46 into 2.4.38 because it was impossible to apply the upstream fix due to module changes. This isolated import was really risky but we didn't found a better way. Now the story restarts with CVE-2021-31618. The upstream fix is simple but refers to other changes. In particular the whole SSL stack changed. Even for Bullseye, there are too many differences between 2.4.46 and 2.4.48 to apply this fix. Apache2 is RFH for years, but has too many reverse dependencies to be removed from Bullseye (even if there are some alternatives). Our current apache2 policy keeps a lot of (maybe unimportant) CVE opened. So we decided to follow upstream changes for Bullseye. So this is the last version which fixes 6 CVEs (one grave)/ [ Impact ] Multiple security issues. [ Tests ] Tests passed (autopkgtest) [ Risks ] Patch isn't trivial, but it looks like upstream provides version fully tested. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] The dedbiff contains only debian/* changes. I found not interessant to provide the real debdiff which is really big. Cheers, Yadd unblock apache2/2.4.48-2 diff --git a/debian/apache2-data.lintian-overrides b/debian/apache2-data.lintian-overrides index 902735d7..fa617892 100644 --- a/debian/apache2-data.lintian-overrides +++ b/debian/apache2-data.lintian-overrides 
@@ -1 +1,5 @@ debian-changelog-file-is-a-symlink +package-contains-documentation-outside-usr-share-doc usr/share/apache2/default-site/index.html +package-contains-documentation-outside-usr-share-doc usr/share/apache2/error/include/bottom.html +package-contains-documentation-outside-usr-share-doc usr/share/apache2/error/include/spacer.html +package-contains-documentation-outside-usr-share-doc usr/share/apache2/error/include/top.html diff --git a/debian/apache2.logrotate b/debian/apache2.logrotate index 37c5f22e..9d2356da 100644 --- a/debian/apache2.logrotate +++ b/debian/apache2.logrotate @@ -1,20 +1,20 @@ /var/log/apache2/*.log { - daily - missingok - rotate 14 - compress - delaycompress - notifempty - create 640 root adm - sharedscripts - postrotate -if invoke-rc.d apache2 status > /dev/null 2>&1; then \ -invoke-rc.d apache2 reload > /dev/null 2>&1; \ -fi; - endscript - prerotate - if [ -d /etc/logrotate.d/httpd-prerotate ]; then \ - run-parts /etc/logrotate.d/httpd-prerotate; \ - fi; \ - endscript +daily +missingok +rotate 14 +compress +delaycompress +notifempty +create 640 root adm +sharedscripts +prerotate + if [ -d /etc/logrotate.d/httpd-prerotate ]; then + run-parts /etc/logrotate.d/httpd-prerotate + fi +endscript +postrotate + if pgrep -f ^/usr/sbin/apache2 > /dev/null; then + invoke-rc.d apache2 reload + fi +endscript } diff --git a/debian/changelog b/debian/changelog index fa775057..fef71d5b 100644 --- a/debian/changelog +++ b/debian/changelog 
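Review bot: The new postrotate guard `if pgrep -f ^/usr/sbin/apache2 > /dev/null` matches any process whose command line starts with /usr/sbin/apache2, whoever started it, which is a weaker test than the removed `invoke-rc.d apache2 status` that asked the init system whether the service is up. If the switch was made for multi-instance setups (the changelog further down mentions a multi-instance logrotate fix), a one-line comment above the guard saying so would stop the next reader from reverting it. The new `invoke-rc.d apache2 reload` also no longer redirects its output to /dev/null, so reload warnings will now reach logrotate's cron mail; that may be intended, but it is a visible behaviour change the changelog entry does not mention.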
@@ -1,4 +1,40 @@ -apache2 (2.4.46-6) unstable; urgency=medium +apache2 (2.4.48-2) unstable; urgency=medium + + * Back to unstable: Apache2 will follow upstream changes for Bullseye + + [ Christian Ehrhardt ] + * d/t/control, d/t/check-http2: basic test for http2 (Closes: #884068) + + -- Yadd Sat, 19 Jun 2021 17:50:29 +0200 + +apache2 (2.4.48-1) experimental; urgency=medium + + [ Daniel Lewart ] + * Update apache2.logrotate (Closes: #979813) + + [ Andreas Hasenack ] + * Avoid test suite failure (Closes: #985012) + + [ Yadd ] + * Update lintian overrides + * Re-export upstream signing key without extra signatures. + + [ Ondřej Surý ] + * New upstream version 2.4.48 (Closes: CVE-2019-17567, CVE-2020-13938, +CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, +CVE-2021-30641, CVE-2021-31618) + + -- Ondřej Surý Tue, 08 Jun 2021 08:29:35 +0200 + +apache2 (2.4.47-1) experimental; urgency=medium + + * Update upstream keys file + * New upstream version 2.4.47 + * Refresh patches + + -- Yadd Thu, 29 Apr 2021 08:03:33 +0200 + +apache2 (2.4.48-1) experimental; urgency=medium * Fix various low security issues (Closes: CVE-2020-13950, CVE-2020-35452, CVE-2021-26690, CVE-2021-26691, CVE-2021-30641) @@ -76,7 +112,7 @@ apache2 (2.4.43-1) unstable; urgency=medium * Fix logrotate script for multi-instance (Closes: #914606) [ Xavier Guimard ] - * New upstream version 2.4.43 + * New upstream vers
Re: Apache2 policy for Bullseye
Le 19/06/2021 à 14:57, Sebastian Ramacher a écrit : > On 2021-06-14 21:08:14 +0200, Moritz Mühlenhoff wrote: >> Yadd wrote: >>> Our current apache2 policy keeps a lot of (maybe unimportant) CVE opened >>> [1]. >> >> Note that this isn't really accurate: While there are CVEs listed with >> 2019- or 2020-, those were in fact all only recently published with the >> latest Apache release. >> >>> Then I'd like to see if it is possible to follow 2.4.x changes for >>> Bullseye (and maybe Buster). Upstream provides fully-tested versions >>> with no major behavior changes in 2.4.x branch [2], but with many CVE >>> fixes [3]. >> >> JFTR, I think this is worth a shot. TTBOMK the httpd developers avoid >> breaking changes within 2.4.x and with the many different modules around, >> the test coverage around their maintenance releases is certainly higher >> than what we can realistically cover with testing for isolated backports. > > Okay, if that helps with security maintenance in the long run, let's do > this. Please keep any unreleated changes to a minimum, though. Also note > that the full freeze is coming closer, so the upload would need to > happen very soon. > > Cheers Hi, thanks, I just pushed apache2 2.4.48-2 to unstable. I'm going to push an unblock request. Of course, I'll upload new Apache2 versions to Bullseye, only if there is a significant CVE (this means 50% ;-)) Cheers, Yadd
Bug#990077: unblock: apache2/2.4.48-3
Control: tags -1 - moreinfo Control: retitle -1 unblock: apache2/2.4.48-3 Le 20/06/2021 à 16:35, Sebastian Ramacher a écrit : > Control: tags -1 moreinfo > > On 2021-06-19 18:13:16 +0200, Yadd wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: unblock >> X-Debbugs-Cc: secur...@debian.org >> >> Please unblock package apache2 >> >> [...] >> >> diff --git a/debian/apache2-data.lintian-overrides >> b/debian/apache2-data.lintian-overrides >> [...] >> +apache2 (2.4.47-1) experimental; urgency=medium >> + >> + * Update upstream keys file >> + * New upstream version 2.4.47 >> + * Refresh patches >> + >> + -- Yadd Thu, 29 Apr 2021 08:03:33 +0200 >> + >> +apache2 (2.4.48-1) experimental; urgency=medium > > I suppose this should be 2.4.46-6 (unstable) instead. Could you please > fix that? > > Cheers Sorry, done. Cheers, Yadd unblock apache2/2.4.48-3 OpenPGP_signature Description: OpenPGP digital signature
Bug#990374: unblock: node-color-string/1.5.4-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-color-string [ Reason ] node-color-string is vulnerable to a Regex Denial of Service (ReDoS) reported in CVE-2021-29060 [ Impact ] Little vulnerability [ Tests ] No change in tests, passed [ Risks ] Patch is trivial, no risk IMO [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-color-string/1.5.4-2 diff --git a/debian/changelog b/debian/changelog index 299dfc1..d80a103 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-color-string (1.5.4-2) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Fix Regex Denial of Service (Closes: CVE-2021-29060) + + -- Yadd Sun, 27 Jun 2021 18:12:06 +0200 + node-color-string (1.5.4-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-29060.patch b/debian/patches/CVE-2021-29060.patch new file mode 100644 index 000..69bf300 --- /dev/null +++ b/debian/patches/CVE-2021-29060.patch 
@@ -0,0 +1,48 @@ +Description: fix ReDos in hwb() parser (low-severity) + . + Discovered by Yeting Li, c/o Colin Ife via Snyk.io. + . + A ReDos (Regular Expression Denial of Service) vulnerability + was responsibly disclosed to me via email by Colin on + Mar 5 2021 regarding an exponential time complexity for + linearly increasing input lengths for `hwb()` color strings. + . + Strings reaching more than 5000 characters would see several + milliseconds of processing time; strings reaching more than + 50,000 characters began seeing 1500ms (1.5s) of processing time. + . + The cause was due to a the regular expression that parses + hwb() strings - specifically, the hue value - where + the integer portion of the hue value used a 0-or-more quantifier + shortly thereafter followed by a 1-or-more quantifier. + . + This caused excessive backtracking and a cartesian scan, + resulting in exponential time complexity given a linear + increase in input length. +Author: Josh Junon +Origin: upstream, https://github.com/Qix-/color-string/commit/0789e212 +Bug: https://github.com/yetingli/PoCs/blob/main/CVE-2021-29060/Color-String.md +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-27 + +--- a/index.js b/index.js +@@ -129,7 +129,7 @@ + return null; + } + +- var hsl = /^hsla?\(\s*([+-]?(?:\d*\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; ++ var hsl = /^hsla?\(\s*([+-]?(?:\d{0,3}\.)?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; + var match = string.match(hsl); + + if (match) { +@@ -150,7 +150,7 @@ + return null; + } + +- var hwb = /^hwb\(\s*([+-]?\d*[\.]?\d+)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; ++ var hwb = /^hwb\(\s*([+-]?\d{0,3}(?:\.\d+)?)(?:deg)?\s*,\s*([+-]?[\d\.]+)%\s*,\s*([+-]?[\d\.]+)%\s*(?:,\s*([+-]?[\d\.]+)\s*)?\)$/; + var match = string.match(hwb); + + if (match) { 
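Review bot: The two hue groups no longer accept the same syntax after this change: the hsl regex keeps `\d+` after the optional `\d{0,3}\.`, so `hsl(1234, …)` still matches, while the hwb regex caps the integer part at three digits, so `hwb(1234, …)` is now rejected where it previously matched. That is probably acceptable for a hue, but it is a behavioural change the patch header does not record; a line such as `Note: hwb() hue is now limited to three integer digits` in the Description would do. The debdiff also carries no regression test for the long-input case the header describes ("No change in tests" per the request); a test feeding a several-thousand-character hwb() string and asserting a null result within a short timeout would catch a reintroduction.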
diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..543b76a --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-29060.patch diff --git a/debian/watch b/debian/watch index dc974c3..ad5d207 100644 --- a/debian/watch +++ b/debian/watch @@ -2,7 +2,7 @@ version=4 opts=\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-color-string-$1.tar.gz/ \ - https://github.com/qix-/color-string/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/qix-/color-string/tags .*/archive/.*/v?([\d\.]+).tar.gz # It is not recommended use npmregistry. Please investigate more. # Take a look at https://wiki.debian.org/debian/watch/
Bug#990891: unblock: node-millstone/0.6.19-5
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-millstone [ Reason ] node-millstone 0.6.19-4 has a broken autopkgtest due to wikipedia changes (some tests need internet). Bug: #990857 [ Impact ] Only autopkgtest failure [ Tests ] Most tests that download files from external sites are now disabled [ Risks ] No risk, only test changes [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-millstone/0.6.19-5 diff --git a/debian/changelog b/debian/changelog index 772caee..48a07e5 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-millstone (0.6.19-5) unstable; urgency=medium + + * Team upload + * Disable another test (Closes: #990857) + + -- Yadd Sat, 10 Jul 2021 07:46:14 +0200 + node-millstone (0.6.19-4) unstable; urgency=medium * Team upload diff --git a/debian/patches/disable-one-test.diff b/debian/patches/disable-one-test.diff index 20e5058..d542571 100644 --- a/debian/patches/disable-one-test.diff +++ b/debian/patches/disable-one-test.diff @@ -2,17 +2,17 @@ Description: disable some checks Upstream deleted test files in its repo Author: Yadd Forwarded: not-needed -Last-Update: 2021-05-14 +Last-Update: 2021-07-10 --- a/test/markers.test.js +++ b/test/markers.test.js -@@ -42,6 +42,7 @@ - }); +@@ -15,6 +15,7 @@ }); + +/* - it('correctly localizes zipped json', function(done) { - var mml = JSON.parse(fs.readFileSync(path.join(__dirname, 'zipped-json/project.mml'))); + it('correctly localizes remote image/svg files', function(done) { + var mml = JSON.parse(fs.readFileSync(path.join(__dirname, 'markers/project.mml'))); @@ -70,3 +71,4 @@ done();
Bug#991421: unblock: lemonldap-ng/2.0.11+ds-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: secur...@debian.org Please unblock package lemonldap-ng [ Reason ] lemonldap-ng 2.0.11+ds-3 has several vulnerabilities fixed in 2.0.12. This update fixes: * Session cache corruption can lead to authorization bypass or spoofing (Closes: CVE-2021-35472) * OAuth2 handler does not verify access token validity (Closes: CVE-2021-35473) * XSS on register form * Bad behavior which displays TOTP secret to connected user and debug logs [ Impact ] One high vulnerability (CVE-2021-35472) and medium others [ Tests ] New upstream test not imported here. Current tests passed (both build and autopkgtest) [ Risks ] Low risk. lemonldap-ng is developed following BDD/TDD, so most features are tested. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] (Anything else the release team should know.) unblock lemonldap-ng/2.0.11+ds-4 diff --git a/debian/changelog b/debian/changelog index d3c338880..a56d54279 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,15 @@ +lemonldap-ng (2.0.11+ds-4) unstable; urgency=high + + * Import security fixes from 2.0.12 +* Session cache corruption can lead to authorization bypass or spoofing + (Closes: CVE-2021-35472) +* OAuth2 handler does not verify access token validity + (Closes: CVE-2021-35473) +* Fix XSS on register form +* Don't display TOTP secret to connected user, neither in logs + + -- Yadd Thu, 22 Jul 2021 22:13:38 +0200 + lemonldap-ng (2.0.11+ds-3) unstable; urgency=medium * Add Breaks+Replaces in lemonldap-ng-handler for diff --git a/debian/patches/CVE-2021-35472.patch b/debian/patches/CVE-2021-35472.patch new file mode 100644 index 0..16a4e4c10 --- /dev/null +++ b/debian/patches/CVE-2021-35472.patch 
@@ -0,0 +1,30 @@ +Description: fix session cache corruption +Author: Yadd +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/b6a1f946 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2539 +Forwarded: not-needed +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Main/Run.pm +@@ -139,7 +139,9 @@ + } + + # Try to recover cookie and user session +-if ($id = $class->fetchId($req) ++$id = $class->fetchId($req); ++$class->data( {} ) unless($id); ++if ($id + and $session = $class->retrieveSession( $req, $id ) ) + { + +--- a/lemonldap-ng-portal/t/75-2F-Registers.t b/lemonldap-ng-portal/t/75-2F-Registers.t +@@ -439,6 +439,7 @@ + ), + 'Push U2F signature' + ); ++$id = expectCookie($res); + ok( + $res = $client->_get( + '/2fregisters', diff --git a/debian/patches/CVE-2021-35473.patch b/debian/patches/CVE-2021-35473.patch new file mode 100644 index 0..535252b03 --- /dev/null +++ b/debian/patches/CVE-2021-35473.patch 
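Review bot: The cache reset `$class->data( {} ) unless($id);` in Run.pm runs only when no session id was found in the request; when an id is present but `retrieveSession` returns nothing, control falls through to the else branch, which is outside this hunk, so whether stale data from a previous request is cleared on that path cannot be confirmed here and is worth checking, since that is the corruption scenario the header describes. A comment above the new line, e.g. `# Reset the per-request cache so data from a previous request cannot leak into this one`, would make the purpose of the otherwise odd-looking reset clear. The surrounding `if` continues outside the hunk.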
@@ -0,0 +1,69 @@ +Description: Add missing access token expiration check in OAuth2 handler +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/23a8a100 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2549 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-06-25 + +--- a/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/OAuth2.pm b/lemonldap-ng-handler/lib/Lemonldap/NG/Handler/Lib/OAuth2.pm +@@ -10,16 +10,17 @@ + + # Retrieve regular session if this is not an offline access token + unless ($offlineId) { +-my $data = { +-%{ +-$class->Lemonldap::NG::Handler::Main::retrieveSession( $req, +-$id ) +-}, +-$class->_getTokenAttributes($req) +-}; ++my $data = ++ $class->Lemonldap::NG::Handler::Main::retrieveSession( $req, $id ); ++if ( ref($data) eq "HASH" ) { ++$data = { %{$data}, $class->_getTokenAttributes($req) }; + +-# Update cache +-$class->data($data); ++# Update cache ++$class->data($data); ++} ++else { ++$req->data->{oauth2_error} = 'invalid_token'; ++} + return $data; + } + +@@ -87,6 +88,10 @@ + + # Get access token session + my $infos = $class->getOIDCInfos($access_token); ++unless ($infos) { ++$req->data->{oauth2_error} = 'invalid_token'; ++return; ++} + + # Store scope and rpid for future session attributes + if ( $infos->{rp} ) { +@@ -141,6 +146,20 @@ + unless ( $oidcSession->error ) { + $class->logger->debug("Get OIDC session $id"); + ++
Bug#991524: unblock: node-jszip/3.5.0+dfsg-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-jszip [ Reason ] node-jszip is vulnerable to a prototype pollution: crafting a new zip file with filenames set to Object prototype values (e.g __proto__, toString, etc) results in a returned object with a modified prototype instance. [ Impact ] Minor security issue. [ Tests ] Sadly, tests are not run for this package. [ Risks ] No risk, patch is trivial. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-jszip/3.5.0+dfsg-2 diff --git a/debian/changelog b/debian/changelog index 7994aaf..bbfd736 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-jszip (3.5.0+dfsg-2) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Fix a null prototype object for this.files (Closes: CVE-2021-23413) + + -- Yadd Mon, 26 Jul 2021 21:54:02 +0200 + node-jszip (3.5.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23413.patch b/debian/patches/CVE-2021-23413.patch new file mode 100644 index 000..7f3e672 --- /dev/null +++ b/debian/patches/CVE-2021-23413.patch 
@@ -0,0 +1,43 @@ +Description: fix: Use a null prototype object for this.files +Author: Michael Aquilina +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-07-26 + +--- a/lib/index.js b/lib/index.js +@@ -19,7 +19,10 @@ + // "folder/" : {...}, + // "folder/data.txt" : {...} + // } +-this.files = {}; ++// NOTE: we use a null prototype because we do not ++// want filenames like "toString" coming from a zip file ++// to overwrite methods and attributes in a normal Object. ++this.files = Object.create(null); + + this.comment = null; + +--- a/lib/object.js b/lib/object.js +@@ -179,16 +179,16 @@ + */ + forEach: function(cb) { + var filename, relativePath, file; ++/* jshint ignore:start */ ++// ignore warning about unwanted properties because this.files is a null prototype object + for (filename in this.files) { +-if (!this.files.hasOwnProperty(filename)) { +-continue; +-} + file = this.files[filename]; + relativePath = filename.slice(this.root.length, filename.length); + if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root + cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn... + } + } ++/* jshint ignore:end */ + }, + + /** diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..b0d53b4 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-23413.patch diff --git a/debian/watch b/debian/watch index 46895cc..4525548 100644 --- a/debian/watch +++ b/debian/watch @@ -4,4 +4,4 @@ repacksuffix=+dfsg,\ repack,compression=xz,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-jszip-$1.tar.gz/ \ - https://github.com/Stuk/jszip/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/Stuk/jszip/tags .*/archive/.*/v?([\d\.]+).tar.gz
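Review bot: With `this.files = Object.create(null)` in lib/index.js, any remaining `this.files.hasOwnProperty(...)` call in the codebase now throws a TypeError, because a null-prototype object does not inherit that method; the patch removes the one in `forEach`, but the hunk cannot show whether other lookups in lib/object.js, or any place that builds a fresh `files` object (a clone or load path, if there is one), were adjusted, so a grep for `files.hasOwnProperty` and `files = {}` before accepting would be prudent. Iterating with `for...in` without the guard is correct for a null-prototype object, as the added jshint comment notes. The identical patch is attached again in the buster-pu request for node-jszip/3.1.4+dfsg-1+deb10u1 further down, where the same check applies.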
Bug#991524: unblock: node-jszip/3.5.0+dfsg-2
Le 26/07/2021 à 22:01, Yadd a écrit : > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package node-jszip > > [ Reason ] > node-jszip is vulnerable to a prototype pollution: rafting a new zip file > with filenames set to Object prototype values (e.g __proto__, toString, > etc) results in a returned object with a modified prototype instance. Ref: CVE-2021-23413
Bug#991632: buster-pu: package node-jszip/3.1.4+dfsg-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-jszip is vulnerable to a prototype pollution (CVE-2021-23413) [ Impact ] Medium security issue [ Tests ] Sadly no test for this package in Buster [ Risks ] Low risk: patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 365402c..3f1b365 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-jszip (3.1.4+dfsg-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix a null prototype object for this.files (Closes: CVE-2021-23413) + + -- Yadd Thu, 29 Jul 2021 13:03:23 +0200 + node-jszip (3.1.4+dfsg-1) unstable; urgency=low * Initial release (Closes: #875843) diff --git a/debian/patches/CVE-2021-23413.patch b/debian/patches/CVE-2021-23413.patch new file mode 100644 index 000..7f3e672 --- /dev/null +++ b/debian/patches/CVE-2021-23413.patch 
@@ -0,0 +1,43 @@ +Description: fix: Use a null prototype object for this.files +Author: Michael Aquilina +Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23413 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-07-26 + +--- a/lib/index.js b/lib/index.js +@@ -19,7 +19,10 @@ + // "folder/" : {...}, + // "folder/data.txt" : {...} + // } +-this.files = {}; ++// NOTE: we use a null prototype because we do not ++// want filenames like "toString" coming from a zip file ++// to overwrite methods and attributes in a normal Object. ++this.files = Object.create(null); + + this.comment = null; + +--- a/lib/object.js b/lib/object.js +@@ -179,16 +179,16 @@ + */ + forEach: function(cb) { + var filename, relativePath, file; ++/* jshint ignore:start */ ++// ignore warning about unwanted properties because this.files is a null prototype object + for (filename in this.files) { +-if (!this.files.hasOwnProperty(filename)) { +-continue; +-} + file = this.files[filename]; + relativePath = filename.slice(this.root.length, filename.length); + if (relativePath && filename.slice(0, this.root.length) === this.root) { // the file is in the current root + cb(relativePath, file); // TODO reverse the parameters ? need to be clean AND consistent with the filter search fn... + } + } ++/* jshint ignore:end */ + }, + + /** diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..b0d53b4 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-23413.patch
Bug#991661: unblock: node-superagent/6.1.0-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-superagent [ Reason ] node-superagent fails to rebuild because it checks if node-caniuse-lite is the latest available version (#991656). [ Impact ] FTBFS [ Tests ] Test passed (both build & autopkgtest) [ Risks ] No risk. Patch only avoid checking for last node-caniuse-lite/node-caniuse-db [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-superagent/6.1.0-4 diff --git a/debian/changelog b/debian/changelog index c548473..9195095 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +node-superagent (6.1.0-4) unstable; urgency=medium + + [ Yadd ] + * Fix GitHub tags regex + * Uploaders: replace Leo Iannacone by myself, thanks for your work! + + [ Pirate Praveen ] + * Drop browsers option in .lib.babelrc file (Closes: #991656) + + -- Yadd Thu, 29 Jul 2021 22:01:16 +0200 + node-superagent (6.1.0-3) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 032f1c5..9f6ccd3 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Section: javascript Testsuite: autopkgtest-pkg-nodejs Priority: optional Maintainer: Debian Javascript Maintainers -Uploaders: Leo Iannacone +Uploaders: Yadd Build-Depends: debhelper-compat (= 13) , dh-sequence-nodejs , node-babel7 diff --git a/debian/copyright b/debian/copyright index ac0162e..b6cf45a 100644 --- a/debian/copyright +++ b/debian/copyright @@ -22,7 +22,7 @@ License: Expat Files: debian/* Copyright: 2014 Leo Iannacone - 2019, Xavier Guimard + 2019, Yadd License: Expat Files: debian/tests/test_modules/append-field/* diff --git a/debian/patches/remove-browsers-option-in-babelrc.patch b/debian/patches/remove-browsers-option-in-babelrc.patch new file mode 100644 index 000..abed9ee --- /dev/null 
+++ b/debian/patches/remove-browsers-option-in-babelrc.patch @@ -0,0 +1,23 @@ +Description: Drop targets option to force .browserslistrc file +Author: Pirate Praveen +Bug-Debian: https://bugs.debian.org/991656 +Forwarded: not-needed +Reviewed-By: Yadd +Last-update: 2021-07-29 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991656 + +--- a/.lib.babelrc b/.lib.babelrc +@@ -1,11 +1,3 @@ + { +- "presets": [ +-["@babel/env", { +- "targets": { +-"node": "6.4.0", +-"browsers": [ "> 1%", "last 2 versions", "ie 9" ] +- } +-}] +- ], + "sourceMaps": "inline" + } diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..afa1432 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +remove-browsers-option-in-babelrc.patch diff --git a/debian/watch b/debian/watch index 24bcf2b..07e16a3 100644 --- a/debian/watch +++ b/debian/watch @@ -2,7 +2,7 @@ version=4 opts=\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-superagent-$1.tar.gz/ \ - https://github.com/visionmedia/superagent/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/visionmedia/superagent/tags .*/archive/.*/v?([\d\.]+).tar.gz # It is not recommended use npmregistry. Please investigate more. # Take a look at https://wiki.debian.org/debian/watch/
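Review bot: The DEP-3 header of the new patch carries `Bug-Debian:` twice, once as `https://bugs.debian.org/991656` and once in the `cgi-bin/bugreport.cgi?bug=991656` form, and spells the field `Last-update` where the other patches on this page use `Last-Update`; dropping the second Bug-Debian line and fixing the case keeps the header consistent for tooling. Removing the whole `presets` entry also drops the `"node": "6.4.0"` target, not only the `browsers` list, so the lib build now follows whatever `.browserslistrc` or preset-env defaults apply; if that is intended, the Description could say so, e.g. `Description: Drop preset-env targets (node 6.4.0 and browsers) so .browserslistrc is used`.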
Bug#991672: unblock: twitter-bootstrap4/4.5.2+dfsg1-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package twitter-bootstrap4 [ Reason ] twitter-bootstrap4 fails to rebuild because it checks if node-caniuse-lite is the latest available version (#991651). [ Impact ] FTBFS [ Tests ] Sadly no tests for this package [ Risks ] No risk, patch only avoid checking for last node-caniuse-lite/node-caniuse-db [ Checklist ] [*] all changes are documented in the d/changelog [*] I reviewed all changes and I approve them [*] attach debdiff against the package in testing [ Other info ] I had to update install in debian/rules to fix autopkgtest Cheers, Yadd unblock twitter-bootstrap4/4.5.2+dfsg1-7 diff --git a/debian/changelog b/debian/changelog index 501299938..a563bd262 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +twitter-bootstrap4 (4.5.2+dfsg1-7) unstable; urgency=medium + + [ Pirate Praveen ] + * Don't check for caniuse-lite updates during build (Closes: #991651) + + [ Yadd ] + * Fix install after previous change + + -- Yadd Fri, 30 Jul 2021 06:53:34 +0200 + twitter-bootstrap4 (4.5.2+dfsg1-6) unstable; urgency=medium * Duplicate symlink_to_dir command for stable update (Closes: #980546) diff --git a/debian/control b/debian/control index f8765c886..a2e170190 100644 --- a/debian/control +++ b/debian/control @@ -2,7 +2,7 @@ Source: twitter-bootstrap4 Section: javascript Priority: optional Maintainer: Debian Javascript Maintainers -Uploaders: Xavier Guimard +Uploaders: Yadd Build-Depends: debhelper-compat (= 13) , libjs-popper.js (>= 1.14.6+ds2-2) , node-autoprefixer diff --git a/debian/patches/dont-check-for-caniuse-lite-update.patch b/debian/patches/dont-check-for-caniuse-lite-update.patch new file mode 100644 index 0..d55b8c512 --- /dev/null +++ b/debian/patches/dont-check-for-caniuse-lite-update.patch 
@@ -0,0 +1,19 @@ +Description: don't check for node-canuise-lite update +Author: Pirate Praveen +Bug-Debian: https://bugs.debian.org/991651 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-07-30 + +--- a/.babelrc.js b/.babelrc.js +@@ -5,7 +5,8 @@ + { + loose: true, + bugfixes: true, +-modules: false ++modules: false, ++ignoreBrowserslistConfig: true + } + ] + ], diff --git a/debian/patches/series b/debian/patches/series index bed7775c4..65a68097b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ do-not-update-copyright-year.diff +dont-check-for-caniuse-lite-update.patch diff --git a/debian/rules b/debian/rules index 581336c9c..7cdd8537a 100755 --- a/debian/rules +++ b/debian/rules @@ -1,5 +1,7 @@ #!/usr/bin/make -f +export BROWSERSLIST_IGNORE_OLD_DATA=1 + %: dh $@ @@ -9,6 +11,7 @@ override_dh_auto_build: sassc --sourcemap=auto scss/bootstrap-grid.scss dist/tmp/bootstrap-grid.css sassc --sourcemap=auto scss/bootstrap-reboot.scss dist/tmp/bootstrap-reboot.css node debian/postcss.js + cp -v dist/tmp/*.css dist/css/ sassc --sourcemap=auto --style compressed dist/tmp/bootstrap.css dist/css/bootstrap.min.css sassc --sourcemap=auto --style compressed dist/tmp/bootstrap-grid.css dist/css/bootstrap-grid.min.css sassc --sourcemap=auto --style compressed dist/tmp/bootstrap-reboot.css dist/css/bootstrap-reboot.min.css
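Review bot: `ignoreBrowserslistConfig: true` makes @babel/preset-env disregard the project's browserslist configuration entirely, so the generated JS is transpiled for preset-env's default targets rather than the browser set Bootstrap declares; that is a broader change than the patch name suggests, and a sentence in the Description recording the trade-off would help, alongside fixing the typo `node-canuise-lite` there. The `export BROWSERSLIST_IGNORE_OLD_DATA=1` added to debian/rules in the same debdiff presumably covers the other browserslist consumer, autoprefixer run from `node debian/postcss.js`, so the two changes look complementary rather than redundant; a short comment next to the export naming the tool it silences would make that explicit.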
Bug#991733: unblock: node-browserslist/4.16.3+~cs5.4.72-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-browserslist [ Reason ] FTBFS due to STDERR warning [ Impact ] Fixes autopkgtest [ Tests ] autopkgtest fixed by this patch [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-browserslist/4.16.3+~cs5.4.72-3 diff --git a/debian/changelog b/debian/changelog index f53ddc3..cd122a7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-browserslist (4.16.3+~cs5.4.72-3) unstable; urgency=medium + + * Team upload + * Add "allow-stderr" to autopkgtest + + -- Yadd Sat, 31 Jul 2021 12:27:44 +0200 + node-browserslist (4.16.3+~cs5.4.72-2) unstable; urgency=medium * Team upload diff --git a/debian/tests/control b/debian/tests/control index 7fa009c..ec2ee3a 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -1,8 +1,9 @@ Test-Command: browserslist Depends: @ Features: test-name=binary-test +Restrictions: allow-stderr Test-Command: node debian/tests/CVE-2021-23364.js Depends: @ Features: test-name=CVE-2021-23364 -Restrictions: superficial +Restrictions: superficial, allow-stderr
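Review bot: `Restrictions: allow-stderr` is now set on both tests, which stops any future stderr output, not only the warning that triggered this upload (presumably the browserslist old-data warning the neighbouring requests mention), from failing the test. A comment line above the restriction recording the reason, e.g. `# allow-stderr: the CLI warns on stderr when caniuse-lite is older than its data`, would let a later maintainer know when it can be dropped. The same applies to the node-caniuse-api and node-esquery unblock requests further down on this page.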
Bug#991734: unblock: node-caniuse-api/3.0.0-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-caniuse-api [ Reason ] FTBFS due to STDERR warning [ Impact ] autopkgtest fails [ Tests ] Fixed [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-caniuse-api/3.0.0-3 diff --git a/debian/changelog b/debian/changelog index 5661f1f..24df880 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-caniuse-api (3.0.0-3) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Allow stderr in autopkgtest + + -- Yadd Sat, 31 Jul 2021 12:39:34 +0200 + node-caniuse-api (3.0.0-2) unstable; urgency=medium * Build with Babel 7 diff --git a/debian/tests/autopkgtest-pkg-nodejs.conf b/debian/tests/autopkgtest-pkg-nodejs.conf new file mode 100644 index 000..f7694bb --- /dev/null +++ b/debian/tests/autopkgtest-pkg-nodejs.conf @@ -0,0 +1 @@ +extra_restrictions=allow-stderr diff --git a/debian/watch b/debian/watch index e878e7a..0b7b347 100644 --- a/debian/watch +++ b/debian/watch @@ -2,4 +2,4 @@ version=3 opts=\ dversionmangle=s/\+(debian|dfsg|ds|deb)(\.\d+)?$//,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-caniuse-api-$1.tar.gz/ \ - https://github.com/nyalab/caniuse-api/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/nyalab/caniuse-api/tags .*/archive/.*/v?([\d\.]+).tar.gz
Bug#991735: unblock: node-esquery/1.3.1~ds-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-esquery [ Reason ] FTBFS due to STDERR warning [ Impact ] FTBFS [ Tests ] Fixed [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-esquery/1.3.1~ds-4 diff --git a/debian/changelog b/debian/changelog index 8ef57fa..e291d89 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-esquery (1.3.1~ds-4) unstable; urgency=medium + + * Team upload + * Allow STDERR in autopkgtest + + -- Yadd Sat, 31 Jul 2021 12:46:10 +0200 + node-esquery (1.3.1~ds-3) unstable; urgency=medium * fix have autopkgtest depend on nodejs diff --git a/debian/tests/control b/debian/tests/control index dbf0d2d..05a9604 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -12,3 +12,4 @@ Depends: node-babel-register (>= 7), node-chai, node-esquery, +Restrictions: allow-stderr
Bug#991737: unblock: node-url-parse/1.5.3-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-url-parse [ Reason ] node-url-parse 1.5.1 is vulnerable to URL redirection to untrusted sites. [ Impact ] Medium security issue [ Tests ] Test passed (both build & autopkgtest) [ Risks ] Low risk: node-url-parse is a reverse dependency of: * node-miragejs (Build only) * node-original * node-eventsource I tested rebuild & autopkgtest with success: rebuild node-miragejs ... PASS autopkgtest node-original ... PASS rebuild node-original ... PASS [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] I prefered to update node-url-parse instead of backporting changes since all changes are related to this vulnerabilities (including test updates) You will find 2 debdiff: * full debdiff * relevant debdiff (only index.js changes) Cheers, Yadd unblock node-url-parse/1.5.3-1 diff --git a/index.js b/index.js index 72b27c0..c6052d5 100644 --- a/index.js +++ b/index.js @@ -2,8 +2,9 @@ var required = require('requires-port') , qs = require('querystringify') - , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:[\\/]+/ - , protocolre = /^([a-z][a-z0-9.+-]*:)?([\\/]{1,})?([\S\s]*)/i + , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\// + , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\\/]+)?([\S\s]*)/i + , windowsDriveLetter = /^[a-zA-Z]:/ , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]' , left = new RegExp('^'+ whitespace +'+'); 
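Review bot: The rewritten `slashes` regex keeps the character class `[A-Za-z0-9+-.]`, in which `+-.` is a range from `+` to `.` and therefore also admits `,`; since the line is being replaced anyway, `[A-Za-z0-9+.-]` (hyphen last, as `protocolre` on the next line already writes it) states the intended scheme characters. The new `windowsDriveLetter` regex is declared here but not used in any hunk visible in this debdiff; if it is referenced further down in index.js that is fine, otherwise it is dead code.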
@@ -32,8 +33,8 @@ function trimLeft(str) { var rules = [ ['#', 'hash'],// Extract from the back. ['?', 'query'], // Extract from the back. - function sanitize(address) { // Sanitize what is left of the address -return address.replace('\\', '/'); + function sanitize(address, url) { // Sanitize what is left of the address +return isSpecial(url.protocol) ? address.replace(/\\/g, '/') : address; }, ['/', 'pathname'],// Extract from the back. ['@', 'auth', 1], // Extract from the front. @@ -98,6 +99,24 @@ function lolcation(loc) { return finaldestination; } +/** + * Check whether a protocol scheme is special. + * + * @param {String} The protocol scheme of the URL + * @return {Boolean} `true` if the protocol scheme is special, else `false` + * @private + */ +function isSpecial(scheme) { + return ( +scheme === 'file:' || +scheme === 'ftp:' || +scheme === 'http:' || +scheme === 'https:' || +scheme === 'ws:' || +scheme === 'wss:' + ); +} + /** * @typedef ProtocolExtract * @type Object 
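Review bot: The JSDoc on the new `isSpecial` helper omits the parameter name, so documentation tooling cannot bind the description to the argument; it should read `@param {String} scheme The protocol scheme of the URL`. The comparisons are case-sensitive and therefore rely on every caller passing an already lower-cased scheme; `extractProtocol` in the following hunk appears to lower-case `match[1]`, but `sanitize` compares `url.protocol` directly, so a one-line comment such as `// expects a lower-cased scheme, as produced by extractProtocol` would make that contract explicit. Note also that `sanitize` now reads `url.protocol`, which means the loop that invokes the rule functions has to pass the URL instance as a second argument; that call site lies outside this hunk.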
@@ -110,20 +129,56 @@ function lolcation(loc) { * Extract protocol information from a URL with/without double slash ("//"). * * @param {String} address URL we want to extract from. + * @param {Object} location * @return {ProtocolExtract} Extracted information. * @private */ -function extractProtocol(address) { +function extractProtocol(address, location) { address = trimLeft(address); + location = location || {}; + + var match = protocolre.exec(address); + var protocol = match[1] ? match[1].toLowerCase() : ''; + var forwardSlashes = !!match[2]; + var otherSlashes = !!match[3]; + var slashesCount = 0; + var rest; + + if (forwardSlashes) { +if (otherSlashes) { + rest = match[2] + match[3] + match[4]; + slashesCount = match[2].length + match[3].length; +} else { + rest = match[2] + match[4]; + slashesCount = match[2].length; +} + } else { +if (otherSlashes) { + rest = match[3] + match[4]; + slashesCount = match[3].length; +} else { + rest = match[4] +} + } - var match = protocolre.exec(address) -, protocol = match[1] ? match[1].toLowerCase() : '' -, slashes = !!(match[2] && match[2].length >= 2) -, rest = match[2] && match[2].length === 1 ? '/' + match[3] : match[3]; + if (protocol === 'file:') { +if (slashesCount >= 2) { + rest = rest.slice(2); +} + } else if (isSpecial(protocol)) { +rest = match[4]; + } else if (protocol) { +if (forwardSlashes) { + rest = rest.slice(2); +} + } else if (slashesCount >= 2 && isSpecial(location.protocol)) { +rest = match[4]; + } return { protocol: protocol, -slashes: slashes, +slashes: forwardSlashes || isSpecial(protocol), +slashesCount: slashes
Bug#991737: unblock: node-url-parse/1.5.3-1
Le 31/07/2021 à 13:25, Yadd a écrit : > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > > Please unblock package node-url-parse > > [ Reason ] > node-url-parse 1.5.1 is vulnerable to URL redirection to untrusted > sites. > > [ Impact ] > Medium security issue > > [ Tests ] > Test passed (both build & autopkgtest) > > [ Risks ] > Low risk: node-url-parse is a reverse dependency of: > * node-miragejs (Build only) > * node-original > * node-eventsource > > I tested rebuild & autopkgtest with success: > rebuild node-miragejs ... PASS > autopkgtest node-original ... PASS > rebuild node-original ... PASS > > [ Checklist ] > [X] all changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in testing > > [ Other info ] > I preferred to update node-url-parse instead of backporting changes since > all changes are related to this vulnerability (including test updates) References: * commits list: https://github.com/unshiftio/url-parse/commits/master * 1.5.2 changes: - Sanitize only special URLs (#209) https://github.com/unshiftio/url-parse/pull/209 * 1.5.3 changes: - Fix host parsing for file URLs (#210) https://github.com/unshiftio/url-parse/commit/c7984617 1.5.3 changes are based on 1.5.2 changes, that's why I can't backport only the security fix. Cheers, Yadd
Bug#991974: unblock: twitter-bootstrap4/4.5.2+dfsg1-8
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: 991...@bugs.debian.org Please unblock package twitter-bootstrap4 [ Reason ] 4.5.2+dfsg1-7 changes missed some .map files (scss-to-css). This version reinstall them (RC bug #991939). [ Impact ] Nothing [ Tests ] No changes [ Risks ] No risks [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock twitter-bootstrap4/4.5.2+dfsg1-8 diff --git a/debian/changelog b/debian/changelog index a563bd262..679b41db1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +twitter-bootstrap4 (4.5.2+dfsg1-8) unstable; urgency=medium + + * Add missing .map files (Closes: #991939) + + -- Yadd Sat, 07 Aug 2021 07:07:47 +0200 + twitter-bootstrap4 (4.5.2+dfsg1-7) unstable; urgency=medium [ Pirate Praveen ] diff --git a/debian/rules b/debian/rules index 7cdd8537a..287468842 100755 --- a/debian/rules +++ b/debian/rules @@ -12,6 +12,7 @@ override_dh_auto_build: sassc --sourcemap=auto scss/bootstrap-reboot.scss dist/tmp/bootstrap-reboot.css node debian/postcss.js cp -v dist/tmp/*.css dist/css/ + cp -v dist/tmp/*.css.map dist/css/ sassc --sourcemap=auto --style compressed dist/tmp/bootstrap.css dist/css/bootstrap.min.css sassc --sourcemap=auto --style compressed dist/tmp/bootstrap-grid.css dist/css/bootstrap-grid.min.css sassc --sourcemap=auto --style compressed dist/tmp/bootstrap-reboot.css dist/css/bootstrap-reboot.min.css
Bug#991975: unblock: node-setimmediate/1.0.5-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: 969...@bugs.debian.org Please unblock package node-setimmediate [ Reason ] node-setimmediate is RC-buggy (#969611): * broken symlinks in node-setimmediate documentation * unexistent suggested dependencies [ Impact ] Missing JS in HTML doc files [ Tests ] No changes [ Risks ] No risk, this just fixes links and dependencies [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-setimmediate/1.0.5-6 diff --git a/debian/changelog b/debian/changelog index a7a5a3c..20055db 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-setimmediate (1.0.5-6) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Replace libjs-mocha by mocha in suggested dependencies and fix related doc +links (Closes: #969611) + + -- Yadd Sat, 07 Aug 2021 07:28:56 +0200 + node-setimmediate (1.0.5-5) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index c4531de..5f56b26 100644 --- a/debian/control +++ b/debian/control @@ -18,8 +18,8 @@ Package: node-setimmediate Architecture: all Depends: ${misc:Depends}, nodejs -Suggests: libjs-mocha (>= 3), - libjs-chai +Suggests: mocha (>= 3), + chai Description: shim for the setImmediate efficient script yielding API setImmediate.js is a highly cross-browser implementation of the setImmediate and clearImmediate APIs, proposed by Microsoft to diff --git a/debian/rules b/debian/rules index e1a396c..4e0335f 100755 --- a/debian/rules +++ b/debian/rules 
@@ -10,10 +10,10 @@ override_dh_auto_build: ifeq (,$(filter nodoc,$(DEB_BUILD_OPTIONS) $(DEB_BUILD_PROFILES))) # add compat link - ln -s /usr/share/javascript/mocha/mocha.css test/browserOnly/mocha.css - ln -s /usr/share/javascript/mocha/mocha.js test/browserOnly/mocha.js - ln -s /usr/share/javascript/chai/chai.js test/browserOnly/chai.js - ln -s ../../setImmediate.js test/browserOnly/setImmediate.js + ln -s /usr/share/nodejs/mocha/mocha.css test/browserOnly/mocha.css + ln -s /usr/share/nodejs/mocha/lib/mocha.js test/browserOnly/mocha.js + ln -s /usr/share/nodejs/chai/lib/chai.js test/browserOnly/chai.js + ln -s /usr/share/nodejs/setimmediate/setImmediate.js test/browserOnly/setImmediate.js else @echo '**' @echo 'Skip building doc ' diff --git a/debian/watch b/debian/watch index 5aba20b..0cd85da 100644 --- a/debian/watch +++ b/debian/watch @@ -2,5 +2,5 @@ version=3 opts=\ dversionmangle=s/\+(debian|dfsg|ds|deb)(\.\d+)?$//,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-setimmediate-$1.tar.gz/ \ - https://github.com/YuzuJS/setImmediate/tags .*/archive/v?([\d\.]+).tar.gz + https://github.com/YuzuJS/setImmediate/tags .*/archive/.*/v?([\d\.]+).tar.gz
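Review bot: The four rewritten `ln -s` lines in override_dh_auto_build are not idempotent: if `test/browserOnly/mocha.css` and the other link names already exist (a rebuild of an uncleaned tree, or links left behind by a previous build), `ln -s` exits non-zero and the build fails, whereas `ln -sf` would overwrite them, or the links could be removed in an override_dh_auto_clean. The new targets are absolute paths under /usr/share/nodejs, so the links are dangling at build time and resolve only once mocha, chai and node-setimmediate itself are installed; this looks intentional given the Suggests change in debian/control, but deserves a comment in the rule, e.g. `# links resolve at runtime only, against the installed mocha/chai/node-setimmediate`. The `ifeq`/`else` block's closing `endif` lies outside the hunk.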
Bug#992114: bullseye-pu: package node-tar/6.0.5+ds1+~cs11.3.9-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-tar is vulnerable to 2 CVE: * #992110, CVE-2021-32803: arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection * #992111, CVE-2021-32804: arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization [ Impact ] 2 medium vulnerabilities [ Tests ] Test updated (not fully launched because it needs a newer node-tap) [ Risks ] Low risk: test passed and upstream patch applied with minor changes [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Add new checks Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index f8f5426..e16bf2f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +node-tar (6.0.5+ds1+~cs11.3.9-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Remove paths from dirCache when no longer dirs +(Closes: #992110, CVE-2021-32803) + * Strip absolute paths more comprehensively +(Closes: #992111, CVE-2021-32804) + + -- Yadd Wed, 11 Aug 2021 21:50:15 +0200 + node-tar (6.0.5+ds1+~cs11.3.9-1) unstable; urgency=medium [ Xavier Guimard ] diff --git a/debian/patches/CVE-2021-32803.patch b/debian/patches/CVE-2021-32803.patch new file mode 100644 index 000..5328879 --- /dev/null +++ b/debian/patches/CVE-2021-32803.patch 
@@ -0,0 +1,106 @@ +Description: Remove paths from dirCache when no longer dirs +Author: isaacs +Origin: upstream, https://github.com/npm/node-tar/commit/9dbdeb6 +Bug: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw +Bug-Debian: https://bugs.debian.org/992110 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-08-11 + +--- a/lib/unpack.js b/lib/unpack.js +@@ -461,6 +461,19 @@ + this.reservations.reserve(paths, done => this[CHECKFS2](entry, done)) + } + [CHECKFS2] (entry, done) { ++// if we are not creating a directory, and the path is in the dirCache, ++// then that means we are about to delete the directory we created ++// previously, and it is no longer going to be a directory, and neither ++// is any of its children. ++if (entry.type !== 'Directory') { ++ for (const path of this.dirCache.keys()) { ++if (path === entry.absolute || ++path.indexOf(entry.absolute + '/') === 0 || ++path.indexOf(entry.absolute + '\\') === 0) ++ this.dirCache.delete(path) ++ } ++} ++ + this[MKDIR](path.dirname(entry.absolute), this.dmode, er => { + if (er) { + done() +@@ -528,6 +541,15 @@ + } + + [CHECKFS] (entry) { ++if (entry.type !== 'Directory') { ++ for (const path of this.dirCache.keys()) { ++if (path === entry.absolute || ++path.indexOf(entry.absolute + '/') === 0 || ++path.indexOf(entry.absolute + '\\') === 0) ++ this.dirCache.delete(path) ++ } ++} ++ + const er = this[MKDIR](path.dirname(entry.absolute), this.dmode, neverCalled) + if (er) + return this[ONERROR](er, entry) +--- a/test/unpack.js b/test/unpack.js +@@ -2577,3 +2577,56 @@ + cwd: dir + '/sync', strict: true, + }).end(data), poop, 'sync') + }) ++ ++t.test('drop entry from dirCache if no longer a directory', t => { ++ const dir = path.resolve(unpackdir, 'dir-cache-error') ++ mkdirp.sync(dir + '/sync/y') ++ mkdirp.sync(dir + '/async/y') ++ const data = makeTar([ ++{ ++ path: 'x', ++ type: 'Directory', ++}, ++{ ++ path: 'x', ++ type: 'SymbolicLink', ++ linkpath: './y', ++}, ++{ ++ path: 
'x/ginkoid', ++ type: 'File', ++ size: 'ginkoid'.length, ++}, ++'ginkoid', ++'', ++'', ++ ]) ++ t.plan(2) ++ const WARNINGS = {} ++ const check = (t, path) => { ++t.equal(fs.statSync(path + '/x').isDirectory(), true) ++t.equal(fs.lstatSync(path + '/x').isSymbolicLink(), true) ++t.equal(fs.statSync(path + '/y').isDirectory(), true) ++t.strictSame(fs.readdirSync(path + '/y'), []) ++t.throws(() => fs.readFileSync(path + '/x/ginkoid'), { code: 'ENOENT' }) ++t.strictSame(WARNINGS[path], [ ++ 'TAR_ENTRY_ERROR', ++ 'Cannot extract through symbolic link', ++]) ++t.end() ++ } ++ t.test('async', t => { ++const path = dir + '/async' ++new Unpack({ cwd: path }) ++ .on('warn', (code, msg) => WARNINGS[path] = [code,
Bug#992117: buster-pu: package node-tar/4.4.6+ds1-3+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-tar is vulnerable to 2 CVE: * #992110, CVE-2021-32803: arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection * #992111, CVE-2021-32804: arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization [ Impact ] 2 medium vulnerabilities [ Tests ] Test not launched in Buster [ Risks ] Low risk: test passed and upstream patch applied with minor changes [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Add new checks Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 83bacd9..8b3a42d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +node-tar (4.4.6+ds1-3+deb10u1) buster; urgency=medium + + * Team upload + * Remove paths from dirCache when no longer dirs +(Closes: #992110, CVE-2021-32803) + * Strip absolute paths more comprehensively +(Closes: #992111, CVE-2021-32804) + + -- Yadd Thu, 12 Aug 2021 00:06:36 +0200 + node-tar (4.4.6+ds1-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-32803.patch b/debian/patches/CVE-2021-32803.patch new file mode 100644 index 000..44e29a4 --- /dev/null +++ b/debian/patches/CVE-2021-32803.patch 
@@ -0,0 +1,106 @@ +Description: Remove paths from dirCache when no longer dirs +Author: isaacs +Origin: upstream, https://github.com/npm/node-tar/commit/46fe3508 +Bug: https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw +Bug-Debian: https://bugs.debian.org/992110 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-08-11 + +--- a/lib/unpack.js b/lib/unpack.js +@@ -407,6 +407,20 @@ + // check if a thing is there, and if so, try to clobber it + [CHECKFS] (entry) { + this[PEND]() ++ ++// if we are not creating a directory, and the path is in the dirCache, ++// then that means we are about to delete the directory we created ++// previously, and it is no longer going to be a directory, and neither ++// is any of its children. ++if (entry.type !== 'Directory') { ++ for (const path of this.dirCache.keys()) { ++if (path === entry.absolute || ++path.indexOf(entry.absolute + '/') === 0 || ++path.indexOf(entry.absolute + '\\') === 0) ++ this.dirCache.delete(path) ++ } ++} ++ + this[MKDIR](path.dirname(entry.absolute), this.dmode, er => { + if (er) + return this[ONERROR](er, entry) +@@ -468,6 +482,15 @@ + } + + [CHECKFS] (entry) { ++if (entry.type !== 'Directory') { ++ for (const path of this.dirCache.keys()) { ++if (path === entry.absolute || ++path.indexOf(entry.absolute + '/') === 0 || ++path.indexOf(entry.absolute + '\\') === 0) ++ this.dirCache.delete(path) ++ } ++} ++ + const er = this[MKDIR](path.dirname(entry.absolute), this.dmode) + if (er) + return this[ONERROR](er, entry) +--- a/test/unpack.js b/test/unpack.js +@@ -2417,3 +2417,55 @@ + + t.end() + }) ++ ++t.test('drop entry from dirCache if no longer a directory', t => { ++ const dir = path.resolve(unpackdir, 'dir-cache-error') ++ mkdirp.sync(dir + '/sync/y') ++ mkdirp.sync(dir + '/async/y') ++ const data = makeTar([ ++{ ++ path: 'x', ++ type: 'Directory', ++}, ++{ ++ path: 'x', ++ type: 'SymbolicLink', ++ linkpath: './y', ++}, ++{ ++ path: 'x/ginkoid', ++ type: 'File', ++ size: 
'ginkoid'.length, ++}, ++'ginkoid', ++'', ++'', ++ ]) ++ t.plan(2) ++ const WARNINGS = {} ++ const check = (t, path) => { ++t.equal(fs.statSync(path + '/x').isDirectory(), true) ++t.equal(fs.lstatSync(path + '/x').isSymbolicLink(), true) ++t.equal(fs.statSync(path + '/y').isDirectory(), true) ++t.strictSame(fs.readdirSync(path + '/y'), []) ++t.throws(() => fs.readFileSync(path + '/x/ginkoid'), { code: 'ENOENT' }) ++t.strictSame(WARNINGS[path], [ ++ 'Cannot extract through symbolic link', ++]) ++t.end() ++ } ++ t.test('async', t => { ++const path = dir + '/async' ++new Unpack({ cwd: path }) ++ .on('warn', (msg) => WARNINGS[path] = [msg]) ++ .on('end', () => check(t, path)) ++ .end(data) ++ }) ++ t.test('sync', t => { ++const path = dir + '/sync' ++new UnpackSync({
Bug#992843: bullseye-pu: package apr/1.7.0-6+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. [ Impact ] Medium vulnerability [ Tests ] No change in test (test launched only during build, no autopkgtest here) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] This patch just adds some little checks (a month should not be outside of [1-12] Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 2331e3e..355b51a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +apr (1.7.0-6+deb11u1) bullseye; urgency=medium + + * Team upload + + [ Salvatore Bonaccorso ] + * Out-of-bounds array dereference in apr_time_exp*() functions +(CVE-2021-35940) (Closes: #992789) + + -- Yadd Tue, 24 Aug 2021 09:18:26 +0200 + apr (1.7.0-6) unstable; urgency=medium [ John Paul Adrian Glaubitz ] diff --git a/debian/patches/CVE-2021-35940.patch b/debian/patches/CVE-2021-35940.patch new file mode 100644 index 000..6f215fc --- /dev/null +++ b/debian/patches/CVE-2021-35940.patch 
@@ -0,0 +1,47 @@ +Description: SECURITY: CVE-2021-35940 (cve.mitre.org) + Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though + was addressed in 1.6.x in 1.6.3 and later via r1807976. + . + The fix was merged back to 1.7.x in r1891198. + . + Since this was a regression in 1.7.0, a new CVE name has been assigned + to track this, CVE-2021-35940. +Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1891198 +Bug-Debian: https://bugs.debian.org/992789 +Forwarded: not-needed +Last-Update: 2021-08-20 + +--- a/time/unix/time.c b/time/unix/time.c +@@ -142,6 +142,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) +--- a/time/win32/time.c b/time/win32/time.c +@@ -54,6 +54,9 @@ static void SystemTimeToAprExpTime(apr_t + static const int dayoffset[12] = + {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334}; + ++if (tm->wMonth < 1 || tm->wMonth > 12) ++return APR_EBADDATE; ++ + /* Note; the caller is responsible for filling in detailed tm_usec, + * tm_gmtoff and tm_isdst data when applicable. + */ +@@ -228,6 +231,9 @@ APR_DECLARE(apr_status_t) apr_time_exp_g + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) diff --git a/debian/patches/series b/debian/patches/series index 6d8be19..4003573 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -12,3 +12,4 @@ use_fcntl_locking.patch cross.patch python3-hashbang.patch generic-64bit-atomics.patch +CVE-2021-35940.patch
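Review bot: The guard added in time/win32/time.c does `return APR_EBADDATE;` inside SystemTimeToAprExpTime, which the hunk header shows as `static void SystemTimeToAprExpTime(apr_t...`; a return statement with an expression is a constraint violation in a void function, so unless that signature is changed to `apr_status_t` elsewhere (not in this patch) and its callers propagate the status, the Windows build would not compile. This has no effect on the Debian build, which presumably compiles only time/unix/time.c, but the patch as written is not what it claims to restore for the win32 path. The two unix guards, `if (xt->tm_mon < 0 || xt->tm_mon >= 12) return APR_EBADDATE;`, are placed before `dayoffset[]` is indexed in both apr_time_exp_g* functions and look correct; a short comment such as `/* tm_mon indexes dayoffset[12]; reject out-of-range values before use */` would document why the check precedes the leap-year shift.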
Bug#993489: bullseye-pu: package cyrus-imapd/3.2.6-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] cyrus-imapd before 3.2.8 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16. [ Impact ] Medium vulnerability [ Tests ] The new cunit/strhash.testc passed. [ Risks ] Low risk, patch is easy to read [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] New string hashing algorithm and test. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index c8259297..bd11af8d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.2.6-2+deb11u1) bullseye; urgency=medium + + * Replace string hashing algorithm (Closes: #993433, CVE-2021-33582) + + -- Yadd Wed, 01 Sep 2021 07:58:38 +0200 + cyrus-imapd (3.2.6-2) unstable; urgency=medium * Update gbp.conf for Bullseye branch diff --git a/debian/control b/debian/control index 3a4556b0..9b31670e 100644 --- a/debian/control +++ b/debian/control @@ -3,7 +3,7 @@ Maintainer: Debian Cyrus Team Uploaders: Henrique de Moraes Holschuh , Ondřej Surý , Anthony Prades , - Xavier Guimard + Yadd Section: mail Priority: optional Build-Depends: bison, diff --git a/debian/patches/CVE-2021-33582.patch b/debian/patches/CVE-2021-33582.patch new file mode 100644 index ..af48b338 --- /dev/null +++ b/debian/patches/CVE-2021-33582.patch 
@@ -0,0 +1,632 @@ +Description: Fixed CVE-2021-33582 + Certain user inputs are used as hash table keys during processing. A + poorly chosen string hashing algorithm meant that the user could control + which bucket their data was stored in, allowing a malicious user to direct + many inputs to a single bucket. Each subsequent insertion to the same bucket + requires a strcmp of every other entry in it. At tens of thousands of + entries, each new insertion could keep the CPU busy in a strcmp loop for + minutes. + . + The string hashing algorithm has been replaced with a better one, and now + also uses a random seed per hash table, so malicious inputs cannot be + precomputed. + . + Discovered by Matthew Horsfall, Fastmail +Author: ellie timoney +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/compare/cyrus-imapd-3.2.7...cyrus-imapd-3.2.8 +Bug: https://security-tracker.debian.org/tracker/CVE-2021-33582 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-01 + +--- a/Makefile.am b/Makefile.am +@@ -677,6 +677,7 @@ + cunit/squat.testc \ + cunit/strarray.testc \ + cunit/strconcat.testc \ ++ cunit/strhash.testc \ + cunit/times.testc \ + cunit/tok.testc \ + cunit/vparse.testc +--- a/configure.ac b/configure.ac +@@ -191,7 +191,7 @@ + + AC_CHECK_HEADERS(unistd.h sys/select.h sys/param.h stdarg.h) + AC_REPLACE_FUNCS(memmove strcasecmp ftruncate strerror posix_fadvise strsep memmem memrchr) +-AC_CHECK_FUNCS(strlcat strlcpy strnchr getgrouplist fmemopen pselect futimens futimes) ++AC_CHECK_FUNCS(strlcat strlcpy strnchr getgrouplist fmemopen pselect futimens futimes getline) + AC_HEADER_DIRENT + + dnl check whether to use getpassphrase or getpass +--- a/cunit/hash.testc b/cunit/hash.testc +@@ -117,6 +117,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(0, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(0, hash_numrecords(&ht)); ++ + /* free the hash table */ + free_hash_table(&ht, NULL); + } +@@ -146,6 +149,9 @@ + hash_enumerate(&ht, 
count_cb, &count); + CU_ASSERT_EQUAL(1, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(1, hash_numrecords(&ht)); ++ + /* re-insert into the hash table */ + d = hash_insert(KEY0, VALUE1, &ht); + /* get the old value back */ +@@ -160,6 +166,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(1, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(1, hash_numrecords(&ht)); ++ + /* delete from the hash table */ + d = hash_del(KEY0, &ht); + CU_ASSERT_PTR_EQUAL(VALUE1, d); +@@ -173,6 +182,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(0, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(0, hash_numrecords(&ht)); ++ + /* free the hash table */ + free_hash_table(&ht, NULL); + } +@@ -239,6 +251,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(N, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(N, hash_numrecords(&ht)); ++ + /* delete from the hash t
Bug#993492: buster-pu: package cyrus-imapd/3.0.8-6+deb10u6
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] cyrus-imapd before 3.0.16 allows remote attackers to cause a denial of service (multiple-minute daemon hang) via input that is mishandled during hash-table interaction. Because there are many insertions into a single bucket, strcmp becomes slow. This is fixed in 3.4.2, 3.2.8, and 3.0.16. [ Impact ] Medium vulnerability [ Tests ] The new cunit/strhash.testc passed. [ Risks ] Low risk, patch is easy to read [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] New string hashing algorithm and test. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 240d1f4d..02f57603 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +cyrus-imapd (3.0.8-6+deb10u6) buster; urgency=medium + + * Replace string hashing algorithm (Closes: #993433, CVE-2021-33582) + + -- Yadd Thu, 02 Sep 2021 07:14:26 +0200 + cyrus-imapd (3.0.8-6+deb10u5) buster; urgency=medium * Fix cron script (Closes: #980240) diff --git a/debian/patches/CVE-2021-33582.patch b/debian/patches/CVE-2021-33582.patch new file mode 100644 index ..4d74118d --- /dev/null +++ b/debian/patches/CVE-2021-33582.patch 
@@ -0,0 +1,567 @@ +Description: Fixed CVE-2021-33582 + Certain user inputs are used as hash table keys during processing. A + poorly chosen string hashing algorithm meant that the user could control + which bucket their data was stored in, allowing a malicious user to direct + many inputs to a single bucket. Each subsequent insertion to the same bucket + requires a strcmp of every other entry in it. At tens of thousands of + entries, each new insertion could keep the CPU busy in a strcmp loop for + minutes. + . + The string hashing algorithm has been replaced with a better one, and now + also uses a random seed per hash table, so malicious inputs cannot be + precomputed. + . + Discovered by Matthew Horsfall, Fastmail +Author: ellie timoney +Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/compare/cyrus-imapd-3.2.7...cyrus-imapd-3.2.8 +Bug: https://security-tracker.debian.org/tracker/CVE-2021-33582 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-02 + +--- a/Makefile.am b/Makefile.am +@@ -651,6 +651,7 @@ + cunit/squat.testc \ + cunit/strarray.testc \ + cunit/strconcat.testc \ ++ cunit/strhash.testc \ + cunit/times.testc \ + cunit/tok.testc \ + cunit/vparse.testc +--- a/configure.ac b/configure.ac +@@ -180,7 +180,7 @@ + + AC_CHECK_HEADERS(unistd.h sys/select.h sys/param.h stdarg.h) + AC_REPLACE_FUNCS(memmove strcasecmp ftruncate strerror posix_fadvise strsep memmem) +-AC_CHECK_FUNCS(strlcat strlcpy strnchr getgrouplist fmemopen pselect) ++AC_CHECK_FUNCS(strlcat strlcpy strnchr getgrouplist fmemopen pselect getline) + AC_HEADER_DIRENT + + dnl check whether to use getpassphrase or getpass +--- a/cunit/hash.testc b/cunit/hash.testc +@@ -117,6 +117,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(0, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(0, hash_numrecords(&ht)); ++ + /* free the hash table */ + free_hash_table(&ht, NULL); + } +@@ -146,6 +149,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(1, 
count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(1, hash_numrecords(&ht)); ++ + /* re-insert into the hash table */ + d = hash_insert(KEY0, VALUE1, &ht); + /* get the old value back */ +@@ -160,6 +166,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(1, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(1, hash_numrecords(&ht)); ++ + /* delete from the hash table */ + d = hash_del(KEY0, &ht); + CU_ASSERT_PTR_EQUAL(VALUE1, d); +@@ -173,6 +182,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(0, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(0, hash_numrecords(&ht)); ++ + /* free the hash table */ + free_hash_table(&ht, NULL); + } +@@ -239,6 +251,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(N, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(N, hash_numrecords(&ht)); ++ + /* delete from the hash table */ + for (i = 0 ; i < N ; i++) { + d = hash_del(key(i), &ht); +@@ -256,6 +271,9 @@ + hash_enumerate(&ht, count_cb, &count); + CU_ASSERT_EQUAL(0, count); + ++/* check hash_numrecords */ ++CU_ASSERT_EQUAL(0, hash_numrecords(&ht)); ++ + /* free the hash table */ + freed_count = 0; + free_hash_table(&ht, lincoln); +@@ -286,6 +304,9 @@ + hash_e
Bug#993708: bullseye-pu: package node-axios/0.21.1+dfsg-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-axios is vulnerable to a Regex Denial of Service [ Impact ] Little vulnerability [ Tests ] Test passed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Regex update Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 17d3b55..5db1f2c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-axios (0.21.1+dfsg-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-3749) + + -- Yadd Sun, 05 Sep 2021 08:28:15 +0200 + node-axios (0.21.1+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3749.patch b/debian/patches/CVE-2021-3749.patch new file mode 100644 index 000..1c99a9b --- /dev/null +++ b/debian/patches/CVE-2021-3749.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: ready-research <72916209+ready-resea...@users.noreply.github.com> +Origin: upstream, https://github.com/axios/axios/commit/eef56014 +Bug: https://github.com/axios/axios/pull/3980 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-05 + +--- a/lib/utils.js b/lib/utils.js +@@ -187,7 +187,7 @@ + * @returns {String} The String freed of excess whitespace + */ + function trim(str) { +- return str.replace(/^\s*/, '').replace(/\s*$/, ''); ++return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, ''); + } + + /** diff --git a/debian/patches/series b/debian/patches/series index 7133bc2..84cf811 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ use-webpack3.patch use-webpack4.patch fix-bootstrap-path.diff adapt-example.diff +CVE-2021-3749.patch
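Review bot: The fallback branch in the `trim` hunk, `str.replace(/^\s+|\s+$/g, '')`, still backtracks quadratically when the input holds a long interior run of whitespace that is not at the end of the string, because `\s+$` is retried from every position of that run; the ReDoS is therefore only closed on engines where `String.prototype.trim` exists. `trim` is ES5 and present on every runtime node-axios targets, so the fallback is effectively dead code, but as written it silently keeps the vulnerable path alive. Either drop it (`return str.trim();`) or document the trade-off on the line: `// String.prototype.trim is ES5; the regex fallback below is kept only for ancient engines and is NOT ReDoS-safe (CVE-2021-3749).` The whole of `trim` is visible in the hunk.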
Bug#985488: unblock: pinball/0.3.20201218-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: r...@users.sf.net Please unblock package pinball [ Reason ] pinball has an RC bug (#985440): the development binary package depends on the obsolete libstdc++6-4.4-dev [ Impact ] Unusable for Bullseye [ Tests ] Upstream provided no test for this game [ Risks ] No risk, the change only updates the preferred libstdc++ dependency version (libstdc++-10-dev, with libstdc++-dev still accepted as an alternative) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock pinball/0.3.20201218-2
Bug#985488: unblock: pinball/0.3.20201218-2
diff --git a/debian/changelog b/debian/changelog index d89bef9..4d8dcd6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +pinball (0.3.20201218-2) unstable; urgency=medium + + * d/control: Update preferred libstdc++ version (Closes: #985440) + * d/control: Update standards to latest + + -- Philippe Coval Thu, 18 Mar 2021 12:06:12 +0100 + pinball (0.3.20201218-1) unstable; urgency=medium * New upstream release diff --git a/debian/control b/debian/control index cedb1ec..0f6bdf7 100644 --- a/debian/control +++ b/debian/control @@ -22,7 +22,7 @@ Build-Depends: debhelper-compat (= 13), libtool-bin, libltdl-dev, pkg-config -Standards-Version: 4.5.0 +Standards-Version: 4.5.1 Vcs-Browser: https://sourceforge.net/p/pinball/code/ci/master/tree/ Vcs-Git: https://git.code.sf.net/p/pinball/code.git Homepage: https://sourceforge.net/projects/pinball/ @@ -51,7 +51,7 @@ Architecture: any Depends: ${misc:Depends}, libc6-dev, pinball (= ${binary:Version}), - libstdc++6-4.4-dev | libstdc++-dev + libstdc++-10-dev | libstdc++-dev Description: Development files for the Emilia Pinball Emulator The Emilia Pinball Project is a pinball simulator for Linux and other Unix systems. There are only two levels to play with, but they are very addictive.
Bug#985488: New debdiff for pinball 0.3.20201218-3
Control: reopen -1 Control: tags -1 - moreinfo Control: retitle -1 unblock: pinball/0.3.20201218-3 Hi, Philippe added an autopkgtest to pinball. Since this game has no reverse dependencies (except its pinball tables [2]), I think it is not risky to unblock it. Debian Package Tracker[1] mentions a manual block by release team, that's why I'm reopening this issue. Cheers, Xavier [1]: tracker: https://tracker.debian.org/pkg/pinball [2]: rdeps: pinball-table-gnu, pinball-table-hurd recommended rdeps: games-arcade, games-finest, games-simulation unblock pinball/0.3.20201218-3 diff -Nru pinball-0.3.20201218/debian/changelog pinball-0.3.20201218/debian/changelog --- pinball-0.3.20201218/debian/changelog 2020-12-18 22:43:37.0 +0100 +++ pinball-0.3.20201218/debian/changelog 2021-03-20 22:33:28.0 +0100 @@ -1,3 +1,19 @@ +pinball (0.3.20201218-3) unstable; urgency=medium + + * Pick 0.3.20201218-2 changes on 0.3.20201218-1 base + * d/control: Drop C++ dep + * d/control: Set team maintenance + * d/tests: Add help test (Closes: #985488) + + -- Philippe Coval Sat, 20 Mar 2021 22:33:28 +0100 + +pinball (0.3.20201218-2) unstable; urgency=medium + + * d/control: Update preferred libstdc++ version (Closes: #985440) + * d/control: Update standards to latest + + -- Philippe Coval Thu, 18 Mar 2021 12:06:12 +0100 + pinball (0.3.20201218-1) unstable; urgency=medium * New upstream release diff -Nru pinball-0.3.20201218/debian/control pinball-0.3.20201218/debian/control --- pinball-0.3.20201218/debian/control 2020-12-18 22:43:37.0 +0100 +++ pinball-0.3.20201218/debian/control 2021-03-20 22:33:28.0 +0100 @@ -1,5 +1,7 @@ Source: pinball -Maintainer: Philippe Coval +Maintainer: Debian Games Team +Uploaders: + Philippe Coval Section: games Priority: optional Build-Depends: debhelper-compat (= 13), 
@@ -23,8 +25,8 @@ libltdl-dev, pkg-config Standards-Version: 4.5.0 -Vcs-Browser: https://sourceforge.net/p/pinball/code/ci/debian/master/tree/ -Vcs-Git: https://git.code.sf.net/p/pinball/code.git +Vcs-Browser: https://salsa.debian.org/games-team/pinball/-/tree/debian/master +Vcs-Git: https://salsa.debian.org/games-team/pinball.git Homepage: https://sourceforge.net/projects/pinball/ Rules-Requires-Root: binary-targets @@ -50,8 +52,7 @@ Architecture: any Depends: ${misc:Depends}, libc6-dev, - pinball (= ${binary:Version}), - libstdc++6-4.4-dev | libstdc++-dev + pinball (= ${binary:Version}) Description: Development files for the Emilia Pinball Emulator The Emilia Pinball Project is a pinball simulator for Linux and other Unix systems. There are only two levels to play with, but they are very addictive. diff -Nru pinball-0.3.20201218/debian/tests/control pinball-0.3.20201218/debian/tests/control --- pinball-0.3.20201218/debian/tests/control 1970-01-01 01:00:00.0 +0100 +++ pinball-0.3.20201218/debian/tests/control 2021-03-20 22:33:28.0 +0100 @@ -0,0 +1,3 @@ +Tests: smoke +Depends: @ +Restrictions: allow-stderr diff -Nru pinball-0.3.20201218/debian/tests/smoke pinball-0.3.20201218/debian/tests/smoke --- pinball-0.3.20201218/debian/tests/smoke 1970-01-01 01:00:00.0 +0100 +++ pinball-0.3.20201218/debian/tests/smoke 2021-03-20 22:33:28.0 +0100 @@ -0,0 +1,4 @@ +#!/bin/sh -e + +export HOME=${AUTOPKGTEST_TMP:-${TMPDIR:-/tmp}} +pinball -dir | grep '/usr/share/games/pinball'
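Review bot: In the `smoke` hunk, `pinball -dir | grep '/usr/share/games/pinball'` under `sh -e` reports only grep's exit status, so a crash or non-zero exit of `pinball` after it has printed the path still passes; POSIX `sh` has no `pipefail` to change that. Capture the output first so the binary's own status is checked by `-e`: `out=$(pinball -dir)` then `printf '%s\n' "$out" | grep '/usr/share/games/pinball'`. A short comment on what the test is meant to prove (`# pinball starts and reports its data directory`) would also help the next person who touches it.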
Bug#985943: buster-pu: package node-hosted-git-info/2.7.1-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org [ Reason ] node-hosted-git-info is vulnerable to RegExp Denial of Service [ Impact ] Medium security risk [ Tests ] Upstream test still pass with this patch [ Risks ] Trivial change [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] shortcutMatch regex is cut in two piece: - a more simple regexp - a distinc change to remove .git suffix Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index b4038a0..f8baeef 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-hosted-git-info (2.7.1-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix ReDoS risk (Closes: CVE-2021-23362) + + -- Yadd Fri, 26 Mar 2021 15:17:21 +0100 + node-hosted-git-info (2.7.1-1) unstable; urgency=medium * New upstream version 2.7.1 diff --git a/debian/patches/CVE-2021-23362.patch b/debian/patches/CVE-2021-23362.patch new file mode 100644 index 000..cadac62 --- /dev/null +++ b/debian/patches/CVE-2021-23362.patch 
@@ -0,0 +1,28 @@
+Description: avoid ReDoS
+Author: nlf
+Origin: upstream, https://github.com/npm/hosted-git-info/commit/bede0dc3
+Bug: https://snyk.io/vuln/SNYK-JS-HOSTEDGITINFO-1088355
+Forwarded: not-needed
+Reviewed-By: Xavier Guimard
+Last-Update: 2021-03-26
+
+--- a/index.js b/index.js
+@@ -42,7 +42,7 @@
+ isGitHubShorthand(giturl) ? 'github:' + giturl : giturl
+ )
+ var parsed = parseGitUrl(url)
+- var shortcutMatch = url.match(new RegExp('^([^:]+):(?:(?:[^@:]+(?:[^@]+)?@)?([^/]*))[/](.+?)(?:[.]git)?($|#)'))
++ var shortcutMatch = url.match(/^([^:]+):(?:[^@]+@)?(?:([^/]*)\/)?([^#]+)/)
+ var matches = Object.keys(gitHosts).map(function (gitHostName) {
+ try {
+ var gitHostInfo = gitHosts[gitHostName]
+@@ -56,7 +56,7 @@
+ var defaultRepresentation = null
+ if (shortcutMatch && shortcutMatch[1] === gitHostName) {
+ user = shortcutMatch[2] && decodeURIComponent(shortcutMatch[2])
+-project = decodeURIComponent(shortcutMatch[3])
++project = decodeURIComponent(shortcutMatch[3].replace(/\.git$/, ''))
+ defaultRepresentation = 'shortcut'
+ } else {
+ if (parsed.host && parsed.host !== gitHostInfo.domain && parsed.host.replace(/^www[.]/, '') !== gitHostInfo.domain) return
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..cc0f664
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23362.patch
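Review bot: The rewritten `shortcutMatch` regex in the first `index.js` hunk carries no explanation of why it must stay this simple, so a later "improvement" can reintroduce the overlapping quantifiers (`(.+?)(?:[.]git)?($|#)`) that made the old pattern backtrack. I would add a comment above the `url.match` line: `// Keep this pattern free of nested or overlapping quantifiers (CVE-2021-23362, ReDoS); the optional ".git" suffix is stripped from the project name below instead of being matched here.` The second hunk's `.replace(/\.git$/, '')` is anchored at the end and is linear, so the two hunks together preserve the old result for `user/repo.git` inputs as far as the visible lines show. Both hunks sit inside a function whose start and end are outside the patch.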
Bug#985488: New debdiff for pinball 0.3.20201218-3
Control: tags -1 - moreinfo Le 28/03/2021 à 22:24, Paul Gevers a écrit : > Control: tags -1 moreinfo > > Hi, > > On 25-03-2021 15:04, Yadd wrote: >> Philippe added an autopkgtest to pinball. > > The autopkgtest doesn't test the installed binaries substantially. It > must be marked as superficial. > > When that is fixed (and nothing else is changed along the way), it can > be unblocked. Hi Paul, thanks! Done in 0.3.20201218-4 Cheers, Xavier
Bug#986175: unblock: underscore/1.9.1~dfsg-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org Please unblock package underscore [ Reason ] underscore is vulnerable to arbitrary code execution (#986171, CVE-2021-23358) [ Impact ] CVE provided a PoC to prove arbitrary code execution [ Tests ] I added a test to prove that bug is fixed (based on PoC). Test fails with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2 [ Risks ] Patch is trivial. Note: I imported also Janitor changes: this breaks nothing [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other ] I downgrade autopkgtest to "superficial" since nothing was really tested (just a node "require"). That's why I'm filing this ;-) Regards, Yadd unblock underscore/1.9.1~dfsg-2 diff --git a/debian/changelog b/debian/changelog index 02cd807..fed9aa8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,26 @@ +underscore (1.9.1~dfsg-2) unstable; urgency=medium + + * Team upload + + [ Debian Janitor ] + * Bump debhelper dependency to >= 9, since that's what is used in +debian/compat. + * Bump debhelper from old 9 to 12. + * Set debhelper-compat version in Build-Depends. + * Set upstream metadata fields: Bug-Database, Repository, Repository- +Browse. + * Update standards version to 4.4.1, no changes needed. + * Set upstream metadata fields: Bug-Submit. + * Update standards version to 4.5.0, no changes needed. + * Apply multi-arch hints. ++ node-underscore: Add Multi-Arch: foreign. + + [ Yadd ] + * Mark autopkgtest as superficial + * Fix arbitrary code execution and add a test (Closes: #986171) + + -- Yadd Tue, 30 Mar 2021 22:40:59 +0200 + underscore (1.9.1~dfsg-1) unstable; urgency=medium [ upstream ] diff --git a/debian/compat b/debian/compat deleted file mode 100644 index ec63514..000 --- a/debian/compat +++ /dev/null @@ -1 +0,0 @@ -9 
diff --git a/debian/control b/debian/control index cb1e7e9..fc1d26b 100644 --- a/debian/control +++ b/debian/control @@ -7,11 +7,11 @@ Uploaders: David Paleino , Build-Depends: brotli, - debhelper, + debhelper-compat (= 12), node-source-map, pigz, uglifyjs (>= 3), -Standards-Version: 4.3.0 +Standards-Version: 4.5.0 Homepage: https://underscorejs.org/ Vcs-Browser: https://salsa.debian.org/js-team/underscore Vcs-Git: https://salsa.debian.org/js-team/underscore.git @@ -44,6 +44,7 @@ Depends: libjs-underscore, nodejs, ${misc:Depends}, +Multi-Arch: foreign Description: JavaScript's functional programming helper library - NodeJS Underscore is a utility-belt library for JavaScript that provides a lot of the functional programming support that you would expect in diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch new file mode 100644 index 000..2ba4118 --- /dev/null +++ b/debian/patches/CVE-2021-23358.patch 
@@ -0,0 +1,62 @@ +Description: fix arbitrary code execution +Author: Julian Gonggrijp +Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d +Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 +Bug-Debian: https://bugs.debian.org/986171 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2021-03-30 + +--- a/underscore.js b/underscore.js +@@ -1550,6 +1550,13 @@ + return '\\' + escapes[match]; + }; + ++ // In order to prevent third-party code injection through ++ // `_.templateSettings.variable`, we test it against the following regular ++ // expression. It is intentionally a bit more liberal than just matching valid ++ // identifiers, but still prevents possible loopholes through defaults or ++ // destructuring assignment. ++ var bareIdentifier = /^\s*(\w|\$)+\s*$/; ++ + // JavaScript micro-templating, similar to John Resig's implementation. + // Underscore templating handles arbitrary delimiters, preserves whitespace, + // and correctly escapes quotes within interpolated code. +@@ -1585,8 +1592,17 @@ + }); + source += "';\n"; + +-// If a variable is not specified, place data values in local scope. +-if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n'; ++var argument = settings.variable; ++if (argument) { ++ // Insure against third-party code injection. ++ if (!bareIdentifier.test(argument)) throw new Error( ++'variable is not a bare identifier: ' + argument ++ ); ++} else { ++ // If a variable is not specified, place data values in local scope. ++ source = 'with(obj||{}){\n' + source + '}\n'; ++ argument = 'obj'; ++} + + source = "var __t,__p='',__j=Array.prototype.join," + + "print=function(){__p+=__j.call(arguments
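Review bot: `bareIdentifier` (`/^\s*(\w|\$)+\s*$/`) in the first hunk accepts values that are not identifiers at all, such as `123` or `1abc`, plus surrounding whitespace; those are only rejected later when the generated template source is compiled, with a generic SyntaxError instead of the intended "variable is not a bare identifier" message. Tightening it to `/^\s*[A-Za-z_$][\w$]*\s*$/` rejects them up front and is no less permissive for any legitimate variable name. The comment above the regex should also name the advisory it closes, e.g. end it with `(CVE-2021-23358)`. The second hunk in this chunk is cut off and its enclosing template function starts before and ends after it.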
Bug#986175: unblock: underscore/1.9.1~dfsg-2
Control: tags -1 - moreinfo Le 31/03/2021 à 09:52, Sebastian Ramacher a écrit : > Control: tags -1 moreinfo > > On 2021-03-30 22:49:43, Yadd wrote: >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: unblock >> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org >> >> Please unblock package underscore >> >> [ Reason ] >> underscore is vulnerable to arbitrary code execution (#986171, >> CVE-2021-23358) >> >> [ Impact ] >> CVE provided a PoC to prove arbitrary code execution >> >> [ Tests ] >> I added a test to prove that bug is fixed (based on PoC). Test fails >> with 1.9.1~dfsg-1 and passes with 1.9.1~dfsg-2 >> >> [ Risks ] >> Patch is trivial. Note: I imported also Janitor changes: this breaks >> nothing > > The patch looks fine, but please upload a version without the janitor > changes. It's too late for those changes and they can wait for bookworm. > > Cheers Hi, thanks, done in version 1.9.1~dfsg-3 Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 02cd807..3936261 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -1,3 +1,33 @@ +underscore (1.9.1~dfsg-3) unstable; urgency=medium + + * Team upload + * Revert Janitor changes as required by release team (#986175) + + -- Yadd Wed, 31 Mar 2021 14:21:21 +0200 + +underscore (1.9.1~dfsg-2) unstable; urgency=medium + + * Team upload + + [ Debian Janitor ] + * Bump debhelper dependency to >= 9, since that's what is used in +debian/compat. + * Bump debhelper from old 9 to 12. + * Set debhelper-compat version in Build-Depends. + * Set upstream metadata fields: Bug-Database, Repository, Repository- +Browse. + * Update standards version to 4.4.1, no changes needed. + * Set upstream metadata fields: Bug-Submit. + * Update standards version to 4.5.0, no changes needed. + * Apply multi-arch hints. ++ node-underscore: Add Multi-Arch: foreign. + + [ Yadd ] + * Mark autopkgtest as superficial + * Fix arbitrary code execution and add a test (Closes: #986171) + + -- Yadd Tue, 30 Mar 2021 22:40:59 +0200 + underscore (1.9.1~dfsg-1) unstable; urgency=medium [ upstream ] diff --git a/debian/patches/CVE-2021-23358.patch b/debian/patches/CVE-2021-23358.patch new file mode 100644 index 000..2ba4118 --- /dev/null +++ b/debian/patches/CVE-2021-23358.patch 
@@ -0,0 +1,62 @@ +Description: fix arbitrary code execution +Author: Julian Gonggrijp +Origin: upstream, https://github.com/jashkenas/underscore/commit/4c73526d +Bug: https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984 +Bug-Debian: https://bugs.debian.org/986171 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2021-03-30 + +--- a/underscore.js b/underscore.js +@@ -1550,6 +1550,13 @@ + return '\\' + escapes[match]; + }; + ++ // In order to prevent third-party code injection through ++ // `_.templateSettings.variable`, we test it against the following regular ++ // expression. It is intentionally a bit more liberal than just matching valid ++ // identifiers, but still prevents possible loopholes through defaults or ++ // destructuring assignment. ++ var bareIdentifier = /^\s*(\w|\$)+\s*$/; ++ + // JavaScript micro-templating, similar to John Resig's implementation. + // Underscore templating handles arbitrary delimiters, preserves whitespace, + // and correctly escapes quotes within interpolated code. +@@ -1585,8 +1592,17 @@ + }); + source += "';\n"; + +-// If a variable is not specified, place data values in local scope. +-if (!settings.variable) source = 'with(obj||{}){\n' + source + '}\n'; ++var argument = settings.variable; ++if (argument) { ++ // Insure against third-party code injection. ++ if (!bareIdentifier.test(argument)) throw new Error( ++'variable is not a bare identifier: ' + argument ++ ); ++} else { ++ // If a variable is not specified, place data values in local scope. 
++ source = 'with(obj||{}){\n' + source + '}\n'; ++ argument = 'obj'; ++} + + source = "var __t,__p='',__j=Array.prototype.join," + + "print=function(){__p+=__j.call(arguments,'');};\n" + +@@ -1594,7 +1610,7 @@ + + var render; + try { +- render = new Function(settings.variable || 'obj', '_', source); ++ render = new Function(argument, '_', source); + } catch (e) { + e.source = source; + throw e; +@@ -1605,7 +1621,6 @@ + }; + + // Provide the compiled source as a convenience for precompilation. +-var argument = settings.variable || 'obj'; + template.source = 'function(' + argument + '){\n' + s
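Review bot: The comment `// Insure against third-party code injection.` in the `-1585` hunk misspells the verb and gives the reader no pointer to the advisory; I would write `// Ensure against third-party code injection (CVE-2021-23358): the variable name must be a bare identifier.` The `-1594` hunk correctly passes the validated `argument` to `new Function` instead of the raw `settings.variable`, and the `-1605` hunk that removes the old duplicate `argument` computation is cut off at the end of this chunk. The enclosing `_.template` function starts before this chunk.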
Bug#986406: unblock: node-d3-dsv/1.1.1-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-javascript-de...@lists.debian.org Please unblock package node-d3-dsv [ Reason ] node-d3-dsv has a RC bug (#985518) due to bad links in /usr/bin. [ Impact ] Unusable binary commands, however package works fine when used by JS files. [ Tests ] No, change just fixed links [ Risks ] No risk, changes are: * fix links using dh-sequence-nodejs (debian/links moved to debian/nodejs/links and fixed) * Add missing Rules-Requires-Root * Clean unneeded versionned dependencies * Remove useless debian/webpack.config.js [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-d3-dsv/1.1.1-4 diff --git a/debian/changelog b/debian/changelog index 2678e16..dffccb2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,20 @@ +node-d3-dsv (1.1.1-4) unstable; urgency=medium + + * Team upload + + [ Pirate Praveen ] + * Drop node unused debian/webpack.config.js (we switched to rollup) + + [ Yadd ] + * Bump debhelper compatibility level to 13 + * Add "Rules-Requires-Root: no" + * Add debian/gbp.conf + * Modernize debian/watch + * Use dh-sequence-nodejs + * Fix links (Closes: #985518) + + -- Yadd Sat, 20 Mar 2021 12:08:15 +0100 + node-d3-dsv (1.1.1-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/control b/debian/control index 6489133..ee4d80b 100644 --- a/debian/control +++ b/debian/control 
@@ -1,30 +1,29 @@ Source: node-d3-dsv -Section: javascript -Priority: optional Maintainer: Debian Javascript Maintainers Uploaders: Pirate Praveen -Build-Depends: - debhelper-compat (= 12) - , nodejs - , pkg-js-tools - , rollup +Section: javascript +Testsuite: autopkgtest-pkg-nodejs +Priority: optional +Build-Depends: debhelper-compat (= 13) + , dh-sequence-nodejs + , node-csv-spectrum , node-rollup-plugin-terser , node-tape - , node-csv-spectrum + , nodejs + , rollup Standards-Version: 4.5.1 -Homepage: https://d3js.org/d3-dsv/ -Vcs-Git: https://salsa.debian.org/js-team/node-d3-dsv.git Vcs-Browser: https://salsa.debian.org/js-team/node-d3-dsv -Testsuite: autopkgtest-pkg-nodejs +Vcs-Git: https://salsa.debian.org/js-team/node-d3-dsv.git +Homepage: https://d3js.org/d3-dsv/ +Rules-Requires-Root: no Package: node-d3-dsv Architecture: all -Depends: - ${misc:Depends} +Depends: ${misc:Depends} + , node-commander + , node-iconv + , node-rw , nodejs - , node-iconv (>= 0.4) - , node-rw (>= 1) - , node-commander (>= 2) Description: parser and formatter for delimiter-separated values, such as CSV This module provides a parser and formatter for delimiter-separated values, most commonly comma-separated values (CSV) or tab-separated values (TSV). diff --git a/debian/copyright b/debian/copyright index c3995ef..bd2f526 100644 --- a/debian/copyright +++ b/debian/copyright @@ -11,7 +11,7 @@ Files: debian/* Copyright: 2017 Pirate Praveen License: BSD-3-Clause -License: BSD-3-clause +License: BSD-3-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -35,4 +35,3 @@ License: BSD-3-clause LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 000..b713356 --- /dev/null 
+++ b/debian/gbp.conf @@ -0,0 +1,5 @@ +[DEFAULT] +pristine-tar = True + +[import-orig] +filter = [ '.gitignore', '.travis.yml', '.git*' ] diff --git a/debian/links b/debian/links deleted file mode 100644 index 2d71628..000 --- a/debian/links +++ /dev/null @@ -1,9 +0,0 @@ -usr/lib/nodejs/d3-dsv/bin/dsv2dsv usr/bin/csv2tsv -usr/lib/nodejs/d3-dsv/bin/json2dsv usr/bin/json2csv -usr/lib/nodejs/d3-dsv/bin/json2dsv usr/bin/json2tsv -usr/lib/nodejs/d3-dsv/bin/dsv2json usr/bin/dsv2json -usr/lib/nodejs/d3-dsv/bin/dsv2dsv usr/bin/dsv2dsv -usr/lib/nodejs/d3-dsv/bin/dsv2json usr/bin/csv2json -usr/lib/nodejs/d3-dsv/bin/dsv2json usr/bin/tsv2json -usr/lib/nodejs/d3-dsv/bin/json2dsv usr/bin/json2dsv -usr/lib/nodejs/d3-dsv/bin/dsv2dsv usr/bin/tsv2csv diff --git a/debian/nodejs/links b/debian/nodejs/links new file mode 100644 index 000..43ed1f6 --- /dev/null +++ b/debian/nodejs/links @@ -0,0 +1,9 @@ +d3-dsv/bin/dsv2dsv /usr/bin/csv2tsv +d3-dsv/bin/json2dsv /usr/bin/json2csv +d3-dsv/bin/json2dsv /usr/bin/json2tsv +d3-dsv/bin/dsv2json /usr/bin/dsv2json +d3-dsv/bin/dsv2dsv /usr/bin/dsv2dsv +d3-dsv/bin/dsv2json /usr/bin/csv2json +d3-dsv/bin/dsv2json /usr/bin/tsv2json +d3-dsv/bin/json2dsv /usr/bin/json2dsv +d3-dsv/bin/dsv2dsv /usr/bin/tsv2csv diff --git a/debian/rules b/debian/rules index
Bug#986406: unblock: node-d3-dsv/1.1.1-4
Control: tags -1 - moreinfo Le 05/04/2021 à 13:28, Sebastian Ramacher a écrit : > [...] > The dependencies seem to be wrong: > > $ json2dsv > internal/modules/cjs/loader.js:818 > throw err; > ^ > > Error: Cannot find module 'iconv-lite' > Require stack: > - /usr/share/nodejs/d3-dsv/bin/json2dsv > at Function.Module._resolveFilename > (internal/modules/cjs/loader.js:815:15) > at Function.Module._load (internal/modules/cjs/loader.js:667:27) > at Module.require (internal/modules/cjs/loader.js:887:19) > at require (internal/modules/cjs/helpers.js:74:18) > at Object. (/usr/share/nodejs/d3-dsv/bin/json2dsv:6:13) > at Module._compile (internal/modules/cjs/loader.js:999:30) > at Object.Module._extensions..js (internal/modules/cjs/loader.js:1027:10) > at Module.load (internal/modules/cjs/loader.js:863:32) > at Function.Module._load (internal/modules/cjs/loader.js:708:14) > at Function.executeUserEntryPoint [as runMain] > (internal/modules/run_main.js:60:12) { > code: 'MODULE_NOT_FOUND', > requireStack: [ '/usr/share/nodejs/d3-dsv/bin/json2dsv' ] > } Hi, Fixed and tested (build + autopkgtest): rebuild node-d3-fetch ... PASS rebuild node-d3-hierarchy ... PASS rebuild node-d3 ... PASS autopkgtest node-d3 ... PASS autopkgtest node-d3-fetch ... PASS >> * Remove useless debian/webpack.config.js >> >> [ Checklist ] >> [X] all changes are documented in the d/changelog >> [X] I reviewed all changes and I approve them >> [X] attach debdiff against the package in testing >> >> Cheers, >> Yadd >> >> unblock node-d3-dsv/1.1.1-4 > >> diff --git a/debian/changelog b/debian/changelog >> index 2678e16..dffccb2 100644 >> --- a/debian/changelog >> +++ b/debian/changelog 
>> @@ -1,3 +1,20 @@ >> +node-d3-dsv (1.1.1-4) unstable; urgency=medium >> + >> + * Team upload >> + >> + [ Pirate Praveen ] >> + * Drop node unused debian/webpack.config.js (we switched to rollup) >> + >> + [ Yadd ] >> + * Bump debhelper compatibility level to 13 > > Please revert this change. It's no longer appropriate at this stage of > the freeze. Done >> + * Add "Rules-Requires-Root: no" >> + * Add debian/gbp.conf >> + * Modernize debian/watch >> + * Use dh-sequence-nodejs > > This also just adds noise too the diff. Done > Cheers Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 2678e16..6b7d5f7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,29 @@ +node-d3-dsv (1.1.1-5) unstable; urgency=medium + + * Team upload + * Revert debhelper upgrade due to freeze + * Update debian/watch due to GitHub changes + * Replace node-iconv by node-iconv-lite in dependencies as required by package.json + + -- Yadd Mon, 05 Apr 2021 19:51:03 +0200 + +node-d3-dsv (1.1.1-4) unstable; urgency=medium + + * Team upload + + [ Pirate Praveen ] + * Drop node unused debian/webpack.config.js (we switched to rollup) + + [ Yadd ] + * Bump debhelper compatibility level to 13 + * Add "Rules-Requires-Root: no" + * Add debian/gbp.conf + * Modernize debian/watch + * Use dh-sequence-nodejs + * Fix links (Closes: #985518) + + -- Yadd Sat, 20 Mar 2021 12:08:15 +0100 + node-d3-dsv (1.1.1-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/control b/debian/control index 6489133..23503df 100644 --- a/debian/control +++ b/debian/control @@ -22,7 +22,7 @@ Architecture: all Depends: ${misc:Depends} , nodejs - , node-iconv (>= 0.4) + , node-iconv-lite (>= 0.4) , node-rw (>= 1) , node-commander (>= 2) Description: parser and formatter for delimiter-separated values, such as CSV diff --git a/debian/copyright b/debian/copyright index c3995ef..bd2f526 100644 --- a/debian/copyright +++ b/debian/copyright 
@@ -11,7 +11,7 @@ Files: debian/* Copyright: 2017 Pirate Praveen License: BSD-3-Clause -License: BSD-3-clause +License: BSD-3-Clause Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -35,4 +35,3 @@ License: BSD-3-clause LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 000..b713356 --- /dev/null +++ b/debian/gbp.conf @@ -0,0 +1,5 @@ +[DEFAULT] +pristine-tar = True + +[import-orig] +filter = [ '.gitignore', '.travis.yml', '.git*' ] diff --git a/debian/links b/debian/links deleted file mode 100644 index 2d71628..000 -
Bug#986617: unblock: node-rollup-pluginutils/4.1.0+~2.8.2-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-rollup-pluginutils [ Reason ] node-rollup-pluginutils has a broken symlink due to node-typescript-types deprecation. This patch updates dependencies to package that ship the good @types/* files (#985702) [ Impact ] A broken symlink and maybe missing dependencies when using node-rollup-pluginutils with tsc (node-typescript) [ Tests ] Tests passed because some build dependencies are updated [ Risks ] Trivial patch, just updates dependencies (node-typescript-types is now a transitional package that points to virtual node-types-node) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock node-rollup-pluginutils/4.1.0+~2.8.2-3 diff --git a/debian/changelog b/debian/changelog index ff4da4b..68603db 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-rollup-pluginutils (4.1.0+~2.8.2-3) unstable; urgency=medium + + * Team upload + * Replace deprecated dependency to node-typescript-types by dependencies to +node-types-estree and node-types-node (Closes: #979762, #979775, #985702) + + -- Yadd Mon, 22 Mar 2021 12:45:55 +0100 + node-rollup-pluginutils (4.1.0+~2.8.2-2) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 6f6f43d..c5ab2ea 100644 --- a/debian/control +++ b/debian/control @@ -15,7 +15,7 @@ Build-Depends: , node-rollup-plugin-node-resolve , node-rollup-plugin-typescript , node-typescript (>= 3.7~) - , node-typescript-types + , node-types-estree , nodejs (>= 10~) , dh-sequence-nodejs , rollup (>= 1) @@ -31,7 +31,8 @@ Depends: ${misc:Depends} , node-estree-walker , node-micromatch (>= 4.0~) - , node-typescript-types + , node-types-estree + , node-types-node Breaks: rollup (<< 1) Suggests: node-rollup-plugin-typescript Description: Base functionality for rollup plugins
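Review bot: Build-Depends replaces `node-typescript-types` with `node-types-estree` only, while the runtime Depends adds both `node-types-estree` and `node-types-node`; if the `tsc` step at build time resolves `@types/node`, the build-dependency list is incomplete and only works because the package is pulled in transitively. Adding `, node-types-node` after `, node-types-estree` in Build-Depends would keep the two lists consistent and the build reproducible when the transitive path changes. This is inferred from the two hunks alone; the description reports a passing build, which is consistent with a transitive pull.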
Bug#986831: unblock: node-core-js/3.8.2-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-core-js [ Reason ] node-core-js provides a broken and useless symlink (#985697). [ Impact ] No real impact, just a uselss broken symlink [ Tests ] Test & autopkgtest still works [ Risks ] No risk [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-core-js/3.8.2-2 diff --git a/debian/changelog b/debian/changelog index 666b438..35d757b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-core-js (3.8.2-2) unstable; urgency=medium + + * Team upload + * Remove useless and broken symlink (Closes: #985697) + + -- Yadd Mon, 22 Mar 2021 11:42:29 +0100 + node-core-js (3.8.2-1) unstable; urgency=medium * Team upload diff --git a/debian/copyright b/debian/copyright index 287bf91..6cce180 100644 --- a/debian/copyright +++ b/debian/copyright @@ -9,7 +9,7 @@ License: Expat Files: debian/* Copyright: 2016, Sruthi Chandran - 2019, Xavier Guimard + 2019, Yadd License: Expat License: Expat diff --git a/debian/rules b/debian/rules index af0314f..a7cb47a 100755 --- a/debian/rules +++ b/debian/rules @@ -9,7 +9,7 @@ override_dh_auto_build: node packages/core-js-compat/src/build-data node packages/core-js-compat/src/build-entries node packages/core-js-compat/src/build-modules-by-versions - for i in es features internals modules proposals scripts stable stage web configurator.js postinstall.js; do \ + for i in es features internals modules proposals stable stage web configurator.js postinstall.js; do \ ln -s ../../packages/core-js/$$i packages/core-js-pure/$$i; \ done cp packages/core-js/index.js packages/core-js-pure/
Bug#986976: unblock: node-postcss/8.2.1+~cs5.3.23-6
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-postcss [ Reason ] node-postcss is vulnerable to de RegExp Denial of Service during source map parsing (CVE-2021-23368) [ Impact ] Medium vulnerability [ Tests ] Upstream tests were disabled due to missing ts-jest. Now, it is packaged then if release team agree, I can enable them (not done here to minimize diff). Note that current autopkgtest should be tagged as "superficial". Launched locally, tests pass with and without this fix. [ Risks ] The change in regexps consists to not allow optional whitespaces (there are never whitespaces in normal source maps) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock node-postcss/8.2.1+~cs5.3.23-6 diff --git a/debian/changelog b/debian/changelog index 9dba3f7..f7ffc04 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium + + * Team upload + * Fix ReDoS vulnerability (Closes: CVE-2021-23368) + + -- Yadd Wed, 14 Apr 2021 21:43:54 +0200 + node-postcss (8.2.1+~cs5.3.23-5) unstable; urgency=medium * Update Breaks: node-css-loader (<< 5.0.1+~cs14.0.5-1~) diff --git a/debian/patches/CVE-2021-23368.patch b/debian/patches/CVE-2021-23368.patch new file mode 100644 index 000..90351b3 --- /dev/null +++ b/debian/patches/CVE-2021-23368.patch 
@@ -0,0 +1,27 @@
+Description: fix unsafe regexp
+Author: Andrey Sitnik
+Origin: upstream,
+ https://github.com/postcss/postcss/commit/8682b1e4
+ https://github.com/postcss/postcss/commit/b6f3e4d5
+Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1090595
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2021-04-14
+
+--- a/lib/previous-map.js b/lib/previous-map.js
+@@ -49,12 +49,12 @@
+
+ getAnnotationURL (sourceMapString) {
+ return sourceMapString
+- .match(/\/\*\s*# sourceMappingURL=(.*)\s*\*\//)[1]
++ .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1]
+ .trim()
+ }
+
+ loadAnnotation (css) {
+-let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\s*\*\//gm)
++let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm)
+
+ if (annotations && annotations.length > 0) {
+ // Locate the last sourceMappingURL to avoid picking up
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..1be7968
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+CVE-2021-23368.patch
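Review bot: Dropping `\s*` removes the ambiguity between two adjacent unbounded quantifiers, but both patched patterns still hold an unbounded `(.*)` / `.*` that is free to run across a later `sourceMappingURL=` marker before looking for `\*\/`; with the `g` flag in `loadAnnotation`, an input made of many repeated markers and no terminator still costs polynomial backtracking. Tempering the wildcard at the next marker, e.g. `sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\/` in `getAnnotationURL` and the uncaptured form in `loadAnnotation`, bounds each attempt. Both methods belong to a class whose definition starts outside the hunk.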
Bug#987039: buster-pu: package dojo/1.14.2+dfsg1-1+deb10u3
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org [ Reason ] dojo/dijit is vulnerable to cross-site-scripting (#97, CVE-2020-4051). [ Impact ] Medium vulnerability [ Tests ] Test passed during build, including upstream new checks [ Risks ] Upstream patch applied without any changes, not trivial but not a big change. From patch comment: This update should minimally affect production applications: * The behavior of existing links with HTML content will be unchanged * Existing links that are edited and saved will be filtered (this is only if the link is edited, other content within the editor can be edited without affecting the link) * Newly created links will be filtered by default * For production code to continue working as-is with new data the application code will have to be updated to specify `true` for the `LinkDialog` plugin's `allowUnsafeHtml` option [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] in plugin dijit/_editor/plugins/LinkDialog.js, a new chack was added I didn't add any debian/NEWS entry since risk is tagged as "low". Do you think it is required here? Maybe something inspired from comment below. Cheers, Xavier diff --git a/debian/changelog b/debian/changelog index d4aae875..407f7c48 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +dojo (1.14.2+dfsg1-1+deb10u3) buster; urgency=medium + + * Team upload + * Fix cross-site-scripting vulnerability (Closes: #97, CVE-2020-4051) + + -- Yadd Fri, 16 Apr 2021 09:39:01 +0200 + dojo (1.14.2+dfsg1-1+deb10u2) buster; urgency=medium * Team upload diff --git a/debian/patches/CVE-2020-4051.patch b/debian/patches/CVE-2020-4051.patch new file mode 100644 index ..714b93d2 --- /dev/null 
+++ b/debian/patches/CVE-2020-4051.patch 
@@ -0,0 +1,135 @@ +Description: fix cross-site scripting vulnerability in the Editor's LinkDialog plugin + * Add config option `allowUnsafeHtml`: default is `false` which results in + `<` being replaced with `<` + * Add config option `linkFilter`: can be a function or array of filter pairs + to control exactly what filtering is applied + . + This update should minimally affect production applications: + . + * The behavior of existing links with HTML content will be unchanged + * Existing links that are edited and saved will be filtered (this is only if + the link is edited, other content within the editor can be edited without + affecting the link) + * Newly created links will be filtered by default + * For production code to continue working as-is with new data the application + code will have to be updated to specify `true` for the `LinkDialog` plugin's + `allowUnsafeHtml` option +Author: Mangala Sadhu Sangeet Singh Khalsa +Origin: upstream, https://github.com/dojo/dijit/commit/7d9d4927 +Bug: https://github.com/dojo/dijit/security/advisories/GHSA-cxjc-r2fp-7mq6 +Bug-Debian: https://bugs.debian.org/97 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-16 + +--- a/dijit/_editor/plugins/LinkDialog.js b/dijit/_editor/plugins/LinkDialog.js +@@ -1,5 +1,6 @@ + define([ + "require", ++ "dojo/_base/array", + "dojo/_base/declare", // declare + "dojo/dom-attr", // domAttr.get + "dojo/keys", // keys.ENTER +@@ -11,7 +12,7 @@ + "../_Plugin", + "../../form/DropDownButton", + "../range" +-], function(require, declare, domAttr, keys, lang, on, has, query, string, ++], function(require, array, declare, domAttr, keys, lang, on, has, query, string, + _Plugin, DropDownButton, rangeapi){ + + // module: +@@ -26,6 +27,21 @@ + // + // - createLink + ++ // allowUnsafeHtml: boolean ++ // If false (default), the link description will be filtered to prevent HTML content. ++ // If true no filtering is done, allowing for HTML content within the link element. 
++ // The filter can be specified with the 'linkFilter' option. ++ allowUnsafeHtml: false, ++ ++ // linkFilter: function or array of replacement pairs ++ // If 'allowUnsafeHtml' is false then this filter will be applied to the link Description value. ++ // function: the function will be invoked with the string value of the Description field and its ++ // return value will be used ++ // array: each array item should be an array of two values to pass to String#replace ++ linkFilter: [ ++ [/ + +
Bug#987041: unblock: node-handlebars/4.7.6+~4.1.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-handlebars [ Reason ] node-handlebars is vulnerable to Remote Code Execution (RCE) (CVE-2021-23369). [ Impact ] Medium vulnerability [ Tests ] Yes, code passed (build & autopkgtest), including new checks [ Risks ] Low risk; change is trivial (upstream patch applied without any change) [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-handlebars/4.7.6+~4.1.0-2 diff --git a/debian/changelog b/debian/changelog index 675dba0..215d5a2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-handlebars (3:4.7.6+~4.1.0-2) unstable; urgency=medium + + * Team upload + * Fix remote code execution (Closes: CVE-2021-23369) + + -- Yadd Fri, 16 Apr 2021 10:19:56 +0200 + node-handlebars (3:4.7.6+~4.1.0-1) unstable; urgency=medium [ Xavier Guimard ] diff --git a/debian/patches/CVE-2021-23369.patch b/debian/patches/CVE-2021-23369.patch new file mode 100644 index 000..98ee3fc --- /dev/null +++ b/debian/patches/CVE-2021-23369.patch 
@@ -0,0 +1,80 @@ +Description: fix Remote Code Execution (RCE) + when selecting certain compiling options to compile templates coming from an + untrusted source. +Author: Nils Knappmeier +Origin: upstream, https://github.com/handlebars-lang/handlebars.js/commit/b6d3de71 + https://github.com/handlebars-lang/handlebars.js/commit/f0589701 +Bug: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-1056767 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-16 + +--- a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js +@@ -16,7 +16,12 @@ + return this.internalNameLookup(parent, name); + }, + depthedLookup: function(name) { +-return [this.aliasable('container.lookup'), '(depths, "', name, '")']; ++return [ ++ this.aliasable('container.lookup'), ++ '(depths, ', ++ JSON.stringify(name), ++ ')' ++]; + }, + + compilerInfo: function() { +--- a/lib/handlebars/runtime.js b/lib/handlebars/runtime.js +@@ -124,7 +124,7 @@ + loc: loc + }); + } +- return obj[name]; ++ return container.lookupProperty(obj, name); + }, + lookupProperty: function(parent, propertyName) { + let result = parent[propertyName]; +--- a/spec/security.js b/spec/security.js +@@ -320,6 +320,10 @@ + checkProtoPropertyAccess({ compat: true }); + }); + ++ describe('in strict-mode', function() { ++checkProtoPropertyAccess({ strict: true }); ++ }); ++ + function checkProtoPropertyAccess(compileOptions) { + it('should be prohibited by default and log a warning', function() { + var spy = sinon.spy(console, 'error'); +@@ -418,6 +422,28 @@ + }); + }); + }); ++ ++ describe('escapes template variables', function() { ++it('in compat mode', function() { ++ expectTemplate("{{'a\\b'}}") ++.withCompileOptions({ compat: true }) ++.withInput({ 'a\\b': 'c' }) ++.toCompileTo('c'); ++}); ++ ++it('in default mode', function() { ++ expectTemplate("{{'a\\b'}}") ++.withCompileOptions() ++.withInput({ 'a\\b': 'c' }) ++.toCompileTo('c'); ++}); ++it('in default mode', function() { ++ 
expectTemplate("{{'a\\b'}}") ++.withCompileOptions({ strict: true }) ++.withInput({ 'a\\b': 'c' }) ++.toCompileTo('c'); ++}); ++ }); + }); + + function wrapToAdjustContainer(precompiledTemplateFunction) { diff --git a/debian/patches/series b/debian/patches/series index 35bc292..d613930 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ skip-some-modules.patch disable-bg-shell-plugin.patch use-babel7.patch use-global-object-this.patch +CVE-2021-23369.patch
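Review bot: The third new case in `spec/security.js` reuses the title `'in default mode'` although it compiles with `{ strict: true }`, so a failure there would be reported under the same name as the preceding case and be hard to tell apart; it should read `it('in strict mode', function() {`. The enclosing `describe('escapes template variables', …)` is fully in the hunk, but the outer `describe` starts before it.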
Bug#987042: buster-pu: package node-handlebars/4.1.0-1+deb10u3
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: utka...@debian.org [ Reason ] node-handlebars is vulnerable to Arbitrary Code Execution and Remote Code Execution (CVE-2019-20920 and CVE-2021-23369) [ Impact ] Medium vulnerabilities [ Tests ] Sadly there are no test launched in Buster even if upstream added some checks [ Risks ] Medium risk, upstream patches were applied without changes [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] More checks for given arguments Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index e49c409..e55d497 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-handlebars (3:4.1.0-1+deb10u3) buster; urgency=medium + + * Team upload + * Fix arbitrary code execution (Closes: CVE-2019-20920) + * Fix remote code execution (Closes: CVE-2021-23369) + + -- Yadd Fri, 16 Apr 2021 10:31:24 +0200 + node-handlebars (3:4.1.0-1+deb10u2) buster; urgency=medium * Fix regression introduced in 3:4.1.0-1+deb10u1 diff --git a/debian/patches/CVE-2019-20920.patch b/debian/patches/CVE-2019-20920.patch new file mode 100644 index 000..54e3bd3 --- /dev/null +++ b/debian/patches/CVE-2019-20920.patch 
@@ -0,0 +1,114 @@ +Description: fix for CVE-2019-20920 +Author: Nils Knappmeier +Origin: upstream, https://github.com/handlebars-lang/handlebars.js/commit/1988878 +Bug: https://snyk.io/vuln/SNYK-JS-HANDLEBARS-534478 +Forwarded: not-needed +Reviewed-By: Xavier Guimard +Last-Update: 2020-10-12 + +--- a/lib/handlebars/compiler/compiler.js b/lib/handlebars/compiler/compiler.js +@@ -56,7 +56,7 @@ + + // These changes will propagate to the other compiler components + let knownHelpers = options.knownHelpers; +-options.knownHelpers = { ++options.knownHelpers = extend(Object.create(null), { + 'helperMissing': true, + 'blockHelperMissing': true, + 'each': true, +@@ -65,15 +65,7 @@ + 'with': true, + 'log': true, + 'lookup': true +-}; +-if (knownHelpers) { +- // the next line should use "Object.keys", but the code has been like this a long time and changing it, might +- // cause backwards-compatibility issues... It's an old library... +- // eslint-disable-next-line guard-for-in +- for (let name in knownHelpers) { +- this.options.knownHelpers[name] = knownHelpers[name]; +- } +-} ++}, options.knownHelpers); + + return this.accept(program); + }, +--- a/lib/handlebars/compiler/javascript-compiler.js b/lib/handlebars/compiler/javascript-compiler.js +@@ -2,6 +2,7 @@ + import Exception from '../exception'; + import {isArray} from '../utils'; + import CodeGen from './code-gen'; ++import {dangerousPropertyRegex} from '../helpers/lookup'; + + function Literal(value) { + this.value = value; +@@ -13,8 +14,9 @@ + // PUBLIC API: You can override these methods in a subclass to provide + // alternative compiled forms for name lookup and buffering semantics + nameLookup: function(parent, name/* , type*/) { +-if (name === 'constructor') { +- return ['(', parent, '.propertyIsEnumerable(\'constructor\') ? 
', parent, '.constructor : undefined', ')']; ++if (dangerousPropertyRegex.test(name)) { ++ const isEnumerable = [ this.aliasable('container.propertyIsEnumerable'), '.call(', parent, ',', JSON.stringify(name), ')']; ++ return ['(', isEnumerable, '?', _actualLookup(), ' : undefined)']; + } + if (JavaScriptCompiler.isValidJavaScriptVariableName(name)) { + return [parent, '.', name]; +--- a/lib/handlebars/helpers/lookup.js b/lib/handlebars/helpers/lookup.js +@@ -1,5 +1,13 @@ ++export const dangerousPropertyRegex = /^(constructor|__defineGetter__|__defineSetter__|__lookupGetter__|__proto__)$/; ++ + export default function(instance) { + instance.registerHelper('lookup', function(obj, field) { +-return obj && obj[field]; ++if (!obj) { ++ return obj; ++} ++if (dangerousPropertyRegex.test(String(field)) && !obj.propertyIsEnumerable(field)) { ++ return undefined; ++} ++return obj[field]; + }); + } +--- a/spec/security.js b/spec/security.js +@@ -21,6 +21,36 @@ + }); + }); + ++describe('GH-1563', function() { ++it('should not allow to access constructor after overriding via __defineGetter__', function() { ++if (({}).__defineGetter__ == null || ({}).__lookupGetter__ == null)
Bug#987047: unblock: node-glob-parent/5.1.1+~5.1.0-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-glob-parent [ Reason ] node-glob-parent is vulnerable to Regex Denial of Service (ReDoS), CVE-2020-28469 [ Impact ] Medium vulnerability [ Tests ] Test passed (build & autopkgtest), including new upstream check related to this vulnerability [ Risks ] Low risk: upstream patch applied without any change [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] Patch is trivial, just a regex update Cheers, Yadd unblock node-glob-parent/5.1.1+~5.1.0-2 diff --git a/debian/changelog b/debian/changelog index 3e6f1d0..e60f126 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-glob-parent (5.1.1+~5.1.0-2) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2020-28469) + + -- Yadd Fri, 16 Apr 2021 13:34:51 +0200 + node-glob-parent (5.1.1+~5.1.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch new file mode 100644 index 000..99478a6 --- /dev/null +++ b/debian/patches/CVE-2020-28469.patch 
@@ -0,0 +1,36 @@ +Description: fix ReDoS vulnerability + This change fixes a regular expression denial of service vulnerability. +Author: Rich Trott +Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168 +Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-16 + +--- a/index.js b/index.js +@@ -6,7 +6,7 @@ + + var slash = '/'; + var backslash = /\\/g; +-var enclosure = /[\{\[].*[\/]*.*[\}\]]$/; ++var enclosure = /[\{\[].*[\}\]]$/; + var globby = /(^|[^\\])([\{\[]|\([^\)]+$)/; + var escaped = /\\([\!\*\?\|\[\]\(\)\{\}])/g; + +--- a/test/index.test.js b/test/index.test.js +@@ -209,6 +209,13 @@ + + done(); + }); ++ ++ it('should not be susceptible to SNYK-JS-GLOBPARENT-1016905', function(done) { ++// This will time out if susceptible. ++gp('{' + '/'.repeat(5000)); ++ ++done(); ++ }); + }); + + if (isWin32) { diff --git a/debian/patches/series b/debian/patches/series index 439519e..421e1b0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ is-glob-4-compat.patch +CVE-2020-28469.patch
Bug#987048: buster-pu: package node-glob-parent/3.1.0-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-glob-parent is vulnerable to Regex Denial of Service (ReDoS) CVE-2020-28469 [ Impact ] Low vulnerability risk [ Tests ] No test backported from 5.1.0 branch [ Risks ] Trivial patch [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just a better regex check. Patch from upstream adapted to 3.1.0 Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 74d0753..46486a7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-glob-parent (3.1.0-1+deb10u1) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2020-28469) + + -- Yadd Fri, 16 Apr 2021 13:46:41 +0200 + node-glob-parent (3.1.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2020-28469.patch b/debian/patches/CVE-2020-28469.patch new file mode 100644 index 000..663e173 --- /dev/null +++ b/debian/patches/CVE-2020-28469.patch @@ -0,0 +1,20 @@ +Description: fix ReDoS vulnerability + This change fixes a regular expression denial of service vulnerability. +Author: Rich Trott +Origin: upstream, https://github.com/gulpjs/glob-parent/commit/f9231168 +Bug: https://snyk.io/vuln/SNYK-JS-GLOBPARENT-1016905 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-16 + +--- a/index.js b/index.js +@@ -10,7 +10,7 @@ + if (isWin32 && str.indexOf('/') < 0) str = str.split('\\').join('/'); + + // special case for strings ending in enclosure containing path separator +- if (/[\{\[].*[\/]*.*[\}\]]$/.test(str)) str += '/'; ++ if (/[\{\[].*[\}\]]$/.test(str)) str += '/'; + + // preserves full path in case of trailing path separator + str += 'a'; diff --git a/debian/patches/series b/debian/patches/series index 439519e..421e1b0 100644 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 is-glob-4-compat.patch
+CVE-2020-28469.patch
Bug#987538: buster-pu: package node-end-of-stream/1.4.1-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org [ Reason ] node-end-of-stream test is RC-buggy. This little patch workaround this bug which seems not related to node-end-of-stream itself [ Impact ] No impact, just fix test [ Tests ] No change except one ignored failure [ Risks ] No risks [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Test wanted 8 successful checks. The patch requires only 7, so allows one failure (function not launched probably due to a nodejs change) Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index e08c7c7..4c026c2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-end-of-stream (1.4.1-1+deb10u1) buster; urgency=medium + + * Team upload + * Workaround test bug (Closes: #987530) + + -- Yadd Sun, 25 Apr 2021 11:56:20 +0200 + node-end-of-stream (1.4.1-1) unstable; urgency=medium * New upstream version diff --git a/debian/patches/01-fix-test.patch b/debian/patches/01-fix-test.patch new file mode 100644 index 000..38a917e --- /dev/null +++ b/debian/patches/01-fix-test.patch 
@@ -0,0 +1,22 @@
+Description: decrease min successful test to allow one error
+ Test wanted 8 (all) checks to be successful. It seems that nodejs changes
+ breaks last test (lines 67 to 81): eos(socket,...) isn't launched.
+ .
+ This bug seems not linked to end-of-stream itself but related to nodejs "net"
+ use in this test. So this patch is just a workaround, not a real fix.
+Author: Yadd
+Bug-Debian: https://bugs.debian.org/987530
+Forwarded: not-needed
+Last-Update: 2021-04-25
+
+--- a/test.js b/test.js
+@@ -1,7 +1,7 @@
+ var assert = require('assert');
+ var eos = require('./index');
+
+-var expected = 8;
++var expected = 7;
+ var fs = require('fs');
+ var cp = require('child_process');
+ var net = require('net');
diff --git a/debian/patches/series b/debian/patches/series
index 6a9cea4..a9118e6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 00-fix_test.diff
+01-fix-test.patch
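Review bot: Lowering `expected` from 8 to 7 makes the test pass when any one of the eight callbacks is missed, not only the `net`-based case the header describes, so a future regression in an unrelated case would be hidden. Skipping the socket case explicitly (the lines 67 to 81 named in the patch description) and keeping `expected` equal to the number of cases actually run would preserve the test's strength. The counter logic and the cases themselves are in the part of `test.js` outside the hunk.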
Bug#987546: unblock: node-redis/3.0.2+~cs5.18.1-3
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-redis [ Reason ] node-redis is vulnearable to a Regex Denial of Service [ Impact ] Medium security risk [ Tests ] No change in tests. Both build & autopkgtest passed [ Risks ] Change is trivial: just a regex fix. node-redis has no reverse dependencies for now, so no risk for other packages [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] Patch also includes: * uploaders list update: Leo is MIA * GitHub regex fix in debian/watch unblock node-redis/3.0.2+~cs5.18.1-3 diff --git a/debian/changelog b/debian/changelog index 4f546a6..f25dee1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,5 +1,14 @@ +node-redis (3.0.2+~cs5.18.1-3) UNRELEASED; urgency=medium + + * Fix GitHub tags regex + * Uploaders: remove Leo Iannacone, thanks for your work! + * Fix potential ReDoS (Closes: CVE-2021-29469) + + -- Yadd Sun, 25 Apr 2021 13:54:43 +0200 + node-redis (3.0.2+~cs5.18.1-2) unstable; urgency=medium + [ Xavier Guimard ] * Add node-lodash-packages in test dependencies -- Xavier Guimard Mon, 21 Dec 2020 06:13:22 +0100 diff --git a/debian/control b/debian/control index 8fecf53..de2c694 100644 --- a/debian/control +++ b/debian/control @@ -1,6 +1,6 @@ Source: node-redis Maintainer: Debian Javascript Maintainers -Uploaders: Leo Iannacone , Xavier Guimard +Uploaders: Yadd Section: javascript Priority: optional Build-Depends: debhelper-compat (= 13) diff --git a/debian/copyright b/debian/copyright index 24794c5..b0ec804 100644 --- a/debian/copyright +++ b/debian/copyright @@ -21,7 +21,7 @@ License: Expat Files: debian/* Copyright: 2014 Leo Iannacone - 2019-2020 Xavier Guimard + 2019-2020 Yadd License: GPL-3 Files: debian/tests/test_modules/intercept-stdout/* 
diff --git a/debian/patches/CVE-2021-29469.patch b/debian/patches/CVE-2021-29469.patch new file mode 100644 index 000..d074802 --- /dev/null +++ b/debian/patches/CVE-2021-29469.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Leibale Eidelman +Origin: upstream, https://github.com/NodeRedis/node-redis/commit/2d11b6dc +Bug: https://github.com/NodeRedis/node-redis/issues/1569 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-25 + +--- a/lib/utils.js b/lib/utils.js +@@ -127,7 +127,7 @@ + reply_to_object: replyToObject, + print: print, + err_code: /^([A-Z]+)\s+(.+)$/, +-monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/, ++monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/, + clone: convenienceClone, + callback_or_emit: callbackOrEmit, + reply_in_order: replyInOrder diff --git a/debian/patches/series b/debian/patches/series index 73eead0..250556a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ avoid-failing-test.diff disable-tests-failing-with-redis-5.6.diff remove-cross-spawn.patch +CVE-2021-29469.patch diff --git a/debian/watch b/debian/watch index ebfa712..34f812e 100644 --- a/debian/watch +++ b/debian/watch @@ -1,7 +1,7 @@ version=4 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-redis-$1.tar.gz/ \ - https://github.com/NodeRedis/node_redis/tags .*/archive/v?\.?([\d\.]+).tar.gz group + https://github.com/NodeRedis/node_redis/tags .*/archive/.*/v?\.?([\d\.]+).tar.gz group opts="searchmode=plain,pgpmode=none,ctype=nodejs,component=redis-commands" \ https://registry.npmjs.org/redis-commands https://registry.npmjs.org/redis-commands/-/redis-commands-(\d[\d\.]*)@ARCHIVE_EXT@ checksum
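Review bot: The new `monitor_regex` changes what it accepts, not only how it backtracks: the old tail `( ".+?")+$` required at least one quoted argument after the `[...]` client block, whereas `.*"$` only requires the line to end with a double quote, and the two remaining unbounded runs (`.+\]` and `.*"`) can still overlap, so matching stays quadratic on a long line with many `]` and no closing quote. That is presumably acceptable for redis MONITOR output, but a one-line comment above the pattern stating the accepted shape and that individual quoted arguments are no longer validated would record the trade-off for the next reader. The same hunk is carried verbatim into the buster upload (`node-redis 2.8.0-1+deb10u1`) further down, where the note applies equally; the `utils` object this property belongs to starts outside the hunk.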
Bug#987548: buster-pu: package node-redis/2.8.0-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-redis is vulnerable to ReDoS (CVE-2021-29469) [ Impact ] Medium risk [ Tests ] No [ Risks ] No risk, node-redis has no reverse dependencies and patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Regex update Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index e865de4..5994010 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-redis (2.8.0-1+deb10u1) unstable; urgency=medium + + * Fix potential ReDoS (Closes: CVE-2021-29469) + + -- Yadd Sun, 25 Apr 2021 14:09:33 +0200 + node-redis (2.8.0-1) unstable; urgency=medium * Add components in gbp.conf and debian/watch (used for test only): diff --git a/debian/patches/CVE-2021-29469.patch b/debian/patches/CVE-2021-29469.patch new file mode 100644 index 000..d074802 --- /dev/null +++ b/debian/patches/CVE-2021-29469.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: Leibale Eidelman +Origin: upstream, https://github.com/NodeRedis/node-redis/commit/2d11b6dc +Bug: https://github.com/NodeRedis/node-redis/issues/1569 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-25 + +--- a/lib/utils.js b/lib/utils.js +@@ -127,7 +127,7 @@ + reply_to_object: replyToObject, + print: print, + err_code: /^([A-Z]+)\s+(.+)$/, +-monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/, ++monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/, + clone: convenienceClone, + callback_or_emit: callbackOrEmit, + reply_in_order: replyInOrder diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..1d28461 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-29469.patch
Bug#987767: unblock: node-postcss/8.2.1+~cs5.3.23-7
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org Please unblock package node-postcss [ Reason ] node-postcss is vulnerable to a Regex Denial of Service (ReDoS) [ Impact ] Medium vulnerability [ Tests ] I added tests for CVE-2021-23368 and CVE-2021-23382 inspired from CVE prove of concepts [ Risks ] No risk, this is just a regex improvement. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-postcss/8.2.1+~cs5.3.23-7 diff --git a/debian/changelog b/debian/changelog index f7ffc04..a66396e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-postcss (8.2.1+~cs5.3.23-7) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-23382) + * Add autopkgtest files for CVE-2021-23368 and CVE-2021-23382 + + -- Yadd Thu, 29 Apr 2021 10:24:48 +0200 + node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23382.patch b/debian/patches/CVE-2021-23382.patch new file mode 100644 index 000..a953851 --- /dev/null +++ b/debian/patches/CVE-2021-23382.patch 
@@ -0,0 +1,25 @@ +Description: Fix ReDoS in previous-map +Author: Yeting Li +Origin: upstream, https://github.com/postcss/postcss/commit/2ad1ca9b +Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-29 + +--- a/lib/previous-map.js b/lib/previous-map.js +@@ -49,12 +49,12 @@ + + getAnnotationURL (sourceMapString) { + return sourceMapString +- .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1] ++ .match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1] + .trim() + } + + loadAnnotation (css) { +-let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm) ++let annotations = css.match(/\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm) + + if (annotations && annotations.length > 0) { + // Locate the last sourceMappingURL to avoid picking up diff --git a/debian/patches/series b/debian/patches/series index 1be7968..2e873a9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ CVE-2021-23368.patch +CVE-2021-23382.patch diff --git a/debian/tests/CVE-2021-23368.js b/debian/tests/CVE-2021-23368.js new file mode 100644 index 000..1a8b09c --- /dev/null +++ b/debian/tests/CVE-2021-23368.js @@ -0,0 +1,32 @@ +var postcss = require("postcss") + +const startTime = Date.now(); + +function build_attack(n) { +var ret = "a{}/*# sourceMappingURL=" +for (var i = 0; i < n; i++) { +ret += " " +} +return ret + "!"; +} + +// postcss.parse('a{}/*# sourceMappingURL=a.css.map */') +for(var i = 1; i <= 50; i++) { +if (i % 1 == 0) { +var time = Date.now(); +var attack_str = build_attack(i) +try{ +postcss.parse(attack_str) +var time_cost = Date.now() - time; +console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); +} +catch(e){ +var time_cost = Date.now() - time; +console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); +} +} +if(Date.now() - time > 1) { +console.error('Vulnerable to CVE-2021-23368'); +process.exit(1); +} +} 
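Review bot: The tempered pattern `(?:(?!sourceMappingURL=).)*` is now spelled out twice on the `++` lines, once in `getAnnotationURL` and once in `loadAnnotation`, and the two copies must stay identical for `getAnnotationURL` to re-match whatever `loadAnnotation` found; a single module-level `const` holding the non-global form, from which `loadAnnotation` builds its `gm` variant with `new RegExp(re.source, 'gm')`, would make that coupling explicit. The `.match(...)[1]` on the first `++` line still throws a bare TypeError if the string does not match, so a one-line comment such as `// caller guarantees the string was selected by loadAnnotation's regex` would record why that is acceptable. The class enclosing both methods starts before the hunk.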
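Review bot: The failure criterion `if(Date.now() - time > 1)` in the new CVE-2021-23368 test gives a single millisecond to each `postcss.parse` call, which a loaded autopkgtest worker, or simply the first call before anything is warm, can exceed with the fixed package too; the inputs are at most about 75 characters, so a bound such as `> 100` still separates a vulnerable regex from a fixed one without spurious failures. The `catch` branch only repeats the `console.log` of the `try` branch, so an exception (presumably expected here, since the comment is never closed) is indistinguishable from success in the output, while `startTime` and the always-true `i % 1 == 0` guard are dead code. Moving the timing line into a `finally` block and logging `e.message` in `catch` would make the script shorter and more informative.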
diff --git a/debian/tests/CVE-2021-23382.js b/debian/tests/CVE-2021-23382.js new file mode 100644 index 000..c891279 --- /dev/null +++ b/debian/tests/CVE-2021-23382.js @@ -0,0 +1,32 @@ +var postcss = require("postcss") + +const startTime = Date.now(); + +function build_attack(n) { +var ret = "a{}" +for (var i = 0; i < n; i++) { +ret += "/*# sourceMappingURL=" +} +return ret + "!"; +} + +// postcss.parse('a{}/*# sourceMappingURL=a.css.map */') +for(var i = 1; i <= 50; i++) { +if (i % 1000 == 0) { +var time = Date.now(); +var attack_str = build_attack(i) +try{ +postcss.parse(attack_str) +var time_cost = Date.now() - time; +console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); +} +catch(e){ +var time_cost = Date.now() - time; +console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); +} +} +if(Date.now() - time > 1) { +console.error('Vulnerable to CVE-2021-23368'); +process.exit(1); +} +} diff --git a/debian/tests/control b/debian/tests/cont
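Review bot: This test never exercises the regex it is meant to check: the loop runs `i` from 1 to 50 but the body is guarded by `if (i % 1000 == 0)`, which is never true, so `build_attack` and `postcss.parse` are never called, the hoisted `time` stays `undefined`, `Date.now() - time` is NaN, `NaN > 1` is false, and the script exits 0 against both the vulnerable and the fixed package. The guard should be `if (i % 1 == 0)` (or dropped altogether) as in the sibling CVE-2021-23368 test, and the failure message should read `'Vulnerable to CVE-2021-23382'` instead of the copy-pasted CVE-2021-23368. Until that is fixed the `[ Tests ]` claim for CVE-2021-23382 is not backed by a check that can fail.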
Bug#987767: unblock: node-postcss/8.2.1+~cs5.3.23-8
Le 29/04/2021 à 10:32, Yadd a écrit : > Package: release.debian.org > Severity: normal > User: release.debian@packages.debian.org > Usertags: unblock > X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org > > Please unblock package node-postcss > > [ Reason ] > node-postcss is vulnerable to a Regex Denial of Service (ReDoS) > > [ Impact ] > Medium vulnerability > > [ Tests ] > I added tests for CVE-2021-23368 and CVE-2021-23382 inspired from CVE > prove of concepts > > [ Risks ] > No risk, this is just a regex improvement. > > [ Checklist ] > [X] all changes are documented in the d/changelog > [X] I reviewed all changes and I approve them > [X] attach debdiff against the package in testing > > Cheers, > Yadd > > unblock node-postcss/8.2.1+~cs5.3.23-7 I added a missing `set -e` in security test. autopkgtest works fine with my patch and fail without. Cheers, Yadd unblock node-postcss/8.2.1+~cs5.3.23-8 diff --git a/debian/changelog b/debian/changelog index f7ffc04..cf21277 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +node-postcss (8.2.1+~cs5.3.23-8) unstable; urgency=medium + + * Team upload + * Add missing `set -e` in security test + + -- Yadd Thu, 29 Apr 2021 10:44:29 +0200 + +node-postcss (8.2.1+~cs5.3.23-7) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-23382) + * Add autopkgtest files for CVE-2021-23368 and CVE-2021-23382 + + -- Yadd Thu, 29 Apr 2021 10:24:48 +0200 + node-postcss (8.2.1+~cs5.3.23-6) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23382.patch b/debian/patches/CVE-2021-23382.patch new file mode 100644 index 000..a953851 --- /dev/null +++ b/debian/patches/CVE-2021-23382.patch 
@@ -0,0 +1,25 @@ +Description: Fix ReDoS in previous-map +Author: Yeting Li +Origin: upstream, https://github.com/postcss/postcss/commit/2ad1ca9b +Bug: https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-29 + +--- a/lib/previous-map.js b/lib/previous-map.js +@@ -49,12 +49,12 @@ + + getAnnotationURL (sourceMapString) { + return sourceMapString +- .match(/\/\*\s*# sourceMappingURL=(.*)\*\//)[1] ++ .match(/\/\*\s*# sourceMappingURL=((?:(?!sourceMappingURL=).)*)\*\//)[1] + .trim() + } + + loadAnnotation (css) { +-let annotations = css.match(/\/\*\s*# sourceMappingURL=.*\*\//gm) ++let annotations = css.match(/\/\*\s*# sourceMappingURL=(?:(?!sourceMappingURL=).)*\*\//gm) + + if (annotations && annotations.length > 0) { + // Locate the last sourceMappingURL to avoid picking up diff --git a/debian/patches/series b/debian/patches/series index 1be7968..2e873a9 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ CVE-2021-23368.patch +CVE-2021-23382.patch diff --git a/debian/tests/CVE-2021-23368.js b/debian/tests/CVE-2021-23368.js new file mode 100644 index 000..1a8b09c --- /dev/null +++ b/debian/tests/CVE-2021-23368.js @@ -0,0 +1,32 @@ +var postcss = require("postcss") + +const startTime = Date.now(); + +function build_attack(n) { +var ret = "a{}/*# sourceMappingURL=" +for (var i = 0; i < n; i++) { +ret += " " +} +return ret + "!"; +} + +// postcss.parse('a{}/*# sourceMappingURL=a.css.map */') +for(var i = 1; i <= 50; i++) { +if (i % 1 == 0) { +var time = Date.now(); +var attack_str = build_attack(i) +try{ +postcss.parse(attack_str) +var time_cost = Date.now() - time; +console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); +} +catch(e){ +var time_cost = Date.now() - time; +console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms"); +} +} +if(Date.now() - time > 1) { +console.error('Vulnerable to CVE-2021-23368'); +process.exit(1); +} +} 
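Review bot: The 1 ms budget in `if(Date.now() - time > 1)` is the fragile part of this test and is unchanged in the resubmission; a slow or busy worker can push a legitimate `postcss.parse` of a 75-character string past that bound, turning the autopkgtest into a source of false regressions. Since a vulnerable regex takes orders of magnitude longer on these inputs, a bound like `> 100` keeps the signal while removing the noise. The `try`/`catch` pair logs the same line on both paths, so parse errors are silently folded into "success" in the output; logging `e.message` in `catch` would show what actually happened.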
diff --git a/debian/tests/CVE-2021-23382.js b/debian/tests/CVE-2021-23382.js new file mode 100644 index 000..c891279 --- /dev/null +++ b/debian/tests/CVE-2021-23382.js @@ -0,0 +1,32 @@ +var postcss = require("postcss") + +const startTime = Date.now(); + +function build_attack(n) { +var ret = "a{}" +for (var i = 0; i < n; i++) { +ret += "/*# sourceMappingURL=" +} +return ret + "!"; +} + +// postcss.parse('a{}/*# sourceMappingURL=a.css.map */') +for(var i = 1; i <= 50; i++) { +if (i % 1000 == 0) { +var time = Date.now(); +var attack_str = build_attack(i) +try{ +postcss.parse(attack_str) +var time_cost = Date.now() - time; +console.log(&quo
Bug#987767: unblock: node-postcss/8.2.1+~cs5.3.23-8
Le 29/04/2021 à 10:50, Yadd a écrit : > Le 29/04/2021 à 10:32, Yadd a écrit : >> Package: release.debian.org >> Severity: normal >> User: release.debian@packages.debian.org >> Usertags: unblock >> X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org >> >> Please unblock package node-postcss >> >> [ Reason ] >> node-postcss is vulnerable to a Regex Denial of Service (ReDoS) >> >> [ Impact ] >> Medium vulnerability >> >> [ Tests ] >> I added tests for CVE-2021-23368 and CVE-2021-23382 inspired from CVE >> prove of concepts >> >> [ Risks ] >> No risk, this is just a regex improvement. >> >> [ Checklist ] >> [X] all changes are documented in the d/changelog >> [X] I reviewed all changes and I approve them >> [X] attach debdiff against the package in testing >> >> Cheers, >> Yadd >> >> unblock node-postcss/8.2.1+~cs5.3.23-7 > > I added a missing `set -e` in security test. autopkgtest works fine with > my patch and fail without. > > Cheers, > Yadd > > unblock node-postcss/8.2.1+~cs5.3.23-8 Note: this fix is an improvement of previous fix (node-postcss/8.2.1+~cs5.3.23-6): patch fixes the same regular expressions.
Bug#987790: unblock: node-browserslist/4.16.3+~cs5.4.72-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org Please unblock package node-browserslist [ Reason ] node-browserslist is vulnerable to a Regex Denial of Service (ReDoS) (CVE-2021-23364) [ Impact ] Medium vulnerability [ Tests ] I added a autopkgtest file to prove that CVE is fixed [ Risks ] Patch is a little big, I launched rebuilds to verify that all is OK: rebuild node-autoprefixer ... PASS rebuild node-babel7 ... PASS rebuild node-caniuse-api ... PASS rebuild node-core-js ... PASS rebuild node-jest ... PASS rebuild node-katex... PASS Of course autopkgtest is OK [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock node-browserslist/4.16.3+~cs5.4.72-2 diff --git a/debian/changelog b/debian/changelog index ee4d58f..f53ddc3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-browserslist (4.16.3+~cs5.4.72-2) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Fix ReDoS (Closes: CVE-2021-23364) + * Add CVE-2021-23364 test + + -- Yadd Thu, 29 Apr 2021 20:04:29 +0200 + node-browserslist (4.16.3+~cs5.4.72-1) unstable; urgency=medium * Team upload diff --git a/debian/copyright b/debian/copyright index 8f089e4..5166ddf 100644 --- a/debian/copyright +++ b/debian/copyright @@ -12,7 +12,7 @@ License: Expat Files: debian/* Copyright: 2017 Pirate Praveen - 2020 Xavier Guimard + 2020 Yadd License: Expat Files: debian/tests/test_modules/* diff --git a/debian/patches/CVE-2021-23364.patch b/debian/patches/CVE-2021-23364.patch new file mode 100644 index 000..d02d08b --- /dev/null +++ b/debian/patches/CVE-2021-23364.patch 
@@ -0,0 +1,391 @@ +Description: Fix ReDoS +Author: Andrey Sitnik + Yeting Li +Origin: upstream, https://github.com/browserslist/browserslist/commit/c0919169 + https://github.com/browserslist/browserslist/commit/433d5b8d +Bug: https://snyk.io/vuln/SNYK-JS-BROWSERSLIST-1090194 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-04-29 + +--- a/index.js b/index.js +@@ -614,6 +614,68 @@ + }, 0) + } + ++function nodeQuery (context, version) { ++ var nodeReleases = jsReleases.filter(function (i) { ++return i.name === 'nodejs' ++ }) ++ var matched = nodeReleases.filter(function (i) { ++return isVersionsMatch(i.version, version) ++ }) ++ if (matched.length === 0) { ++if (context.ignoreUnknownVersions) { ++ return [] ++} else { ++ throw new BrowserslistError('Unknown version ' + version + ' of Node.js') ++} ++ } ++ return ['node ' + matched[matched.length - 1].version] ++} ++ ++function sinceQuery (context, year, month, date) { ++ year = parseInt(year) ++ month = parseInt(month || '01') - 1 ++ date = parseInt(date || '01') ++ return filterByYear(Date.UTC(year, month, date, 0, 0, 0), context) ++} ++ ++function coverQuery (context, coverage, statMode) { ++ coverage = parseFloat(coverage) ++ var usage = browserslist.usage.global ++ if (statMode) { ++if (statMode.match(/^my\s+stats$/)) { ++ if (!context.customUsage) { ++throw new BrowserslistError( ++ 'Custom usage statistics was not provided' ++) ++ } ++ usage = context.customUsage ++} else { ++ var place ++ if (statMode.length === 2) { ++place = statMode.toUpperCase() ++ } else { ++place = statMode.toLowerCase() ++ } ++ env.loadCountry(browserslist.usage, place, browserslist.data) ++ usage = browserslist.usage[place] ++} ++ } ++ var versions = Object.keys(usage).sort(function (a, b) { ++return usage[b] - usage[a] ++ }) ++ var coveraged = 0 ++ var result = [] ++ var version ++ for (var i = 0; i <= versions.length; i++) { ++version = versions[i] ++if (usage[version] === 0) break ++coveraged += usage[version] 
++result.push(version) ++if (coveraged >= coverage) break ++ } ++ return result ++} ++ + var QUERIES = [ + { + regexp: /^last\s+(\d+)\s+major\s+versions?$/i, +@@ -669,9 +731,11 @@ + { + regexp: /^last\s+(\d+)\s+electron\s+versions?$/i, + select: function (context, versions) { +- return Object.keys(e2c).slice(-versions).map(function (i) { +-return 'chrome ' + e2c[i] +- }) ++ return Object.keys(e2c) ++.slice(-versions) ++.map(function (i) { ++ return 'chrome ' + e2c[i] ++}) + } + }, + { +@@ -709,9 +773,11 @@ + regexp: /^unreleased\s+(\w+)\s+versions?$/i, + select: function (context, name) { + var data = checkName(name, context) +- return data.versions.filter(function (v) { +-return da
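Review bot: In `coverQuery` the loop `for (var i = 0; i <= versions.length; i++)` runs one step past the end of `versions`: on that step `version` is `undefined`, `usage[undefined]` is presumably `undefined`, `coveraged` becomes NaN and `undefined` is pushed onto `result`, so a requested coverage that is never reached (no zero-usage entry and `coveraged` still below `coverage`) returns a list whose last element is `undefined`. Changing the bound to `i < versions.length` fixes it. Separately, `sinceQuery` calls `parseInt` on its three captures without a radix; passing `10` makes the intent explicit even if the selecting regexp only admits digits. The three new functions are complete within the hunk; `QUERIES`, where they are presumably wired in, continues past it.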
Bug#988234: unblock: acorn/8.0.5+ds+~cs19.19.27-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package acorn [ Reason ] Buster to Bullseye transition needs a real node-acorn package (#986134) [ Impact ] Failure in update to Bullseye [ Tests ] No need [ Risks ] No risk, just a transitional package [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other ] acorn is in NEW queue since March 30th 2021 Cheers, Yadd unblock acorn/8.0.5+ds+~cs19.19.27-2 diff --git a/debian/changelog b/debian/changelog index 0d8362d..84d2473 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,16 @@ +acorn (8.0.5+ds+~cs19.19.27-2) unstable; urgency=medium + + * Team upload + + [ Yadd ] + * Fix GitHub tags regex + + [ Andreas Beckmann ] + * Reintroduce node-acorn as transitional package for smooth upgrades from +buster (Closes: #986134) + + -- Yadd Tue, 30 Mar 2021 12:23:12 +0200 + acorn (8.0.5+ds+~cs19.19.27-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 0d66dab..f016e2d 100644 --- a/debian/control +++ b/debian/control @@ -58,3 +58,11 @@ Description: ECMAScript parser for Node.js acorn-numeric-separator, acorn-private-methods. . Node.js is an event-based server-side JavaScript engine. + +Package: node-acorn +Architecture: all +Depends: node-debbundle-acorn (= ${binary:Version}), + ${misc:Depends}, +Description: Transitional dummy package for upgrading to node-debbundle-acorn + This is a transitional dummy package to ease upgrading to + node-debbundle-acorn. It can be safely removed. diff --git a/debian/copyright b/debian/copyright index 507f0f1..ec9c19a 100644 --- a/debian/copyright +++ b/debian/copyright @@ -102,7 +102,7 @@ License: BSD-2-clause Files: debian/* Copyright: 2016-2019 Julien Puydt 2017-2019 Bastien Roucariès - 2020 Xavier Guimard + 2020 Yadd License: Expat Files: node-acorn-globals/* 
diff --git a/debian/node-debbundle-acorn.install b/debian/node-debbundle-acorn.install new file mode 100644 index 000..6c74403 --- /dev/null +++ b/debian/node-debbundle-acorn.install @@ -0,0 +1 @@ +usr/share/nodejs diff --git a/debian/watch b/debian/watch index b34ce67..46c45fd 100644 --- a/debian/watch +++ b/debian/watch @@ -59,4 +59,4 @@ opts=\ component=node-acorn-globals,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-acorn-globals-$1.tar.gz/ \ - https://github.com/ForbesLindesay/acorn-globals/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/ForbesLindesay/acorn-globals/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum
Bug#988332: [pre-approval] unblock: cyrus-imapd/3.2.6-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: secur...@debian.org Please unblock package cyrus-imapd [ Reason ] Cyrus-Imapd is vulnerable to CVE-2021-32056: it allows remote authenticated users to bypass intended access restrictions on server annotations and consequently cause replication to stall. [ Impact ] Security issue (not yet tagged by Security Team [ Tests ] No changes in test [ Risks ] Patch seems trivial, just a better permission check [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd (from hospital ;-)) unblock cyrus-imapd/3.2.6-2 diff --git a/debian/changelog b/debian/changelog index bc383a9c..150929df 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +cyrus-imapd (3.2.6-2) unstable; urgency=medium + + * Update gbp.conf for Bullseye branch + * annotate: don't allow everyone to write shared server entries (Closes: CVE-2021-32056) + + -- Yadd Mon, 10 May 2021 19:24:53 +0200 + cyrus-imapd (3.2.6-1) unstable; urgency=medium * New upstream version 3.2.6 diff --git a/debian/gbp.conf b/debian/gbp.conf index c747fcb7..ee87ac45 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,7 +1,7 @@ [DEFAULT] -debian-branch = master +debian-branch = bullseye debian-tag = debian/%(version)s -upstream-branch = upstream +upstream-branch = upstream-bullseye upstream-tag = upstream/%(version)s pristine-tar = True diff --git a/debian/patches/CVE-2021-32056.patch b/debian/patches/CVE-2021-32056.patch new file mode 100644 index ..9a50abe1 --- /dev/null +++ b/debian/patches/CVE-2021-32056.patch 
@@ -0,0 +1,50 @@
+Description: annotate: don't allow everyone to write shared server entries
+Author: Bron Gondwana
+Origin: upstream, https://github.com/cyrusimap/cyrus-imapd/commit/621f9e41
+Bug: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32056
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2021-05-10
+
+--- a/imap/annotate.c
+@@ -2788,15 +2788,20 @@
+ 
+ keylen = make_key(mboxname, uid, entry, userid, key, sizeof(key));
+ 
+-if (mailbox) {
+-struct annotate_metadata oldmdata;
+-r = read_old_value(d, key, keylen, &oldval, &oldmdata);
+-if (r) goto out;
++struct annotate_metadata oldmdata;
++r = read_old_value(d, key, keylen, &oldval, &oldmdata);
++if (r) goto out;
++
++/* if the value is identical, don't touch the mailbox */
++if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
++goto out;
+ 
+-/* if the value is identical, don't touch the mailbox */
+-if (oldval.len == value->len && (!value->len || !memcmp(oldval.s, value->s, value->len)))
+-goto out;
++if (!maywrite) {
++r = IMAP_PERMISSION_DENIED;
++if (r) goto out;
++}
+ 
++if (mailbox) {
+ if (!ignorequota) {
+ quota_t qdiffs[QUOTA_NUMRESOURCES] = QUOTA_DIFFS_DONTCARE_INITIALIZER;
+ qdiffs[QUOTA_ANNOTSTORAGE] = value->len - (quota_t)oldval.len;
+@@ -2804,11 +2809,6 @@
+ if (r) goto out;
+ }
+ 
+-if (!maywrite) {
+-r = IMAP_PERMISSION_DENIED;
+-if (r) goto out;
+-}
+-
+ /* do the annot-changed here before altering the DB */
+ mailbox_annot_changed(mailbox, uid, entry, userid, &oldval, value, silent);
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 3fab10aa..27fc0ec9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@
 0011-Fix-extra-libpci-in-SNMP_LIBS.patch
 0012-Use-UnicodeData.txt-from-system.patch
 0018-increase-test-timeout.patch
+CVE-2021-32056.patch
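Review bot: The new `if (!maywrite)` block is placed after the identical-value `goto out`, so a caller without write permission who stores exactly the value already present gets success instead of IMAP_PERMISSION_DENIED; if such callers can reach this point, that is a yes/no oracle for guessing the current annotation value, and for server entries it is precisely the path this CVE is about. Moving the three-line permission check up to just after the `if (r) goto out;` that follows `read_old_value` keeps the no-op short-cut for authorised writers and denies everyone else uniformly. The nested `if (r) goto out;` inside that block is presumably always taken, since IMAP_PERMISSION_DENIED should be a nonzero error code, and reads more clearly as a plain `goto out;`. The enclosing function starts before and ends after the hunk.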
Bug#988338: unblock: pkg-js-tools/0.9.65
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package pkg-js-tools [ Reason ] pkg-js-tools provides dh-sequence-nodejs. It simulates npm install features to install node modules in the right places. Since 0.9.52, it reads .npmignore to not install some files. But I missed to force package.json install, this is fixed by this version (0.9.65). This unblock is required to fix node-got RC bug (#988334) [ Impact ] If not unblocked, node-got and maybe some other node packages may be broken [ Tests ] No specific test [ Risks ] This patch includes: * some doc fixes * GitHub tags update * package.json install even if removed by .npmignore [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd (from hospital) unblock pkg-js-tools/0.9.65 diff --git a/debian/changelog b/debian/changelog index 9647851..def7239 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,18 @@ +pkg-js-tools (0.9.65) unstable; urgency=medium + + * Force package.json install even if removed by .npmignore (Closes: #988194) + + -- Yadd Mon, 10 May 2021 20:03:59 +0200 + +pkg-js-tools (0.9.64) unstable; urgency=medium + + * Fix doc, thanks to Andrius Merkys (Closes: #980549) + * Set SALSA_CI_CONFIG_PATH to "debian/salsa-ci.yml" in pkg-js-salsa.conf + * Fix GitHub tags template + * Update copyright + + -- Yadd Sat, 27 Mar 2021 07:12:38 +0100 + pkg-js-tools (0.9.63) unstable; urgency=medium * autopkgtest: fix regexp that parse debian/nodejs/ext* (Closes: #980195) diff --git a/debian/control b/debian/control index 6a1f4bd..9c2fef5 100644 --- a/debian/control +++ b/debian/control @@ -1,7 +1,7 @@ Source: pkg-js-tools Maintainer: Debian Javascript Maintainers Uploaders: - Xavier Guimard , + Yadd , Section: devel Testsuite: autopkgtest-pkg-perl Priority: optional 
@@ -65,12 +65,12 @@ Depends: libjson-perl, ${misc:Depends}, ${perl:Depends}, -Description: collection of autopktest scripts for Nodejs packages +Description: collection of autopkgtest scripts for Nodejs packages This package contains test runners to be used with the autopkgtest infrastructure for Nodejs packages. . Packages using the tests with autopkgtests in this package - can simply set "Testsuite: autopkgtest-nodejs" in debian/control. + can simply set "Testsuite: autopkgtest-pkg-nodejs" in debian/control. . - Cf. /usr/share/doc/pkg-js-autopkgtest/README.autopkgtest.md + Cf. /usr/share/doc/pkg-js-autopkgtest/README.md for information on the tests and how to tweak them. diff --git a/debian/copyright b/debian/copyright index 522c406..be27528 100644 --- a/debian/copyright +++ b/debian/copyright @@ -3,7 +3,7 @@ Upstream-Name: pkg-js-tools Source: https://salsa.debian.org/js-team/pkg-js-tools Files: * -Copyright: 2019-2020, Xavier Guimard +Copyright: 2019-2020, Yadd License: GPL-2+ Files: lintian/* @@ -12,7 +12,7 @@ Copyright: 2013, Niels Thykier 2013, 2014, Axel Beckert 2014, Damyan Ivanov 2018, Florian Schlichting - 2019, Xavier Guimard + 2019-2021, Yadd License: GPL-2+ Files: tools/dh-make-node diff --git a/doc/tools/README.md b/doc/tools/README.md index 5f8a885..5be8c51 100644 --- a/doc/tools/README.md +++ b/doc/tools/README.md @@ -146,7 +146,7 @@ Example: ``` ... -Testsuite: autopkgtest-nodejs +Testsuite: autopkgtest-pkg-nodejs Build-Depends: dh-sequence-nodejs ... ``` diff --git a/lib/Debian/Debhelper/Buildsystem/nodejs.pm b/lib/Debian/Debhelper/Buildsystem/nodejs.pm index 8e060ac..d02138c 100644 --- a/lib/Debian/Debhelper/Buildsystem/nodejs.pm +++ b/lib/Debian/Debhelper/Buildsystem/nodejs.pm @@ -390,7 +390,8 @@ sub install_module { $mainFile = "$mainFile/index.js" if -d $mainFile; warning "MAIN: $mainFile\n" if (DEBUG); $mainFile =~ s#//+#/#g; -my $foundMain = 0; +my $foundMain= 0; +my $foundPkgJson = 0; foreach my $p (@files) { my $pattern; 
@@ -466,7 +467,9 @@ sub install_module { else { unless ( grep { $_ } @tests ) { push @dest, [ $d, $File::Find::name ]; -$foundMain = 1 if $File::Find::name eq $mainFile; +$foundMain= 1 if $File::Find::name eq $mainFile; +$foundPkgJson = 1 + if $File::Find::name eq 'package.json'; } # Debug @@ -507,6 +510,9 @@ EOF push @dest, [ $ldir, $mainFile ]; } } +unless ($foundPkgJson) { +push @dest, [ '', "$dir/package.json" ]; +} foreach (@dest) { $self->doit_in_builddir( 'mkdir', '-p', "$path/$_->[0]&q
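Review bot: The new flag assignment `$foundPkgJson = 1 if $File::Find::name eq 'package.json';` compares against a bare file name, but `$File::Find::name` carries the path from the directory handed to find(), so it will look like `./package.json` or `$dir/package.json` unless find() was started in a way that yields bare names; the adjacent `eq $mainFile` check suggests full paths are what arrive here. If the comparison never matches, `$foundPkgJson` stays 0 and the later `push @dest, [ '', "$dir/package.json" ]` runs unconditionally, which masks the bug by installing `package.json` a second time rather than only when it was pruned by `.npmignore`. Comparing in the same form as `$mainFile`, e.g. `$File::Find::name eq "$dir/package.json"`, would make the flag reliable; please verify against the find() invocation above the hunk. `install_module` starts before the hunk, and the hunk that consumes `$foundPkgJson` is cut off in this view.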
Bug#988340: unblock: node-got/11.8.1+~cs53.13.17-2
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock Please unblock package node-got Due to pkg-js-tools bug, some node-got submodule ar broken due to missing package.json. [ Reason ] Some node-got features are broken (see #988194) [ Impact ] Part of node-got is unusable [ Tests ] No changes in test, this is just a rebuild [ Risks ] No risk but it requires pkg-js-tools unblock [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other ] Patch includes debian/watch update due to GitHub changes Cheers, Yadd (from hospital) unblock node-got/11.8.1+~cs53.13.17-2 diff --git a/debian/changelog b/debian/changelog index b70fffc..c1ca5b3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-got (11.8.1+~cs53.13.17-2) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Rebuild using pkg-js-tools ≥ 0.9.65 (Closes: #988334) + + -- Yadd Mon, 10 May 2021 20:06:44 +0200 + node-got (11.8.1+~cs53.13.17-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 0b42ce9..9ac53ed 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,7 @@ Priority: optional Maintainer: Debian Javascript Maintainers Uploaders: Pirate Praveen Build-Depends: debhelper-compat (= 13) - , dh-sequence-nodejs + , dh-sequence-nodejs (>= 0.9.65~) , node-decompress-response , node-get-stream , node-json-buffer diff --git a/debian/copyright b/debian/copyright index 5c7586f..589318f 100644 --- a/debian/copyright +++ b/debian/copyright @@ -55,7 +55,7 @@ License: Expat Files: debian/* Copyright: 2017 Pirate Praveen - 2020 Xavier Guimard + 2020 Yadd License: Expat Files: debian/build_modules/* diff --git a/debian/watch b/debian/watch index cab480d..72f98c0 100644 --- a/debian/watch +++ b/debian/watch 
@@ -2,21 +2,21 @@ version=4 opts=\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-got-$1.tar.gz/ \ - https://github.com/sindresorhus/got/tags .*/archive/v?([\d\.]+).tar.gz group + https://github.com/sindresorhus/got/tags .*/archive/.*/v?([\d\.]+).tar.gz group opts=\ ctype=nodejs,\ component=cacheable-lookup,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-cacheable-lookup-$1.tar.gz/ \ - https://github.com/szmarczak/cacheable-lookup/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/szmarczak/cacheable-lookup/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum opts=\ ctype=nodejs,\ component=cacheable-request,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-cacheable-request-$1.tar.gz/ \ - https://github.com/lukechilds/cacheable-request/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/lukechilds/cacheable-request/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum # It is not recommended use npmregistry. Please investigate more. # Take a look at https://wiki.debian.org/debian/watch/ 
@@ -28,21 +28,21 @@ ctype=nodejs,\ component=clone-response,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-clone-response-$1.tar.gz/ \ - https://github.com/lukechilds/clone-response/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/lukechilds/clone-response/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum opts=\ ctype=nodejs,\ component=defer-to-connect,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-defer-to-connect-$1.tar.gz/ \ - https://github.com/szmarczak/defer-to-connect/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/szmarczak/defer-to-connect/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum opts=\ ctype=nodejs,\ component=http-cache-semantics,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-http-cache-semantics-$1.tar.gz/ \ - https://github.com/kornelski/http-cache-semantics/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/kornelski/http-cache-semantics/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum # It is not recommended use npmregistry. Please investigate more. # Take a look at https://wiki.debian.org/debian/watch/ @@ -59,7 +59,7 @@ ctype=nodejs,\ component=keyv,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-keyv-$1.tar.gz/ \ - https://github.com/lukechilds/keyv/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/lukechilds/keyv/tags .*/archive/.*/v?([\d\.]+).tar.gz checksum # It is not recommended use npmregistry. Please investigate more. # Take a look at https://wiki.debian.org/debian/watch/ @@ -71,21 +71,21 @@ ctype=nodejs,\ component=normalize-url,\ dversionmangle=auto,\ filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-normalize-url-$1.tar.gz/ \ - https://github.com/sindresorhus/normalize-url/tags .*/archive/v?([\d\.]+).tar.gz checksum + https://github.com/sindresor
Bug#988503: unblock: node-millstone/0.6.19-4
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: pkg-javascript-de...@lists.debian.org Please unblock package node-millstone [ Reason ] During autopkgtest, node-millstone downloads files from upstream repository. One of this files is missing, causing autopkgtest to fail (#988495) [ Impact ] No user impact, this just fixes autopkgtest [ Tests ] One check dropped [ Risks ] No risk: no code change [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing [ Other info ] This patch also: * update GitHub tags regex in debian/watch * mark autopkgtest with 'needs-internet' (which was missing) Cheers, Yadd (still from hospital ;-)) unblock node-millstone/0.6.19-4 diff --git a/debian/changelog b/debian/changelog index 3e8d5a7..772caee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-millstone (0.6.19-4) unstable; urgency=medium + + * Team upload + * Fix GitHub tags regex + * Disable one check in test: upstream deleted test file (Closes: #988495) + * Mark autopkgtest with "needs-internet" + + -- Yadd Fri, 14 May 2021 11:51:08 +0200 + node-millstone (0.6.19-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/disable-one-test.diff b/debian/patches/disable-one-test.diff index 562c276..20e5058 100644 --- a/debian/patches/disable-one-test.diff +++ b/debian/patches/disable-one-test.diff 
@@ -1,8 +1,24 @@ -Description: disable one test -Author: Xavier Guimard +Description: disable some checks + Upstream deleted test files in its repo +Author: Yadd Forwarded: not-needed -Last-Update: 2020-10-21 +Last-Update: 2021-05-14 +--- a/test/markers.test.js b/test/markers.test.js +@@ -42,6 +42,7 @@ + }); + }); + ++/* + it('correctly localizes zipped json', function(done) { + var mml = JSON.parse(fs.readFileSync(path.join(__dirname, 'zipped-json/project.mml'))); + +@@ -70,3 +71,4 @@ + done(); + }); + }); ++*/ --- a/test/test.js +++ b/test/test.js @@ -126,6 +126,7 @@ diff --git a/debian/tests/control b/debian/tests/control index 459e3df..d054e74 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -19,6 +19,6 @@ Depends: @ , node-step , node-underscore , node-zipfile -Restrictions: allow-stderr, skippable, +Restrictions: allow-stderr, skippable, needs-internet Architecture: amd64 Features: test-name=pkg-js-autopkgtest diff --git a/debian/watch b/debian/watch index 5f294dc..672fe6b 100644 --- a/debian/watch +++ b/debian/watch @@ -1,4 +1,4 @@ version=3 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-millstone-$1.tar.gz/ \ -https://github.com/mapbox/millstone/tags .*/archive/v?([\d\.]+).tar.gz +https://github.com/mapbox/millstone/tags .*/archive/.*/v?([\d\.]+).tar.gz
Bug#988883: unblock: libbusiness-us-usps-webtools-perl/1.125-1
Package: release.debian.org Severity: normal User: release.debian@packages.debian.org Usertags: unblock X-Debbugs-Cc: debian-p...@lists.debian.org Please unblock package libbusiness-us-usps-webtools-perl [ Reason ] USPS is sending notices that HTTP access will be turned off shortly, in favor of HTTPS. libbusiness-us-usps-webtools-perl 1.125 includes only this fix and included our patch. [ Impact ] Given that is a web service that will break in the wild. [ Tests ] Upstream updated its test. [ Risks ] Patch isn't so big, just URL updates [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing Cheers, Yadd unblock libbusiness-us-usps-webtools-perl/1.125-1 diff --git a/Changes b/Changes index ad21fdc..0134ec1 100644 --- a/Changes +++ b/Changes @@ -1,5 +1,21 @@ Revision history for Perl module Business::US::USPS::WebTools +1.125 2021-05-19 +* Updated API endpoints. Always use HTTPS. + +* Removed two tests that started failing due to changes in the API + response. + +* Skip tracking tests (which are disabled anyway) rather than failing if + test credentials aren't set. + +* Access to the testing/staging environment is no longer granted by + default and testing against the production environment is allowed + (load/stress testing isn't), so tests are now run against the + production API by default. To run against the testing/staging + environment, set USPS_WEBTOOLS_ENVIRONMENT to TESTING while setting up + your credentials. + 1.124 2020-09-18 * New maintainer diff --git a/META.json b/META.json index 8bdd808..21d2a96 100644 --- a/META.json +++ b/META.json @@ -55,6 +55,6 @@ "web" : "https://github.com/ssimms/business-us-usps-webtools"; } }, - "version" : "1.124", + "version" : "1.125", "x_serialization_backend" : "JSON::PP version 2.97001" } diff --git a/META.yml b/META.yml index 242e04a..c3b908a 100644 --- a/META.yml +++ b/META.yml 
@@ -27,5 +27,5 @@ resources: bugtracker: https://github.com/ssimms/business-us-usps-webtools/issues homepage: https://github.com/ssimms/business-us-usps-webtools repository: https://github.com/ssimms/business-us-usps-webtools.git -version: '1.124' +version: '1.125' x_serialization_backend: 'CPAN::Meta::YAML version 0.018' diff --git a/debian/changelog b/debian/changelog index 7cfe053..5e96703 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libbusiness-us-usps-webtools-perl (1.125-1) unstable; urgency=medium + + * Import upstream version 1.125 (Closes: #988330) + * Remove patch, now included in upstream + + -- Yadd Thu, 20 May 2021 19:23:56 +0200 + libbusiness-us-usps-webtools-perl (1.124-1) unstable; urgency=medium [ gregor herrmann ] diff --git a/debian/patches/series b/debian/patches/series deleted file mode 100644 index 3ee9145..000 --- a/debian/patches/series +++ /dev/null @@ -1 +0,0 @@ -skip-network-test.diff diff --git a/debian/patches/skip-network-test.diff b/debian/patches/skip-network-test.diff deleted file mode 100644 index 2b6407a..000 --- a/debian/patches/skip-network-test.diff +++ /dev/null @@ -1,21 +0,0 @@ -Description: skip test that require network + USPS account -Author: Xavier Guimard -Forwarded: https://github.com/ssimms/business-us-usps-webtools/pull/1 -Last-Update: 2020-09-22 - a/t/track_confirm.t -+++ b/t/track_confirm.t -@@ -6,6 +6,13 @@ - my $class = "Business::US::USPS::WebTools::TrackConfirm"; - my $method = 'track'; - -+# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # -+unless( $ENV{USPS_WEBTOOLS_USERID} and $ENV{USPS_WEBTOOLS_PASSWORD} ) -+ { -+ plan skip_all => -+ "You must set the USPS_WEBTOOLS_USERID and USPS_WEBTOOLS_PASSWORD " . -+ "environment variables to run these tests\n"; -+ } - - # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # - subtest setup => sub { 
diff --git a/lib/Business/US/USPS/WebTools.pm b/lib/Business/US/USPS/WebTools.pm index 819307d..7547253 100644 --- a/lib/Business/US/USPS/WebTools.pm +++ b/lib/Business/US/USPS/WebTools.pm @@ -10,7 +10,7 @@ use Carp qw(carp croak); use subs qw(); use vars qw($VERSION); -$VERSION = '1.124'; +$VERSION = '1.125'; =encoding utf8 @@ -125,7 +125,7 @@ sub _api_path { $_[0]->_live ? "/ShippingAPI.dll" : - "/ShippingAPITest.dll" + "/ShippingAPI.dll" } sub _make_url { @@ -133,7 +133,7 @@ sub _make_url { my( $self, $hash ) = @_; $self->{url} = Mojo::URL->n
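Review bot: After this change both arms of the ternary in `_api_path` return `"/ShippingAPI.dll"`, so the `$_[0]->_live ?` test is dead code and the body can be reduced to `sub _api_path { "/ShippingAPI.dll" }`; if the branch is deliberately kept for a future divergence of the staging path, a one-line comment saying so would stop the next reader from "fixing" it. The `_make_url` hunk that follows is cut off at the end of this chunk, so the scheme change there is not reviewed here.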
Bug#988977: buster-pu: package libbusiness-us-usps-webtools-perl/1.122-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: debian-p...@lists.debian.org [ Reason ] USPS is sending notices that HTTP access will be turned off shortly, in favor of HTTPS. Given that is a web service that will break in the wild, in addition to a regular update for unstable, we should update buster (and stretch) via stable-updates (and oldstable-updates). [ Impact ] libbusiness-us-usps-webtools-perl will be unusable after June 24th, 2021. [ Tests ] (What automated or manual tests cover the affected code?) [ Risks ] Patch is a backport of 1.124 -> 1.125 adapted for 1.122. Even if there is a little risk (since I'm not able to fully test it), not updating this package is a more elevated risk. [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] API change Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3a65ac0..964b422 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libbusiness-us-usps-webtools-perl (1.122-1+deb10u1) buster; urgency=medium + + * Update to new US-USPS API (Closes: #988330) + + -- Yadd Sat, 22 May 2021 12:17:01 +0200 + libbusiness-us-usps-webtools-perl (1.122-1) unstable; urgency=medium [ gregor herrmann ] diff --git a/debian/patches/series b/debian/patches/series index 38edaa7..4562936 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ spelling-errors.patch +update-us-usps-webtools-to-https.patch diff --git a/debian/patches/update-us-usps-webtools-to-https.patch b/debian/patches/update-us-usps-webtools-to-https.patch new file mode 100644 index 000..7269fd1 --- /dev/null +++ b/debian/patches/update-us-usps-webtools-to-https.patch 
@@ -0,0 +1,307 @@ +Description: update due to US-USPS changes +Author: Xavier Guimard +Forwarded: not-needed +Last-Update: 2021-05-21 + +--- a/lib/Business/US/USPS/WebTools.pm b/lib/Business/US/USPS/WebTools.pm +@@ -41,7 +41,7 @@ + =cut + + my $LiveServer = "production.shippingapis.com"; +-my $TestServer = "testing.shippingapis.com"; ++my $TestServer = "stg-production.shippingapis.com"; + + =item new( ANONYMOUS_HASH ) + +@@ -123,7 +123,7 @@ + $_[0]->_live ? + "/ShippingAPI.dll" + : +- "/ShippingAPITest.dll" ++ "/ShippingAPI.dll" + } + + sub _make_query_string { +@@ -145,7 +145,7 @@ + sub _make_url { + my( $self, $hash ) = @_; + +- $self->{url} = qq|http://| . $self->_api_host . $self->_api_path . ++ $self->{url} = qq|https://| . $self->_api_host . $self->_api_path . + "?" . $self->_make_query_string( $hash ); + } + +--- a/t/address_verification.t b/t/address_verification.t +@@ -21,23 +21,35 @@ + "environment variables to run these tests\n"; + } + ++my $is_testing = uc($ENV{USPS_WEBTOOLS_ENVIRONMENT}) eq 'TESTING'; ++ + # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + use_ok( $class ); + + my $verifier; +-my $base = qq|http://testing.shippingapis.com/ShippingAPITest.dll?API=Verify&XML=%3CAddressValidateRequest+USERID%3D%22$ENV{USPS_WEBTOOLS_USERID}%22+PASSWORD%3D%22$ENV{USPS_WEBTOOLS_PASSWORD}%22%3E%3CIncludeOptionalElements%3Etrue%3C%2FIncludeOptionalElements%3E%3CReturnCarrierRoute%3Etrue%3C%2FReturnCarrierRoute%3E|; ++ ++my $base = 'https://' . ($is_testing ? 'stg-' : '') . 
qq|production.shippingapis.com/ShippingAPI.dll?API=Verify&XML=%3CAddressValidateRequest+USERID%3D%22$ENV{USPS_WEBTOOLS_USERID}%22+PASSWORD%3D%22$ENV{USPS_WEBTOOLS_PASSWORD}%22%3E%3CIncludeOptionalElements%3Etrue%3C%2FIncludeOptionalElements%3E%3CReturnCarrierRoute%3Etrue%3C%2FReturnCarrierRoute%3E|; + + subtest setup => sub { + $verifier = $class->new( { + UserID => $ENV{USPS_WEBTOOLS_USERID}, + Password => $ENV{USPS_WEBTOOLS_PASSWORD}, +- Testing => 1, ++Testing => $is_testing, + } ); + isa_ok( $verifier, $class ); + + can_ok( $verifier, $method ); + }; + ++=pod ++ ++2021-05-19: This test is failing because the API is no longer returning the ++expected output; it now includes the following warning: ++ ++Default address: The address you entered was found but more information is ++needed (such as an apartment, suite, or box number) to match to a specific ++address. ++ + # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # + # Good response #1 + subtest good_response_1 => sub { +@@ -81,6 +93,8 @@ + is( $hash->{Zip4}, '1441
Bug#994490: bullseye-pu: package node-set-value/3.0.1-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pkg-javascript-de...@lists.alioth.debian.org [ Reason ] node-set-value is vulnerable to prototype pollution (#994448, CVE-2021-23440) [ Impact ] Medium vulnerability [ Tests ] New test added, inspired from PoC [ Risks ] No risk, patch itself is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] New check to verify key Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index a836bdb..1ae7498 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-set-value (3.0.1-2+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #994448, CVE-2021-23440) + * Add test for CVE-2021-23440 + + -- Yadd Thu, 16 Sep 2021 18:17:19 +0200 + node-set-value (3.0.1-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23440.patch b/debian/patches/CVE-2021-23440.patch new file mode 100644 index 000..55a96f3 --- /dev/null +++ b/debian/patches/CVE-2021-23440.patch @@ -0,0 +1,20 @@ +Description: fix prototype pollution + Inspired from https://github.com/jonschlinkert/set-value/pull/33/files +Author: Yadd +Bug: https://snyk.io/vuln/SNYK-JS-SETVALUE-1540541 +Bug-Debian: https://bugs.debian.org/994448 +Forwarded: not-needed +Last-Update: 2021-09-16 + +--- a/index.js b/index.js +@@ -99,6 +99,9 @@ + } + + function isValidKey(key) { ++ if (typeof key !== 'string' && typeof key !== 'number') { ++key = String(key) ++ } + return key !== '__proto__' && key !== 'constructor' && key !== 'prototype'; + } + diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..22df165 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-23440.patch 
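Review bot: The coercion added to `isValidKey` carries no comment explaining why a non-primitive key must be stringified before the comparison, and `key = String(key)` drops the semicolon the surrounding `return` line uses. Suggest `// Property access coerces non-string keys (e.g. ['__proto__']) to a string, so compare what the access will actually see` above the new block, and a semicolon on the assignment. Only the single key passed in is coerced here; whether the caller routes every path segment through `isValidKey` is outside the hunk and should be confirmed.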
diff --git a/debian/tests/CVE-2021-23440 b/debian/tests/CVE-2021-23440 new file mode 100755 index 000..d756ed2 --- /dev/null +++ b/debian/tests/CVE-2021-23440 @@ -0,0 +1,3 @@ +if node debian/tests/CVE-2021-23440.js; then + exit 1; +fi diff --git a/debian/tests/CVE-2021-23440.js b/debian/tests/CVE-2021-23440.js new file mode 100644 index 000..177f1d3 --- /dev/null +++ b/debian/tests/CVE-2021-23440.js @@ -0,0 +1,9 @@ +const set = require("set-value") + +// set({}, ['__proto__','polluted'], 'yes'); +// console.log(polluted); // Error: Cannot set unsafe key: "__proto__" + +set({}, [['__proto__'],'polluted'], 'yes'); +if(polluted && polluted === 'yes') { + console.error('Vulnerable to CVE-2021-23440'); +} diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 000..b9d4e6c --- /dev/null +++ b/debian/tests/control @@ -0,0 +1,3 @@ +Tests: CVE-2021-23440 +Depends: @, nodejs +Restrictions: allow-stderr
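Review bot: The autopkgtest passes whenever `node debian/tests/CVE-2021-23440.js` exits non-zero, but it cannot tell the fixed module's thrown Error apart from any other failure — a missing `set-value` module, or a `ReferenceError` on the undeclared `polluted` identifier when nothing was polluted, both exit non-zero and are counted as "not vulnerable". The script should catch the expected throw, inspect `Object.prototype.polluted` explicitly and choose its own exit code, so that the shell wrapper can run `node debian/tests/CVE-2021-23440.js` directly instead of inverting the result.
```javascript
const set = require("set-value");

try {
  set({}, [['__proto__'], 'polluted'], 'yes');
} catch (err) {
  // The fixed module rejects the key ("Cannot set unsafe key"); that is the expected path.
  if (!/unsafe key/.test(err.message)) throw err;
}

if (Object.prototype.polluted === 'yes') {
  console.error('Vulnerable to CVE-2021-23440');
  process.exit(1);
}
```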
Bug#994555: bullseye-pu: package node-object-path/0.11.5-3+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-object-path is vulnerable to prototye pollution (CVE-2021-23434 and CVE-2021-3805 [ Impact ] Medium vulnerability [ Tests ] Test passed with these patches, including new checks [ Risks ] Low risk, package is not really different than the one pushed to unstable (only doc differs). [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks [ Other info ] Note that we could upload a 0.11.8-1~deb11u1: there is no differences except a documentation update. If you agree, I prefer this way. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index f1e6929..ce9339e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-object-path (0.11.5-3+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2021-23434) + * Fix prototype pollution (Closes: CVE-2021-3805) + + -- Yadd Fri, 17 Sep 2021 18:38:10 +0200 + node-object-path (0.11.5-3) unstable; urgency=medium * Team upload diff --git a/debian/gbp.conf b/debian/gbp.conf index b713356..e11bcb5 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,5 +1,6 @@ [DEFAULT] pristine-tar = True +debian-branch = bullseye [import-orig] filter = [ '.gitignore', '.travis.yml', '.git*' ] diff --git a/debian/patches/CVE-2021-23434.patch b/debian/patches/CVE-2021-23434.patch new file mode 100644 index 000..8d08d2e --- /dev/null +++ b/debian/patches/CVE-2021-23434.patch 
@@ -0,0 +1,67 @@ +Description: Fix prototype pollution when path components are not strings +Author: Mario Casciaro https://github.com/mariocasciaro/object-path/commit/7bdf4abef +Bug: https://snyk.io/vuln/SNYK-JS-OBJECTPATH-1569453 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-17 + +--- a/index.js b/index.js +@@ -111,6 +111,9 @@ + return set(obj, path.split('.').map(getKey), value, doNotReplace); + } + var currentPath = path[0]; ++ if (typeof currentPath !== 'string' && typeof currentPath !== 'number') { ++currentPath = String(currentPath) ++ } + var currentValue = getShallowProperty(obj, currentPath); + if (options.includeInheritedProps && (currentPath === '__proto__' || + (currentPath === 'constructor' && typeof currentValue === 'function'))) { +--- a/test.js b/test.js +@@ -241,12 +241,18 @@ + objectPath.set({}, '__proto__.injected', 'this is bad') + expect(Object.prototype.injected).to.be.undefined + ++objectPath.set({}, [['__proto__'], 'injected'], 'this is bad') ++expect(Object.prototype.injected).to.be.undefined ++ + function Clazz() {} + Clazz.prototype.test = 'original' + + objectPath.set(new Clazz(), '__proto__.test', 'this is bad') + expect(Clazz.prototype.test).to.be.equal('original') + ++objectPath.set(new Clazz(), [['__proto__'], 'test'], 'this is bad') ++expect(Clazz.prototype.test).to.be.equal('original') ++ + objectPath.set(new Clazz(), 'constructor.prototype.test', 'this is bad') + expect(Clazz.prototype.test).to.be.equal('original') + }) +@@ -256,6 +262,11 @@ + .to.throw('For security reasons') + expect(Object.prototype.injected).to.be.undefined + ++expect(function() { ++ objectPath.withInheritedProps.set({}, [['__proto__'], 'injected'], 'this is bad') ++ expect(Object.prototype.injected).to.be.undefined ++}).to.throw('For security reasons') ++ + function Clazz() {} + Clazz.prototype.test = 'original' + +@@ -267,8 +278,11 @@ + .to.throw('For security reasons') + expect(Clazz.prototype.test).to.be.equal('original') + +-const obj = 
{} +-expect(function() {objectPath.withInheritedProps.set(obj, 'constructor.prototype.injected', 'this is OK')}) ++expect(function() {objectPath.withInheritedProps.set({}, 'constructor.prototype.injected', 'this is OK')}) ++ .to.throw('For security reasons') ++expect(Object.prototype.injected).to.be.undefined ++ ++expect(function() {objectPath.withInheritedProps.set({}, [['constructor'], 'prototype', 'injected'], 'this is bad')}) + .to.throw('For security reasons') + expect(Object.prototype.injected).to.be.undefined + }) diff --git a/debian/patches/CVE-2021-3805.patch b/debian/patch
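Review bot: `currentPath = String(currentPath)` is missing the semicolon used on the neighbouring lines, and the coercion has no comment; suggest `// Property access stringifies non-string segments, so validate the stringified form` above it. The `__proto__`/`constructor` check the coerced value feeds is gated by `options.includeInheritedProps`, so the default path presumably relies on a guard inside `getShallowProperty`, which is outside the hunk — worth confirming that guard sees the coerced segment too. The enclosing `set` function starts before the hunk; the added tests do cover the array-wrapped `__proto__` and `constructor` cases.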
Bug#994583: buster-pu: package node-axios/0.17.1+dfsg-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] Another regex denial of service [ Impact ] Medium vulnerability [ Tests ] test passed [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Use trim() instead of a regex Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 88ae229..d73d015 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-axios (0.17.1+dfsg-2+deb10u1) buster; urgency=medium + + * Team upload + * Fix reDoS (Closes: CVE-2021-3749) + + -- Yadd Sat, 18 Sep 2021 07:31:53 +0200 + node-axios (0.17.1+dfsg-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3749.patch b/debian/patches/CVE-2021-3749.patch new file mode 100644 index 000..802174f --- /dev/null +++ b/debian/patches/CVE-2021-3749.patch @@ -0,0 +1,19 @@ +Description: fix ReDoS +Author: ready-research <72916209+ready-resea...@users.noreply.github.com> +Origin: upstream, https://github.com/axios/axios/commit/eef56014 +Bug: https://github.com/axios/axios/pull/3980 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-18 + +--- a/lib/utils.js b/lib/utils.js +@@ -162,7 +162,7 @@ + * @returns {String} The String freed of excess whitespace + */ + function trim(str) { +- return str.replace(/^\s*/, '').replace(/\s*$/, ''); ++return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, ''); + } + + /** diff --git a/debian/patches/series b/debian/patches/series index 877fd7a..1f39c51 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ skip-unneeded-modules.patch use-webpack3.patch CVE-2019-10742.diff +CVE-2021-3749.patch 
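Review bot: The fallback branch `str.replace(/^\s+|\s+$/g, '')` keeps a trailing anchor of the same shape that caused the ReDoS — `\s+$` still backtracks quadratically on a long run of whitespace followed by a non-space — so the fix only holds when `str.trim` exists. `String.prototype.trim` is present in every runtime this package can run on (ES5+), so the line should simply be `return str.trim();`, with the `@returns` doc left as is. The `++return` line also appears to have lost the leading indentation of the line it replaces, though that may be an artefact of how the diff was rendered.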
diff --git a/debian/patches/skip-unneeded-modules.patch b/debian/patches/skip-unneeded-modules.patch index 9c63950..6f69f30 100644 --- a/debian/patches/skip-unneeded-modules.patch +++ b/debian/patches/skip-unneeded-modules.patch @@ -2,7 +2,7 @@ These are optional modules --- a/package.json +++ b/package.json -@@ -38,10 +38,6 @@ +@@ -39,10 +39,6 @@ "grunt-cli": "^1.2.0", "grunt-contrib-clean": "^1.0.0", "grunt-contrib-nodeunit": "^1.0.0", diff --git a/debian/patches/use-webpack3.patch b/debian/patches/use-webpack3.patch index 43e264b..8f140f7 100644 --- a/debian/patches/use-webpack3.patch +++ b/debian/patches/use-webpack3.patch @@ -10,7 +10,7 @@ Subject: [PATCH] Updating webpack to v3.x --- a/package.json +++ b/package.json -@@ -38,7 +38,7 @@ +@@ -39,7 +39,7 @@ "grunt-cli": "^1.2.0", "grunt-contrib-clean": "^1.0.0", "grunt-contrib-nodeunit": "^1.0.0", @@ -19,7 +19,7 @@ Subject: [PATCH] Updating webpack to v3.x "istanbul-instrumenter-loader": "^1.0.0", "jasmine-core": "^2.4.1", "karma": "^1.3.0", -@@ -58,10 +58,10 @@ +@@ -59,10 +59,10 @@ "minimist": "^1.2.0", "phantomjs-prebuilt": "^2.1.7", "sinon": "^1.17.4",
Bug#994828: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-prismjs is vulnerable to a Regex Denial of Service (ReDoS) (CVE-2021-40438) [ Impact ] Little vulnerability [ Tests ] No test change, passed. [ Risks ] No risk, patch is trvial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Regex improvement Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index f70003b..3ac8ca9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-40438) + + -- Yadd Tue, 21 Sep 2021 14:45:33 +0200 + node-prismjs (1.23.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch new file mode 100644 index 000..a0830ac --- /dev/null +++ b/debian/patches/CVE-2021-40438.patch @@ -0,0 +1,17 @@ +Description: Markup: fixed ReDoS +Author: ready-research +Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb +Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-21 + +--- a/components/prism-markup.js b/components/prism-markup.js +@@ -1,5 +1,5 @@ + Prism.languages.markup = { +- 'comment': //, ++ 'comment': //, + 'prolog': /<\?[\s\S]+?\?>/, + 'doctype': { + // https://www.w3.org/TR/xml/#NT-doctypedecl diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..7c70d57 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-40438.patch diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 33c3a64..6fd902a 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml 
@@ -1,4 +1,7 @@ --- +variables: + RELEASE: 'bullseye' + include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
Bug#994829: buster-pu: package node-prismjs/1.11.0+dfsg-3+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-prismjs is vulnerable to a Regex Denial of Service (ReDoS) (CVE-2021-40438) [ Impact ] Little vulnerability [ Tests ] No test change, passed. [ Risks ] No risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Regex improvement Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index c23771a..1d96c58 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-prismjs (1.11.0+dfsg-3+deb10u1) buster; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-40438) + + -- Yadd Tue, 21 Sep 2021 14:52:58 +0200 + node-prismjs (1.11.0+dfsg-3) unstable; urgency=medium * Fix mocha command in autopkgtest diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch new file mode 100644 index 000..2ec1d30 --- /dev/null +++ b/debian/patches/CVE-2021-40438.patch @@ -0,0 +1,17 @@ +Description: Markup: fixed ReDoS +Author: ready-research +Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb +Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-21 + +--- a/components/prism-markup.js b/components/prism-markup.js +@@ -1,5 +1,5 @@ + Prism.languages.markup = { +- 'comment': //, ++ 'comment': //, + 'prolog': /<\?[\s\S]+?\?>/, + 'doctype': //i, + 'cdata': //i, diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..7c70d57 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-40438.patch
Bug#994861: bullseye-pu: package node-ansi-regex/5.0.1-1~deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-ansi-regex is vulnerable to a ReDoS (CVE-2021-3807) [ Impact ] Little vulnerability [ Tests ] Test passed (no change) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Regex update. [ Other info ] I prefered to import new upstream release since change is exactly CVE fix. Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 56d7a9c..c57aa87 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-ansi-regex (5.0.1-1~deb11u1) bullseye; urgency=medium + + * Team upload + * New upstream version 5.0.1 (Closes: CVE-2021-3807) + + -- Yadd Wed, 22 Sep 2021 09:00:21 +0200 + node-ansi-regex (5.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/gbp.conf b/debian/gbp.conf index b713356..638e285 100644 --- a/debian/gbp.conf +++ b/debian/gbp.conf @@ -1,5 +1,6 @@ [DEFAULT] pristine-tar = True +debian-branch=bullseye [import-orig] filter = [ '.gitignore', '.travis.yml', '.git*' ] diff --git a/index.js b/index.js index 35054aa..616ff83 100644 --- a/index.js +++ b/index.js @@ -2,7 +2,7 @@ module.exports = ({onlyFirst = false} = {}) => { const pattern = [ - '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PR-TZcf-ntqry=><~]))' ].join('|'); diff --git a/package.json b/package.json index 7af801f..017f531 100644 --- a/package.json +++ b/package.json 
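Review bot: The new pattern lands without a regression test — the request itself says "Test passed (no change)" — so nothing in the package pins the fixed behaviour or guards against the nested quantifier being reintroduced. Suggest a test that asserts the regex still matches the documented `\u0007`-terminated and CSI forms and that a long `;`-separated parameter string is processed in bounded time, so a future upstream import cannot silently regress it. The `onlyFirst` handling below the hunk is unchanged and not reviewed here.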
@@ -1,6 +1,6 @@ { "name": "ansi-regex", - "version": "5.0.0", + "version": "5.0.1", "description": "Regular expression for matching ANSI escape codes", "license": "MIT", "repository": "chalk/ansi-regex", diff --git a/readme.md b/readme.md index 3c2b77c..4d848bc 100644 --- a/readme.md +++ b/readme.md @@ -1,4 +1,4 @@ -# ansi-regex [](https://travis-ci.org/chalk/ansi-regex) +# ansi-regex > Regular expression for matching [ANSI escape > codes](https://en.wikipedia.org/wiki/ANSI_escape_code)
Bug#994862: buster-pu: package node-ansi-regex/3.0.0-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-ansi-regex is vulnerable to a ReDoS (CVE-2021-3807) [ Impact ] Little vulnerability [ Tests ] Test passed (no change) [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Regex improvement Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 92aa3dc..095e7f4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-ansi-regex (3.0.0-1+deb10u1) unstable; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-3807) + + -- Yadd Wed, 22 Sep 2021 09:12:15 +0200 + node-ansi-regex (3.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3807.patch b/debian/patches/CVE-2021-3807.patch new file mode 100644 index 000..b5efa42 --- /dev/null +++ b/debian/patches/CVE-2021-3807.patch @@ -0,0 +1,19 @@ +Description: Fix potential ReDoS +Author: Yeting Li +Origin: upstream, https://github.com/chalk/ansi-regex/commit/8d1d7cdb +Bug: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-22 + +--- a/index.js b/index.js +@@ -2,7 +2,7 @@ + + module.exports = () => { + const pattern = [ +- '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:[a-zA-Z\\d]*(?:;[a-zA-Z\\d]*)*)?\\u0007)', ++ '[\\u001B\\u009B][[\\]()#;?]*(?:(?:(?:(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]+)*|[a-zA-Z\\d]+(?:;[-a-zA-Z\\d\\/#&.:=?%@~_]*)*)?\\u0007)', + '(?:(?:\\d{1,4}(?:;\\d{0,4})*)?[\\dA-PRZcf-ntqry=><~]))' + ].join('|'); + diff --git a/debian/patches/series b/debian/patches/series index c508ffd..38e81d3 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ 00-mocha.diff +CVE-2021-3807.patch
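Review bot: Besides removing the nested quantifier, the backported line widens the parameter character class in the OSC alternative from `[a-zA-Z\\d]` to `[-a-zA-Z\\d\\/#&.:=?%@~_]`, so 3.0.0+deb10u1 will strip sequences that 3.0.0 left untouched; that is a functional change beyond the "Fix ReDoS" changelog entry and should be called out in the patch Description (e.g. `This also widens the accepted OSC parameter characters to match upstream 5.0.1`). Separately, the changelog stanza in this debdiff targets `unstable` rather than `buster`, which a stable update cannot use.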
Bug#994828: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1
Control: tags -1 - moreinfo Le 30/09/2021 à 20:58, Adam D. Barratt a écrit : > Control: tags -1 + moreinfo > > On Tue, 2021-09-21 at 14:49 +0200, Yadd wrote: >> node-prismjs is vulnerable to a Regex Denial of Service (ReDoS) >> (CVE-2021-40438) >> > > According to the Security Tracker, that's an Apache mod-proxy issue. > > Regards, > > Adam Fixed and pushed, thanks!
Bug#994829: buster-pu: package node-prismjs/1.11.0+dfsg-3+deb10u1
Control: tags -1 - moreinfo Le 30/09/2021 à 21:33, Adam D. Barratt a écrit : > Control: tags -1 + moreinfo > > On Tue, 2021-09-21 at 14:56 +0200, Yadd wrote: >> node-prismjs is vulnerable to a Regex Denial of Service (ReDoS) >> (CVE-2021-40438) >> > > As with the bullseye request, that appears to be the wrong CVE number. > > Regards, > > Adam Fixed and pushed, thanks!
Bug#991632: buster-pu: package node-jszip/3.1.4+dfsg-1+deb10u1
Control: tags -1 - moreinfo Le 30/09/2021 à 21:45, Adam D. Barratt a écrit : > Control: tags -1 + moreinfo > > On Thu, 2021-07-29 at 13:07 +0200, Yadd wrote: >> node-jszip is vulnerable to a prototype pollution (CVE-2021-23413) >> > > + * Fix a null prototype object for this.files (Closes: CVE-2021- > 23413) > > As far as I can tell, you're fixing an issue by *using* a null > prototype object, whereas the changelog entry above implies that you're > removing such a use. > > Regards, Sorry, fixed and pushed (commit was "fix: use a null..."). Cheers, Yadd
Bug#996623: bullseye-pu: package node-getobject/0.1.0-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] Another prototype pollution (CVE-2020-28282) [ Impact ] Low sucurity issue [ Tests ] Sadly no test [ Risks ] No risk (patch is trivial) [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] New check Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 52c376a..2f4cbe9 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-getobject (0.1.0-2+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2020-28282) + + -- Yadd Sat, 16 Oct 2021 13:57:48 +0200 + node-getobject (0.1.0-2) unstable; urgency=medium * Fix Vcs-Git url diff --git a/debian/patches/CVE-2020-28282.patch b/debian/patches/CVE-2020-28282.patch new file mode 100644 index 000..9fb7cc9 --- /dev/null +++ b/debian/patches/CVE-2020-28282.patch @@ -0,0 +1,20 @@ +Description: Do not allow setting of __proto__ +Author: Vlad Filippov +Bug: https://security-tracker.debian.org/tracker/CVE-2020-28282 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-10-16 + +--- a/lib/getobject.js b/lib/getobject.js +@@ -41,6 +41,10 @@ + // as we go. + getobject.set = function(obj, parts, value) { + parts = getParts(parts); ++ if (parts.includes('__proto__')) { ++// do not allow setting of __proto__. See CVE-2020-28282. ++return; ++ } + + var prop = parts.pop(); + obj = getobject.get(obj, parts, true); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..b74a7fb --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2020-28282.patch
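Review bot: The guard only rejects a path containing `'__proto__'`; `constructor` and `prototype` segments are still accepted, whereas the set-value fix earlier in this thread rejects all three (`key !== '__proto__' && key !== 'constructor' && key !== 'prototype'`). The bare `return` also gives the caller no indication the write was dropped — throwing, as set-value does with "Cannot set unsafe key", or at least stating the silent drop in `getobject.set`'s header comment would be clearer. Whether `getParts` can yield non-string segments that `includes('__proto__')` would not match is outside the hunk. The same patch is submitted again for buster in Bug#996624 below and has the same gaps.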
Bug#996624: buster-pu: package node-getobject/0.1.0-2+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] Another prototype pollution (CVE-2020-28282) [ Impact ] Low sucurity issue [ Tests ] Sadly no test [ Risks ] No risk (patch is trivial) [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] New check Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 52c376a..ebd18a4 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-getobject (0.1.0-2+deb10u1) buster; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2020-28282) + + -- Yadd Sat, 16 Oct 2021 13:55:46 +0200 + node-getobject (0.1.0-2) unstable; urgency=medium * Fix Vcs-Git url diff --git a/debian/patches/CVE-2020-28282.patch b/debian/patches/CVE-2020-28282.patch new file mode 100644 index 000..9fb7cc9 --- /dev/null +++ b/debian/patches/CVE-2020-28282.patch @@ -0,0 +1,20 @@ +Description: Do not allow setting of __proto__ +Author: Vlad Filippov +Bug: https://security-tracker.debian.org/tracker/CVE-2020-28282 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-10-16 + +--- a/lib/getobject.js b/lib/getobject.js +@@ -41,6 +41,10 @@ + // as we go. + getobject.set = function(obj, parts, value) { + parts = getParts(parts); ++ if (parts.includes('__proto__')) { ++// do not allow setting of __proto__. See CVE-2020-28282. ++return; ++ } + + var prop = parts.pop(); + obj = getobject.get(obj, parts, true); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..b74a7fb --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2020-28282.patch
Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu X-Debbugs-Cc: pkg-javascript-de...@lists-alith.debian.net [ Reason ] Jquery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. (CVE-2021-41184) [ Impact ] Medium security issue [ Tests ] No test launched for this package. [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just a security check Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index e137315..48b298f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium + + * Team upload + * Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184) + + -- Yadd Mon, 08 Nov 2021 11:00:00 +0100 + jqueryui (1.12.1+dfsg-8) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-41184.patch b/debian/patches/CVE-2021-41184.patch new file mode 100644 index 000..112a288 --- /dev/null +++ b/debian/patches/CVE-2021-41184.patch 
@@ -0,0 +1,23 @@ +Description: Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184) + fix "option of the `.position()` util from untrusted sources may execute untrusted code" +Author: Michał Gołębiowski-Owczarek +Origin: upstream, https://github.com/jquery/jquery-ui/commit/effa323f +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-gpqq-952q-5327 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-11-08 + +--- a/ui/position.js b/ui/position.js +@@ -144,7 +144,10 @@ + options = $.extend( {}, options ); + + var atOffset, targetWidth, targetHeight, targetOffset, basePosition, dimensions, +- target = $( options.of ), ++ // Make sure string options are treated as CSS selectors ++ target = typeof options.of === "string" ? ++ $( document ).find( options.of ) : ++ $( options.of ), + within = $.position.getWithinInfo( options.within ), + scrollInfo = $.position.getScrollInfo( within ), + collision = ( options.collision || "flip" ).split( " " ), diff --git a/debian/patches/series b/debian/patches/series index a1fcccd..b2738aa 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,4 @@ add_missing_semicolon.patch match_css_source_to_release.patch use_system_files_in_examples.patch +CVE-2021-41184.patch
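Review bot: The new ternary covers only `options.of`; the next context line hands `options.within` to `$.position.getWithinInfo( options.within )`, which is outside the hunk, so it is worth confirming that helper gives a string the same selector-only treatment. The added comment states the what rather than the why; `// A string passed to $() may be parsed as HTML, .find() only accepts a selector` would tell the next reader what the ternary protects against. The enclosing function starts and ends outside the hunk.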
Bug#1000377: bullseye-pu: package node-json-schema/0.3.0+_7.0.6-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-json-schema is vulnerable to prototype pollution [ Impact ] Medium vulnerability [ Tests ] Sadly test wre not enable for this package [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Just an additional check Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index a50007b..bad7788 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-json-schema (0.3.0+~7.0.6-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: #999765, CVE-2021-3918) + + -- Yadd Mon, 22 Nov 2021 10:40:35 +0100 + node-json-schema (0.3.0+~7.0.6-1) unstable; urgency=medium [ upstream ] diff --git a/debian/patches/CVE-2021-3918.patch b/debian/patches/CVE-2021-3918.patch new file mode 100644 index 000..9cba185 --- /dev/null +++ b/debian/patches/CVE-2021-3918.patch 
@@ -0,0 +1,53 @@ +Description: fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') + Don't allow __proto__ property to be used for schema default/coerce, fixes +Author: Kris Zyp +Origin: upstream, https://github.com/kriszyp/json-schema/commit/22f14611 +Bug: https://security-tracker.debian.org/tracker/CVE-2021-3918 +Bug-Debian: https://bugs.debian.org/999765 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-11-22 + +--- a/lib/validate.js b/lib/validate.js +@@ -207,7 +207,7 @@ + } + + for(var i in objTypeDef){ +- if(objTypeDef.hasOwnProperty(i)){ ++ if(objTypeDef.hasOwnProperty(i) && i != '__proto__'){ + var value = instance[i]; + // skip _not_ specified properties + if (value === undefined && options.existingOnly) continue; +--- a/test/tests.js b/test/tests.js +@@ -92,4 +92,29 @@ + 'Json-Ref self-validates': assertSelfValidates('json-ref'), + 'Json-Ref/Hyper': assertValidates('json-ref', 'hyper-schema'), + 'Json-Ref/Core': assertValidates('json-ref', 'schema') ++prototypePollution: function() { ++console.log('testing') ++const instance = JSON.parse(` ++{ ++"$schema":{ ++"type": "object", ++"properties":{ ++"__proto__": { ++"type": "object", ++"properties":{ ++"polluted": { ++"type": "string", ++"default": "polluted" ++} ++} ++} ++}, ++"__proto__": {} ++} ++}`); ++ ++const a = {}; ++validate(instance); ++assert.equal(a.polluted, undefined); ++} + }).export(module); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..082cdc9 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-3918.patch
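Review bot: `i != '__proto__'` in the new condition uses loose equality where the rest of the check is a plain string comparison; `i !== '__proto__'` expresses the same intent without coercion. The exclusion also names only `__proto__`; a schema property called `constructor` with a nested `prototype` likely walks to the shared prototype by the same default/coerce route the description mentions, so rejecting those keys alongside `__proto__` would close the same class of bug. The enclosing `for` body continues outside the hunk, so later writes through `instance[i]` cannot be checked from here.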
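Review bot: As pasted, the unchanged context line `'Json-Ref/Core': assertValidates('json-ref', 'schema')` has no trailing comma before the added `prototypePollution:` entry, which would make the object literal a syntax error; the collapsed layout makes this hard to be certain of, but the hunk header counts that line among the four unchanged ones, so it deserves a check before upload, all the more since the tests are not run for this package. The added `console.log('testing')` looks like leftover debugging and can be dropped. `assert.equal(a.polluted, undefined)` is the right shape, since `a` is created before `validate(instance)` runs.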
Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1
Control: tags -1 - moreinfo On 03/12/2021 17:30, Adam D. Barratt wrote: Control: tags -1 + moreinfo On Tue, 2021-11-09 at 08:25 +0100, Salvatore Bonaccorso wrote: Hi, On Mon, Nov 08, 2021 at 12:27:03PM +0100, Yadd wrote: [...] Jquery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources. (CVE-2021-41184) AFAICS there are two more CVEs for jqueryui which wree fixed in 1.13.0 and so covered in unstable already. Can those be backported as well or are they too intrusive? Quick ping on this. Regards, Adam Hi, sorry, here is the new debdiff Cheers, Yadddiff --git a/debian/changelog b/debian/changelog index e137315..3a6a587 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +jqueryui (1.12.1+dfsg-8+deb11u1) bullseye; urgency=medium + + * Team upload + * Make sure altField is treated as a CSS selector (Closes: CVE-2021-41182) + * Make sure text option are text, shorten HTML strings +(Closes: CVE-2021-41183) + * Make sure `of` is treated as a CSS selector (Closes: CVE-2021-41184) + + -- Yadd Mon, 06 Dec 2021 08:29:59 +0100 + jqueryui (1.12.1+dfsg-8) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-41182.patch b/debian/patches/CVE-2021-41182.patch new file mode 100644 index 000..975c627 --- /dev/null +++ b/debian/patches/CVE-2021-41182.patch 
@@ -0,0 +1,19 @@ +Description: Datepicker: Make sure altField is treated as a CSS selector +Author: Michał Gołębiowski-Owczarek +Origin: upstream, https://github.com/jquery/jquery-ui/commit/32850869 +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-9gj3-hwp5-pmwc +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-12-06 + +--- a/ui/widgets/datepicker.js b/ui/widgets/datepicker.js +@@ -1090,7 +1090,7 @@ + altFormat = this._get( inst, "altFormat" ) || this._get( inst, "dateFormat" ); + date = this._getDate( inst ); + dateStr = this.formatDate( altFormat, date, this._getFormatConfig( inst ) ); +- $( altField ).val( dateStr ); ++ $( document ).find( altField ).val( dateStr ); + } + }, + diff --git a/debian/patches/CVE-2021-41183.patch b/debian/patches/CVE-2021-41183.patch new file mode 100644 index 000..b610ead --- /dev/null +++ b/debian/patches/CVE-2021-41183.patch 
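Review bot: The one-line change carries no why-comment, and the reason is not obvious from `$( document ).find( altField )` alone; suggest `// altField is a widget option: .find() treats it strictly as a selector, unlike $()` above the changed line. `altField` is presumably read from the widget options before the hunk, so other uses of the same option elsewhere in datepicker.js cannot be confirmed here and are worth a grep.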
@@ -0,0 +1,179 @@ +Description: Make sure text option are text, shorten HTML strings +Author: Michał Gołębiowski-Owczarek +Origin: upstream, https://github.com/jquery/jquery-ui/pull/1953 +Bug: https://github.com/jquery/jquery-ui/security/advisories/GHSA-j7qv-pgf6-hvh4 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-12-06 + +--- a/ui/widgets/datepicker.js b/ui/widgets/datepicker.js +@@ -240,7 +240,9 @@ + inst.append.remove(); + } + if ( appendText ) { +- inst.append = $( "" + appendText + "" ); ++ inst.append = $( "" ) ++ .addClass( this._appendClass ) ++ .text( appendText ); + input[ isRTL ? "before" : "after" ]( inst.append ); + } + +@@ -257,12 +259,32 @@ + if ( showOn === "button" || showOn === "both" ) { // pop-up date picker when button clicked + buttonText = this._get( inst, "buttonText" ); + buttonImage = this._get( inst, "buttonImage" ); +- inst.trigger = $( this._get( inst, "buttonImageOnly" ) ? +- $( "" ).addClass( this._triggerClass ). +- attr( { src: buttonImage, alt: buttonText, title: buttonText } ) : +- $( "" ).addClass( this._triggerClass ). +- html( !buttonImage ? buttonText : $( "" ).attr( +- { src:buttonImage, alt:buttonText, title:buttonText } ) ) ); ++ ++ if ( this._get( inst, "buttonImageOnly" ) ) { ++ inst.trigger = $( "" ) ++ .addClass( this._triggerClass ) ++ .attr( { ++ src: buttonImage, ++ alt: buttonText, ++ title: buttonText ++
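Review bot: The element constructors in the new code appear as `$( "" )` throughout this patch, so the tag names were almost certainly stripped when the debdiff was pasted and the hunk cannot be verified from this message; it should be compared against the upstream pull request named in the `Origin:` field. The first hunk's move from string concatenation to `.addClass( this._appendClass ).text( appendText )` is the right shape, since `.text()` never parses `appendText` as markup. The second hunk of this patch is truncated in the message, so the `buttonText`/`buttonImage` branch is only partly visible.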
Bug#998832: bullseye-pu: package jqueryui/1.12.1+dfsg-8+deb11u1
On 11/12/2021 18:42, Adam D. Barratt wrote: On Mon, 2021-12-06 at 08:39 +0100, Yadd wrote: sorry, here is the new debdiff Thanks. What's the rationale for this change? --- a/debian/rules +++ b/debian/rules @@ -89,8 +89,8 @@ override_dh_auto_test: jquery-ui.js jquery-ui.min.js themes/base/jquery-ui.css nodejs --check ui/i18n/jquery-ui-i18n.js # Reference files are taken from the quick download ZIP file from # http://jqueryui.com - diff -Bw debian/reference-jquery-ui.js jquery-ui.js - diff -Bw debian/reference-jquery-ui.css themes/base/jquery-ui.css + #diff -Bw debian/reference-jquery-ui.js jquery-ui.js + #diff -Bw debian/reference-jquery-ui.css themes/base/jquery-ui.css endif Hi, this package compared built jquery-ui with upstream version (stored in Debian). This fails now since we changed source
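Review bot: Commenting the two `diff -Bw` lines out leaves dead code in `override_dh_auto_test` and silently drops the only check that the built `jquery-ui.js` and CSS still match the shipped reference files; either delete the lines outright (the rationale can live in the changelog) or keep the check and refresh the reference files after patching. If the comparison is meant to return once the patches land in a new upstream release, a `# TODO:` comment naming that condition would be clearer than bare `#diff` lines.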
Bug#1003526: bullseye-pu: package node-follow-redirects/1.13.1-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor [ Impact ] Medium vulnerability [ Tests ] Test passed, no new test [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Drop Cookie header Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 5bfcaa7..63c3770 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-follow-redirects (1.13.1-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Drop Cookie header across domains (Closes: CVE-2022-0155) + + -- Yadd Tue, 11 Jan 2022 12:11:11 +0100 + node-follow-redirects (1.13.1-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0155.patch b/debian/patches/CVE-2022-0155.patch new file mode 100644 index 000..0e8419f --- /dev/null +++ b/debian/patches/CVE-2022-0155.patch 
@@ -0,0 +1,22 @@ +Description: Drop Cookie header across domains. +Author: Ruben Verborgh +Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/8b347cbc +Bug: https://github.com/follow-redirects/follow-redirects/issues/183 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-01-11 + +--- a/index.js b/index.js +@@ -345,9 +345,9 @@ + var redirectUrlParts = url.parse(redirectUrl); + Object.assign(this._options, redirectUrlParts); + +-// Drop the Authorization header if redirecting to another host ++// Drop the confidential headers when redirecting to another domain + if (redirectUrlParts.hostname !== previousHostName) { +- removeMatchingHeaders(/^authorization$/i, this._options.headers); ++ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); + } + + // Evaluate the beforeRedirect callback diff --git a/debian/patches/series b/debian/patches/series index a22cf9d..b90eb05 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ fix-test.patch +CVE-2022-0155.patch
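Review bot: The header filter still keys only on `redirectUrlParts.hostname !== previousHostName`, so a redirect from an `https:` URL to an `http:` URL on the same host keeps `authorization` and `cookie` on the cleartext hop; the later debdiff in this thread (CVE-2022-0536) extends the condition to the scheme, and the two patches are best reviewed together. The widened regex `/^(?:authorization|cookie)$/i` is a clear improvement over the previous single-header match. The enclosing redirect handler starts and ends outside the hunk.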
Bug#1003765: bullseye-pu: package node-markdown-it/10.0.0+dfsg-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-markdown-it is vulnerable to regex denial of service (CVE-2022-21670) [ Impact ] Little security issue [ Tests ] Test passed [ Risks ] Low risk, just a better check [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Replace regex by substitute Same patch applied to unstable. Cheers, Yadd
Bug#1003765: bullseye-pu: package node-markdown-it/10.0.0+dfsg-2+deb11u1
On 15/01/2022 12:52, Yadd wrote: Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-markdown-it is vulnerable to regex denial of service (CVE-2022-21670) [ Impact ] Little security issue [ Tests ] Test passed [ Risks ] Low risk, just a better check [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Replace regex by substitute Same patch applied to unstable. Cheers, Yadd With the debdiff, sorrydiff --git a/debian/changelog b/debian/changelog index 3f20b0f..1fa8e51 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-markdown-it (10.0.0+dfsg-2+deb11u1) bullseye; urgency=medium + + * Fix ReDoS (Closes: CVE-2022-21670) + + -- Yadd Sat, 15 Jan 2022 12:48:26 +0100 + node-markdown-it (10.0.0+dfsg-2) unstable; urgency=medium * Team Upload diff --git a/debian/patches/CVE-2022-21670.patch b/debian/patches/CVE-2022-21670.patch new file mode 100644 index 000..e801f06 --- /dev/null +++ b/debian/patches/CVE-2022-21670.patch 
@@ -0,0 +1,32 @@ +Description: Fix possible ReDOS in newline rule +Author: Vitaly Puzrin +Origin: upstream, https://github.com/markdown-it/markdown-it/commit/ffc49ab4 +Bug: https://github.com/markdown-it/markdown-it/security/advisories/GHSA-6vfc-qv3f-vr6c +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-01-15 + +--- a/lib/rules_inline/newline.js b/lib/rules_inline/newline.js +@@ -6,7 +6,7 @@ + + + module.exports = function newline(state, silent) { +- var pmax, max, pos = state.pos; ++ var pmax, max, ws, pos = state.pos; + + if (state.src.charCodeAt(pos) !== 0x0A/* \n */) { return false; } + +@@ -20,7 +20,11 @@ + if (!silent) { + if (pmax >= 0 && state.pending.charCodeAt(pmax) === 0x20) { + if (pmax >= 1 && state.pending.charCodeAt(pmax - 1) === 0x20) { +-state.pending = state.pending.replace(/ +$/, ''); ++// Find whitespaces tail of pending chars. ++ws = pmax - 1; ++while (ws >= 1 && state.pending.charCodeAt(ws - 1) === 0x20) ws--; ++ ++state.pending = state.pending.slice(0, ws); + state.push('hardbreak', 'br', 0); + } else { + state.pending = state.pending.slice(0, -1); diff --git a/debian/patches/series b/debian/patches/series index 8c5fbef..3d7d982 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ update_shebang disable_babelmark-responder_test +CVE-2022-21670.patch
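Review bot: The added comment `// Find whitespaces tail of pending chars.` overstates what the loop does: it walks back only over 0x20 bytes, exactly like the `/ +$/` regex it replaces; suggest `// Walk back over the trailing run of spaces (0x20) instead of / +$/, which backtracks quadratically on long space runs.` The loop itself looks equivalent to the old `replace`: it starts at `pmax - 1`, which the enclosing `if` has already confirmed is a space, and can run down to index 0. The `newline` function begins before the first hunk and continues past the second.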
Bug#1004033: bullseye-pu: package node-fetch/2.6.1-5+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-fetch is vulnerable to privacy breach (CVE-2022-0235) [ Impact ] Medium vulnerability [ Tests ] Test passed [ Risks ] Low risk, patch just cleans headers [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Clean headers before request Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 7f3da38..31eb312 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-fetch (2.6.1-5+deb11u1) bullseye; urgency=medium + + * Team upload + * Don't forward secure headers to 3th party (Closes: CVE-2022-0235) + + -- Yadd Wed, 19 Jan 2022 16:46:28 +0100 + node-fetch (2.6.1-5) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0235.patch b/debian/patches/CVE-2022-0235.patch new file mode 100644 index 000..d97cd7a --- /dev/null +++ b/debian/patches/CVE-2022-0235.patch @@ -0,0 +1,22 @@ +Description: don't forward secure headers to 3th party +Author: Jimmy Wärting +Origin: upstream, https://github.com/node-fetch/node-fetch/commit/f5d3cf5e +Bug: https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7/ +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-01-19 + +--- a/src/index.js b/src/index.js +@@ -170,6 +170,11 @@ + requestOpts.body = undefined; + requestOpts.headers.delete('content-length'); + } ++if (!isDomainOrSubdomain(request.url, locationURL)) { ++ for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) { ++ requestOptions.headers.delete(name); ++ } ++ } + + // HTTP-redirect fetch step 15 + resolve(fetch(new Request(locationURL, requestOpts))); diff --git a/debian/patches/series b/debian/patches/series index 882f8ed..20c4319 100644 --- a/debian/patches/series 
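Review bot: The added loop calls `requestOptions.headers.delete(name)`, but every surrounding context line uses `requestOpts` (`requestOpts.body = undefined;`, `requestOpts.headers.delete('content-length');`, `new Request(locationURL, requestOpts)`); unless a separate `requestOptions` binding exists outside the hunk, the first cross-domain redirect throws a ReferenceError, and if one does exist the sensitive headers are stripped from the wrong object and still forwarded. The line should read `requestOpts.headers.delete(name);`. `isDomainOrSubdomain` also has to be defined or imported in `src/index.js`, which this patch does not show. Since the report says the existing tests passed, they evidently do not exercise a cross-origin redirect, so a test for that path would catch both issues.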
+++ b/debian/patches/series @@ -1,3 +1,4 @@ babelrc.patch fix-default-export.diff drop-legacy-rollup-babel-plugin.patch +CVE-2022-0235.patch
Bug#1004384: bullseye-pu: package node-cached-path-relative/1.0.2-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-cached-path-relative is vulnerable to prototype pollution (CVE-2021-23518) [ Impact ] Medium vulnerabilty [ Tests ] Test passed, no new check [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 9f42f71..fb79e59 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-cached-path-relative (1.0.2-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2021-23518) + + -- Yadd Wed, 26 Jan 2022 14:36:03 +0100 + node-cached-path-relative (1.0.2-1) unstable; urgency=medium * New upstream version: fix prototype pollution vulnerability diff --git a/debian/patches/CVE-2021-23518.patch b/debian/patches/CVE-2021-23518.patch new file mode 100644 index 000..99705bb --- /dev/null +++ b/debian/patches/CVE-2021-23518.patch @@ -0,0 +1,28 @@ +Description: fix prototype pollution +Origin: upstream, https://github.com/ashaffer/cached-path-relative/commit/40c73bf70 +Author: Andrew +Bug: https://security.snyk.io/vuln/SNYK-JS-CACHEDPATHRELATIVE-72573 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-01-26 + +--- a/lib/index.js b/lib/index.js +@@ -27,7 +27,7 @@ + // to invalidate the cache + var cwd = process.cwd() + if (cwd !== lastCwd) { +-cache = {} ++cache = Object.create(null) + lastCwd = cwd + } + +@@ -35,7 +35,7 @@ + + var result = relative.call(path, from, to) + +- cache[from] = cache[from] || {} ++ cache[from] = cache[from] || Object.create(null) + cache[from][to] = result + + return result diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..625c955 --- /dev/null 
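Review bot: Both changed lines swap `{}` for `Object.create(null)`, but the module-level initializer of `cache` is outside this hunk; the visible code only replaces `cache` when `process.cwd()` changes, so if the declaration is still a plain object literal the cache in use until the first cwd change keeps `Object.prototype`, and `cache[from] || Object.create(null)` then still resolves `cache['__proto__']` to the shared prototype. Worth confirming the declaration is `var cache = Object.create(null)` as well. A short comment on one of the changed lines, e.g. `// null prototype so a '__proto__' path segment cannot reach Object.prototype`, would record the reason for the next reader.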
+++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-23518.patch
Bug#1005007: bullseye-pu: package node-trim-newlines/3.0.0-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] Regex Denial of Service (CVE-2021-33623) [ Impact ] Medium vulnerability [ Tests ] Test passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Replace regex by string parse Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index bfe52ab..84d1115 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-trim-newlines (3.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix Regex Denial of Service (Closes: CVE-2021-33623) + + -- Yadd Sat, 05 Feb 2022 12:23:20 +0100 + node-trim-newlines (3.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-33623.patch b/debian/patches/CVE-2021-33623.patch new file mode 100644 index 000..8ce1174 --- /dev/null +++ b/debian/patches/CVE-2021-33623.patch 
@@ -0,0 +1,34 @@ +Description: fix ReDoS +Author: upstream +Bug: https://github.com/advisories/GHSA-7p7h-4mm5-852v +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-02-05 + +--- a/index.js b/index.js +@@ -1,4 +1,13 @@ + 'use strict'; + module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, ''); + module.exports.start = string => string.replace(/^[\r\n]+/, ''); +-module.exports.end = string => string.replace(/[\r\n]+$/, ''); ++ ++module.exports.end = string => { ++ let end = string.length; ++ ++ while (end > 0 && (string[end - 1] === '\r' || string[end - 1] === '\n')) { ++ end--; ++ } ++ ++ return end < string.length ? string.slice(0, end) : string; ++}; +--- a/package.json b/package.json +@@ -1,6 +1,6 @@ + { + "name": "trim-newlines", +- "version": "3.0.0", ++ "version": "3.0.1", + "description": "Trim newlines from the start and/or end of a string", + "license": "MIT", + "repository": "sindresorhus/trim-newlines", diff --git a/debian/patches/series b/debian/patches/series index 2cdbeba..2063155 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1 +1,2 @@ replace-ava-by-tape.patch +CVE-2021-33623.patch
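Review bot: Only `module.exports.end` receives the loop-based rewrite; the unchanged context line `module.exports = string => string.replace(/^[\r\n]+/, '').replace(/[\r\n]+$/, '');` still uses the end-anchored `/[\r\n]+$/` pattern, the same shape the `end` rewrite removes, so the default export keeps the quadratic behaviour on a long run of newlines followed by other text (the `/^[\r\n]+/` patterns are start-anchored and scan linearly). The default export could delegate instead: `module.exports = string => module.exports.end(string.replace(/^[\r\n]+/, ''));`. The patch is tagged as the upstream 3.0.1 release, so this would be a Debian-specific delta unless a later upstream version covers it; either way it is worth a note in the patch header.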
Bug#1005010: bullseye-pu: package node-nth-check/2.0.0-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] Regex Denial of Service (CVE-2021-3803) [ Impact ] Medium vulnerability [ Tests ] Test passed [ Risks ] Low risk, patch isn't so complicated and test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Replace regex with hand-rolled parser Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index b80a144..e2e201b 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-nth-check (2.0.0-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Replace regex with hand-rolled parser (Closes: CVE-2021-3803) + + -- Yadd Sat, 05 Feb 2022 12:42:20 +0100 + node-nth-check (2.0.0-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-3803.patch b/debian/patches/CVE-2021-3803.patch new file mode 100644 index 000..da4870c --- /dev/null +++ b/debian/patches/CVE-2021-3803.patch 
@@ -0,0 +1,107 @@ +Description: Replace regex with hand-rolled parser +Author: Felix Böhm <188768+f...@users.noreply.github.com> +Origin: upstream, https://patch-diff.githubusercontent.com/raw/fb55/nth-check/pull/9.patch +Bug: https://github.com/advisories/GHSA-rp65-9cf3-cjxr +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-02-05 + +--- a/src/parse.ts b/src/parse.ts +@@ -1,7 +1,9 @@ + // Following http://www.w3.org/TR/css3-selectors/#nth-child-pseudo + +-// [ ['-'|'+']? INTEGER? {N} [ S* ['-'|'+'] S* INTEGER ]? +-const RE_NTH_ELEMENT = /^([+-]?\d*n)?\s*(?:([+-]?)\s*(\d+))?$/; ++// Whitespace as per https://www.w3.org/TR/selectors-3/#lex is " \t\r\n\f" ++const whitespace = new Set([9, 10, 12, 13, 32]); ++const ZERO = "0".charCodeAt(0); ++const NINE = "9".charCodeAt(0); + + /** + * Parses an expression. +@@ -19,24 +21,72 @@ + return [2, 1]; + } + +-const parsed = formula.match(RE_NTH_ELEMENT); ++// Parse [ ['-'|'+']? INTEGER? {N} [ S* ['-'|'+'] S* INTEGER ]? + +-if (!parsed) { ++let idx = 0; ++ ++let a = 0; ++let sign = readSign(); ++let number = readNumber(); ++ ++if (idx < formula.length && formula.charAt(idx) === "n") { ++idx++; ++a = sign * (number ?? 1); ++ ++skipWhitespace(); ++ ++if (idx < formula.length) { ++sign = readSign(); ++skipWhitespace(); ++number = readNumber(); ++} else { ++sign = number = 0; ++} ++} ++ ++// Throw if there is anything else ++if (number === null || idx < formula.length) { + throw new Error(`n-th rule couldn't be parsed ('${formula}')`); + } + +-let a; ++return [a, sign * number]; + +-if (parsed[1]) { +-a = parseInt(parsed[1], 10); +-if (isNaN(a)) { +-a = parsed[1].startsWith("-") ? -1 : 1; ++function readSign() { ++if (formula.charAt(idx) === "-") { ++idx++; ++return -1; + } +-} else a = 0; + +-const b = +-(parsed[2] === "-" ? -1 : 1) * +-(parsed[3] ? 
parseInt(parsed[3], 10) : 0); ++if (formula.charAt(idx) === "+") { ++idx++; ++} ++ ++return 1; ++} + +-return [a, b]; ++function readNumber() { ++const start = idx; ++let value = 0; ++ ++while ( ++idx < formula.length && ++formula.charCodeAt(idx) >= ZERO && ++formula.charCodeAt(idx) <= NINE ++) { ++value = value * 10 + (formula.charCodeAt(idx) - ZERO); ++idx++; ++} ++ ++// Return `null` if we didn't read anything. ++return idx === start ? null : value; ++} ++ ++function skipWhitespace() { ++while ( ++idx < formula.length && ++whitespace.has(formula.charCodeAt(idx)) ++) { ++idx++; ++} ++} + } diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..4ac3e54 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1 @@ +CVE-2021-3803.patch
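Review bot: The hand-rolled parser is stricter than the regex in one visible case: with no `n`, `readSign()` is followed directly by `readNumber()`, so an input like `"+ 3"` (sign, whitespace, digits) now throws, whereas the old `\s*(?:([+-]?)\s*(\d+))?` tail accepted it; that follows the grammar quoted in the new comment, but it is a behaviour change that deserves a test case unless the caller already strips whitespace. The three inner helpers have no documentation; a one-line JSDoc each (`readSign` consumes an optional sign and returns 1 or -1, `readNumber` returns the parsed digit run or `null` when none was read, `skipWhitespace` advances over CSS whitespace) would make the closure easier to follow. The enclosing function starts before this hunk; the first hunk, which only introduces constants, needs no comment.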
Bug#1003526: Update to close CVE-2022-0536
Hi, here is a new debdiff to close also CVE-2022-0536 Cheers, Yadddiff --git a/debian/changelog b/debian/changelog index 5bfcaa7..5e881cd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-follow-redirects (1.13.1-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Drop Cookie header across domains (Closes: CVE-2022-0155) + * Drop confidential headers across schemes (Closes: CVE-2022-0536) + + -- Yadd Sat, 12 Feb 2022 12:05:01 +0100 + node-follow-redirects (1.13.1-1) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2022-0155.patch b/debian/patches/CVE-2022-0155.patch new file mode 100644 index 000..0e8419f --- /dev/null +++ b/debian/patches/CVE-2022-0155.patch @@ -0,0 +1,22 @@ +Description: Drop Cookie header across domains. +Author: Ruben Verborgh +Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/8b347cbc +Bug: https://github.com/follow-redirects/follow-redirects/issues/183 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-01-11 + +--- a/index.js b/index.js +@@ -345,9 +345,9 @@ + var redirectUrlParts = url.parse(redirectUrl); + Object.assign(this._options, redirectUrlParts); + +-// Drop the Authorization header if redirecting to another host ++// Drop the confidential headers when redirecting to another domain + if (redirectUrlParts.hostname !== previousHostName) { +- removeMatchingHeaders(/^authorization$/i, this._options.headers); ++ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); + } + + // Evaluate the beforeRedirect callback diff --git a/debian/patches/CVE-2022-0536.patch b/debian/patches/CVE-2022-0536.patch new file mode 100644 index 000..fdb3d11 --- /dev/null +++ b/debian/patches/CVE-2022-0536.patch 
@@ -0,0 +1,99 @@ +Description: Drop confidential headers across schemes +Author: Ruben Verborgh +Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/62e546a9 +Bug: https://github.com/advisories/GHSA-pw2r-vq6v-hr8c +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-02-12 + +--- a/index.js b/index.js +@@ -335,8 +335,9 @@ + } + + // Drop the Host header, as the redirect might lead to a different host +-var previousHostName = removeMatchingHeaders(/^host$/i, this._options.headers) || +- url.parse(this._currentUrl).hostname; ++var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers); ++var currentUrlParts = url.parse(this._currentUrl); ++var currentHost = currentHostHeader || currentUrlParts.host; + + // Create the redirected request + var redirectUrl = url.resolve(this._currentUrl, location); +@@ -345,8 +346,10 @@ + var redirectUrlParts = url.parse(redirectUrl); + Object.assign(this._options, redirectUrlParts); + +-// Drop the confidential headers when redirecting to another domain +-if (redirectUrlParts.hostname !== previousHostName) { ++// Drop the Host header, as the redirect might lead to a different host ++// Drop confidential headers when redirecting to another scheme:domain ++if (redirectUrlParts.protocol !== currentUrlParts.protocol || ++ !isSameOrSubdomain(redirectUrlParts.host, currentHost)) { + removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers); + } + +@@ -499,6 +502,14 @@ + return CustomError; + } + ++function isSameOrSubdomain(subdomain, domain) { ++ if (subdomain === domain) { ++return true; ++ } ++ const dot = subdomain.length - domain.length - 1; ++ return dot > 0 && subdomain[dot] === "." 
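Review bot: `currentHost` mixes two forms, a client-supplied `Host` header value and `url.parse(...).host`, which includes the port, so `isSameOrSubdomain(redirectUrlParts.host, currentHost)` compares, for example, `localhost:3600` against a `Host: localhost` header and reports them as different, dropping `authorization`/`cookie` on what is really a same-origin redirect (a header with a port against a URL without one fails the same way). Normalising both sides to hostname-only, or adding the URL's port to a port-less header, before the comparison would avoid this; the over-strict direction is the safe one, so this is a functional rather than a security concern. The comment `// Drop the Host header, as the redirect might lead to a different host` added in the second hunk duplicates the one already above the `removeMatchingHeaders(/^host$/i, …)` call in the first hunk and describes a step that happens earlier, so it can be removed.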
&& subdomain.endsWith(domain); ++} ++ + // Exports + module.exports = wrap({ http: http, https: https }); + module.exports.wrap = wrap; +--- a/test/test.js b/test/test.js +@@ -730,6 +730,38 @@ + }); + }); + }); ++ ++ }); ++ ++ [ ++"Authorization", ++"Cookie", ++ ].forEach(function (header) { ++describe("when the client passes an header named " + header, function () { ++ it("ignores it when null", function () { ++app.get("/a", redirectsTo(302, "http://localhost:3600/b";)); ++app.get("/b", function (req, res) { ++ res.end(JSON.stringify(req.headers)); ++}); ++ ++var opts = url.parse("http://127.0.0.1:3600/a";); ++opts.headers = { host: "localhost" }; ++opts.headers[header] = null; ++ ++return server.start(app) ++ .then(asPromise(function (resolve, reject) { ++http.get(opts, resolve).on("error", reject); ++ })) ++ .then(asPromise(function (resolve, reject, res) { ++res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject); ++ })) ++ .then(function (str) { ++
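Review bot: `isSameOrSubdomain` introduces `const` into a file whose visible code otherwise uses `var` (`var currentHostHeader`, `var redirectUrl`, …); `var dot` would match the file's style. The helper also has no JSDoc; suggest a header such as `/** True when subdomain equals domain or ends with "." + domain; both are host strings that may carry a port. */`. The `subdomain[dot] === "."` test is what keeps a mere suffix match such as `evil-example.com` from passing for `example.com`, which is worth saying in that comment so nobody simplifies it to `endsWith` alone.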
Bug#1006215: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-prismjs has 2 vulnerabilities: * Regex DoS (CVE-2021-40438) * cross-site scripting attack (CVE-2022-23647) [ Impact ] Medium vulnerabilities [ Tests ] No change in test, passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] * Regexp change * Encode commandline arguments [ Other info ] I patched source files and regenerated minified files using uglifyjs Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index f70003b..956abf2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-3801) + * Command Line: Escape markup in command line output +(Closes: CVE-2022-23647) + + -- Yadd Mon, 21 Feb 2022 11:57:44 +0100 + node-prismjs (1.23.0+dfsg-1) unstable; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 27bb7f6..7021e6c 100644 --- a/debian/control +++ b/debian/control @@ -8,6 +8,7 @@ Build-Depends: chai , mocha , node-yargs , dh-sequence-nodejs + , uglifyjs Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/js-team/node-prismjs Vcs-Git: https://salsa.debian.org/js-team/node-prismjs.git diff --git a/debian/patches/CVE-2021-40438.patch b/debian/patches/CVE-2021-40438.patch new file mode 100644 index 000..a0830ac --- /dev/null +++ b/debian/patches/CVE-2021-40438.patch 
@@ -0,0 +1,17 @@ +Description: Markup: fixed ReDoS +Author: ready-research +Origin: upstream, https://github.com/prismjs/prism/commit/0ff371bb +Bug: https://security-tracker.debian.org/tracker/CVE-2021-40438 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2021-09-21 + +--- a/components/prism-markup.js b/components/prism-markup.js +@@ -1,5 +1,5 @@ + Prism.languages.markup = { +- 'comment': //, ++ 'comment': //, + 'prolog': /<\?[\s\S]+?\?>/, + 'doctype': { + // https://www.w3.org/TR/xml/#NT-doctypedecl diff --git a/debian/patches/CVE-2022-23647.patch b/debian/patches/CVE-2022-23647.patch new file mode 100644 index 000..4008ab5 --- /dev/null +++ b/debian/patches/CVE-2022-23647.patch @@ -0,0 +1,19 @@ +Description: Escape markup in command line output +Author: at055612 <22818309+at055...@users.noreply.github.com> +Origin: upstream, https://github.com/PrismJS/prism/commit/e002e78c +Bug: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-02-21 + +--- a/plugins/command-line/prism-command-line.js b/plugins/command-line/prism-command-line.js +@@ -122,7 +122,7 @@ + var outputLines = commandLine.outputLines || []; + for (var i = 0, l = outputLines.length; i < l; i++) { + if (outputLines.hasOwnProperty(i)) { +- codeLines[i] = outputLines[i]; ++ codeLines[i] = Prism.util.encode(outputLines[i]); + } + } + env.highlightedCode = codeLines.join('\n'); diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 000..88f88a9 --- /dev/null +++ b/debian/patches/series @@ -0,0 +1,2 @@ +CVE-2021-40438.patch +CVE-2022-23647.patch diff --git a/debian/rules b/debian/rules index 8240d18..411edb7 100755 --- a/debian/rules +++ b/debian/rules 
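Review bot: Both the removed and the added `'comment':` lines render as a bare `//` in this debdiff, so the regex bodies (an HTML-comment pattern necessarily contains angle brackets) were stripped between the patch file and this message and the actual change is not reviewable here; it should be checked against the upstream commit named in the `Origin:` field before upload, and other lines containing angle brackets may have been affected the same way. The second hunk's `Prism.util.encode(outputLines[i])` is straightforward, but a short comment such as `// output lines are user-supplied text, not markup` would explain why the encode belongs at this spot. The enclosing plugin function continues outside the hunk.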
@@ -7,6 +7,13 @@ %: dh $@ +override_dh_auto_build: + dh_auto_build + uglifyjs -o components/prism-markup.min.js \ + components/prism-markup.js + uglifyjs -o plugins/command-line/prism-command-line.min.js \ + plugins/command-line/prism-command-line.js + override_dh_fixperms: dh_fixperms chmod -x debian/node-prismjs/usr/share/nodejs/prismjs/package.json diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml index 33c3a64..6fd902a 100644 --- a/debian/salsa-ci.yml +++ b/debian/salsa-ci.yml @@ -1,4 +1,7 @@ --- +variables: + RELEASE: 'bullseye' + include: - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml
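Review bot: `override_dh_auto_build` overwrites `components/prism-markup.min.js` and `plugins/command-line/prism-command-line.min.js` inside the source tree, but nothing restores them on clean, so a second build from the same tree will likely fail in dpkg-source with local changes detected, or quietly reuse the previous build's output. Either write the regenerated files somewhere dh_install can pick them up without touching the tracked copies, or add an `override_dh_auto_clean` that runs `dh_auto_clean` and then restores the two files. A one-line comment above the target, `# the CVE patches only touch the unminified sources; the shipped .min.js must be rebuilt from them`, would record why this override exists. The same target appears again in the deb11u2 debdiff further down this page.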
Bug#1006215: bullseye-pu: package node-prismjs/1.23.0+dfsg-1+deb11u1
On 23/02/2022 22:44, Salvatore Bonaccorso wrote: hi, On Wed, Feb 23, 2022 at 10:27:33PM +0100, Moritz Mühlenhoff wrote: Am Mon, Feb 21, 2022 at 01:57:54PM +0100 schrieb Yadd: Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-prismjs has 2 vulnerabilities: * Regex DoS (CVE-2021-40438) Where did you get that CVE reference from? CVE-2021-40438 is for a mod_proxy vulnerability in Apache httpd? The used changelog entry actually has: +node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix ReDoS (Closes: CVE-2021-3801) + * Command Line: Escape markup in command line output +(Closes: CVE-2022-23647) + + -- Yadd Mon, 21 Feb 2022 11:57:44 +0100 But this seems odd: CVE-2021-3801 was already fixed in the last bullseye point rlease with 1.23.0+dfsg-1+deb11u1. So should this update be only for CVE-2022-23647 and the version be 1.23.0+dfsg-1+deb11u2? Regards, Salvatore Sorry, here is a new debdiffdiff --git a/debian/changelog b/debian/changelog index 4e83591..299ef36 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-prismjs (1.23.0+dfsg-1+deb11u2) bullseye; urgency=medium + + * Command Line: Escape markup in command line output +(Closes: CVE-2022-23647) + * Fix also minified files (Really closes: CVE-2021-3801) + + -- Yadd Thu, 24 Feb 2022 06:38:27 +0100 + node-prismjs (1.23.0+dfsg-1+deb11u1) bullseye; urgency=medium * Team upload diff --git a/debian/control b/debian/control index 27bb7f6..7021e6c 100644 --- a/debian/control +++ b/debian/control @@ -8,6 +8,7 @@ Build-Depends: chai , mocha , node-yargs , dh-sequence-nodejs + , uglifyjs Standards-Version: 4.5.1 Vcs-Browser: https://salsa.debian.org/js-team/node-prismjs Vcs-Git: https://salsa.debian.org/js-team/node-prismjs.git diff --git a/debian/patches/CVE-2022-23647.patch b/debian/patches/CVE-2022-23647.patch new file mode 100644 index 000..4008ab5 --- /dev/null 
+++ b/debian/patches/CVE-2022-23647.patch
@@ -0,0 +1,19 @@
+Description: Escape markup in command line output
+Author: at055612 <22818309+at055...@users.noreply.github.com>
+Origin: upstream, https://github.com/PrismJS/prism/commit/e002e78c
+Bug: https://github.com/PrismJS/prism/security/advisories/GHSA-3949-f494-cm99
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-02-21
+
+--- a/plugins/command-line/prism-command-line.js b/plugins/command-line/prism-command-line.js
+@@ -122,7 +122,7 @@
+ var outputLines = commandLine.outputLines || [];
+ for (var i = 0, l = outputLines.length; i < l; i++) {
+ if (outputLines.hasOwnProperty(i)) {
+- codeLines[i] = outputLines[i];
++ codeLines[i] = Prism.util.encode(outputLines[i]);
+ }
+ }
+ env.highlightedCode = codeLines.join('\n');
diff --git a/debian/patches/series b/debian/patches/series
index 7c70d57..88f88a9 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 CVE-2021-40438.patch
+CVE-2022-23647.patch
diff --git a/debian/rules b/debian/rules
index 8240d18..411edb7 100755
--- a/debian/rules
+++ b/debian/rules
@@ -7,6 +7,13 @@
 %:
 dh $@
 
+override_dh_auto_build:
+ dh_auto_build
+ uglifyjs -o components/prism-markup.min.js \
+ components/prism-markup.js
+ uglifyjs -o plugins/command-line/prism-command-line.min.js \
+ plugins/command-line/prism-command-line.js
+
 override_dh_fixperms:
 dh_fixperms
 chmod -x debian/node-prismjs/usr/share/nodejs/prismjs/package.json
Bug#1006371: bullseye-pu: package lemonldap-ng/2.0.11+ds-4+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] lemonldap-ng is vulnerable to password bypass (impact critical) in a very unlikely setup (probability very low). CVE-2021-40874 [ Impact ] In such configuration, a remote lemonldap-ng system that queries the main lemonldap-ng system using internal lemonldap-ng protocol instead of SAML/OpenID-Connect, accepts user with _wrong password; if and only if_ main lemonldap-ng system is configured to use both Kerberos and LDAP authentication. [ Tests ] Tests passed and upstream patch adds a new test [ Risks ] Low risk, test coverage proves that package isn't broken with such change (trivial for a lemonldap-ng dev ;-)) [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Instead of setting login/password into result variables ($req->user), RESTServer stores them in form and launch the whole authentication process ($self->p->authProcess) instead of selected steps. Same change is applied to CheckState plugin (no major risk here, this plugin is reserved to LLNG administrators). Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index a56d54279..f6be653a8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +lemonldap-ng (2.0.11+ds-4+deb11u1) bullseye; urgency=medium + + * Fix auth process in password-testing plugins (Closes: CVE-2021-20874) + + -- Yadd Thu, 24 Feb 2022 15:16:09 +0100 + lemonldap-ng (2.0.11+ds-4) unstable; urgency=high * Import security fixes from 2.0.12 diff --git a/debian/patches/CVE-2021-40874.patch b/debian/patches/CVE-2021-40874.patch new file mode 100644 index 0..a333d3260 --- /dev/null +++ b/debian/patches/CVE-2021-40874.patch 
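Review bot: The changelog line `* Fix auth process in password-testing plugins (Closes: CVE-2021-20874)` cites the wrong identifier: the patch file is named CVE-2021-40874.patch and the request text itself refers to CVE-2021-40874, so the security tracker would not associate this upload with the issue it fixes. Change it to `(Closes: CVE-2021-40874)` before upload. The buster changelog in Bug#1006377 below carries the same typo.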
@@ -0,0 +1,238 @@ +Description: Fix auth process in password-testing plugins (#2611) +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-01-14 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm +@@ -73,7 +73,10 @@ + my $res= PE_OK; + + # 1. No user defined at all -> first access +-unless ( $defUser and $req->method =~ /^POST$/i ) { ++# _pwdCheck is a workaround to make CheckUser work while using a GET ++unless ( $defUser ++and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) ) ++{ + $res = PE_FIRSTACCESS; + } + +@@ -170,6 +173,7 @@ + + sub setSecurity { + my ( $self, $req ) = @_; ++return if $req->data->{skipToken}; + + # If captcha is enable, prepare it + if ( $self->captcha ) { +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm +@@ -41,16 +41,22 @@ + + if ( my $user = $req->param('user') and my $pwd = $req->param('password') ) + { +-$req->user($user); +-$req->data->{password} = $pwd; ++$req->parameters->{user} = ($user); ++$req->parameters->{password} = $pwd; ++$req->data->{skipToken} = 1; ++ ++# This makes Auth::Choice use authChoiceAuthBasic if defined ++$req->data->{_pwdCheck} = 1; + + # Not launched methods: +-# - "extractFormInfo" due to "token" + # - "buildCookie" useless here + $req->steps( [ +-'getUser', 'authenticate', +-@{ $self->p->betweenAuthAndData }, $self->p->sessionData, +-@{ $self->p->afterData }, 'storeHistory', ++@{ $self->p->beforeAuth }, ++$self->p->authProcess, ++@{ $self->p->betweenAuthAndData }, ++$self->p->sessionData, ++@{ $self->p->afterData }, ++'storeHistory', + @{ $self->p->endAuth } + ] + ); +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm 
b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/RESTServer.pm +@@ -681,11 +681,13 @@ + 400 ); + } + +-$req->user($user); +-$req->data->{password} = $password; ++$req->parameters->{user} = $user; ++$req->parameters->{password} = $password; ++$req->data->{_pwdCheck} = 1; ++$req->data->{skipToken} = 1; + + if ( $self
Bug#1006377: buster-pu: package lemonldap-ng/2.0.2+ds-7+deb10u7
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] lemonldap-ng is vulnerable to password bypass (impact critical) in a very unlikely setup (probability very low). CVE-2021-40874 [ Impact ] In such configuration, a remote lemonldap-ng system that queries the main lemonldap-ng system using internal lemonldap-ng protocol instead of SAML/OpenID-Connect, accepts user with _wrong password; if and only if_ main lemonldap-ng system is configured to use both Kerberos and LDAP authentication. [ Tests ] Tests passed, upstream new tests are excluded from this patch because they need a major test framework update [ Risks ] Moderate risk, test coverage proves that package isn't broken with such change [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Instead of setting login/password into result variables ($req->user), RESTServer stores them in form and launch the whole authentication process ($self->p->authProcess) instead of selected steps. Same change is applied to CheckState plugin (no major risk here, this plugin is reserved to LLNG administrators). diff --git a/debian/changelog b/debian/changelog index 4b8979ff9..bd7a21c44 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,13 @@ +lemonldap-ng (2.0.2+ds-7+deb10u7) buster; urgency=medium + + * Add gsfonts in recommended dependencies (Closes: #982534) + * Fix auth process in password-testing plugins (Closes: CVE-2021-20874) + + -- Yadd Thu, 24 Feb 2022 16:31:07 +0100 + lemonldap-ng (2.0.2+ds-7+deb10u6) buster-security; urgency=medium - * Fix session cache corruption (Closes: CVE-2021-06-25) + * Fix session cache corruption (Closes: CVE-2021-35472) * Fix trusted domain wildcard * Fix trusted domain regexp * Don't display TOTP secret to owner, neither in debug logs 
diff --git a/debian/control b/debian/control index be46d2783..48d4819b4 100644 --- a/debian/control +++ b/debian/control @@ -283,7 +283,8 @@ Depends: ${misc:Depends}, libjs-jquery-ui, libjs-jquery-cookie, libregexp-assemble-perl -Recommends: libcrypt-openssl-bignum-perl, +Recommends: gsfonts, +libcrypt-openssl-bignum-perl, libconvert-base32-perl, libemail-sender-perl (>=1.300027) | libemail-sender-transport-smtps-perl, libipc-run-perl, diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml index ee13a665a..f1f5897e0 100644 --- a/debian/gitlab-ci.yml +++ b/debian/gitlab-ci.yml @@ -1,17 +1,7 @@ -include: https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml - -build: -extends: .build-unstable - -reprotest: -extends: .test-reprotest - -lintian: -extends: .test-lintian - -autopkgtest: -extends: .test-autopkgtest - -piuparts: -extends: .test-piuparts +--- +variables: + RELEASE: 'buster' +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml diff --git a/debian/patches/CVE-2021-40874.patch b/debian/patches/CVE-2021-40874.patch new file mode 100644 index 0..2914135ed --- /dev/null +++ b/debian/patches/CVE-2021-40874.patch 
@@ -0,0 +1,72 @@ +Description: Fix auth process in password-testing plugins (#2611) +Author: Maxime Besson +Origin: upstream, https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/commit/66946e8 +Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/issues/2612 +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-02-24 + +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm +@@ -68,7 +68,10 @@ + my $res= PE_OK; + + # 1. No user defined at all -> first access +-unless ( $defUser and $req->method =~ /^POST$/i ) { ++# _pwdCheck is a workaround to make CheckUser work while using a GET ++unless ( $defUser ++and ( uc( $req->method ) eq "POST" or $req->data->{_pwdCheck} ) ) ++{ + $res = PE_FIRSTACCESS; + } + +@@ -162,6 +165,7 @@ + + sub setSecurity { + my ( $self, $req ) = @_; ++return if $req->data->{skipToken}; + + # If captcha is enable, prepare it + if ( $self->captcha ) { +--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Plugins/CheckState.pm +@@ -41,15 +41,18 @@ + } + if ( my $user = $req->param('user') and my $pwd = $req->param('password') ) + { +-$req->user($user); +-$req->data->{password} = $pwd; ++$req->parameters->{user} = ($user); ++$req->paramet
Bug#1008045: bullseye-pu: package node-mermaid/8.7.0+ds+~cs27.17.17-3+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-mermaid is vulnerable to XSS attack (CVE-2021-23648) [ Impact ] medium vulnerability [ Tests ] Test passed, new upstream test not applicable here [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Decode HTML entities before parsing URLs Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index 3bfa0f2..32f71e8 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-mermaid (8.7.0+ds+~cs27.17.17-3+deb11u1) bullseye; urgency=medium + + * Decode html entities before sanitizing (Closes: CVE-2021-23648) + + -- Yadd Mon, 21 Mar 2022 14:06:12 +0100 + node-mermaid (8.7.0+ds+~cs27.17.17-3) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-23648.patch b/debian/patches/CVE-2021-23648.patch new file mode 100644 index 000..3571ee3 --- /dev/null +++ b/debian/patches/CVE-2021-23648.patch 
@@ -0,0 +1,46 @@
+Description: decode html entities before sanitizing (fixes XSS)
+Author: Blade Barringer
+Origin: upstream, https://github.com/braintree/sanitize-url/commit/8f7371ce
+Bug: https://github.com/braintree/sanitize-url/pull/40
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-03-21
+
+--- a/sanitize-url/index.js b/sanitize-url/index.js
+@@ -1,6 +1,7 @@
+ 'use strict';
+
+ var invalidPrototcolRegex = /^(%20|\s)*(javascript|data)/im;
++const htmlEntitiesRegex = /&#(\w+)(^\w|;)?/g;
+ var ctrlCharactersRegex = /[^\x20-\x7E]/gmi;
+ var urlSchemeRegex = /^([^:]+):/gm;
+ var relativeFirstCharacters = ['.', '/'];
+@@ -9,15 +10,24 @@
+ return relativeFirstCharacters.indexOf(url[0]) > -1;
+ }
+
++// adapted from https://stackoverflow.com/a/29824550/2601552
++function decodeHtmlCharacters(str) {
++ return str.replace(htmlEntitiesRegex, (match, dec) => {
++return String.fromCharCode(dec);
++ });
++}
++
+ function sanitizeUrl(url) {
+ var urlScheme, urlSchemeParseResults, sanitizedUrl;
+
+- if (!url) {
++ sanitizedUrl = decodeHtmlCharacters(url || "")
++.replace(ctrlCharactersRegex, "")
++.trim();
++
++ if (!sanitizedUrl) {
+ return 'about:blank';
+ }
+
+- sanitizedUrl = url.replace(ctrlCharactersRegex, '').trim();
+-
+ if (isRelativeUrlWithoutProtocol(sanitizedUrl)) {
+ return sanitizedUrl;
+ }
diff --git a/debian/patches/series b/debian/patches/series
index f41df00..b3ba76f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 0002-Fix-unsupported-syntax.patch
 0003-Replace-moment-mini-with-moment.patch
 CVE-2021-35513.patch
+CVE-2021-23648.patch
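Review bot: `htmlEntitiesRegex` and `decodeHtmlCharacters` decode only decimal numeric character references, so the scheme check that follows still runs on text the browser will decode differently: a hex reference such as `&#x6A;` is captured as `x6A`, `String.fromCharCode('x6A')` yields `\u0000`, and `ctrlCharactersRegex` then deletes it instead of decoding it, while named references (for example `&Tab;`), which an HTML parser also decodes, are not handled at all. Parse both numeric forms with an explicit radix as below and, since a sanitizer cannot enumerate every named entity, reject or strip any remaining `&...;` sequence before `urlSchemeRegex` is applied. The `(^\w|;)?` group is also misleading: `^` cannot match mid-string, so the alternation only ever consumes the optional `;` and `;?` says the same thing. The file mixes the new `const` and arrow function with the surrounding `var`/`function` style; either is fine but the patch should pick one. `sanitizeUrl` continues past the end of the hunk.
```javascript
// decimal (&#106;) and hex (&#x6A;) numeric character references
const htmlEntitiesRegex = /&#(x[0-9a-f]+|\d+);?/gi;

function decodeHtmlCharacters(str) {
  return str.replace(htmlEntitiesRegex, (match, code) => {
    const isHex = code[0] === 'x' || code[0] === 'X';
    const codeUnit = isHex ? parseInt(code.slice(1), 16) : parseInt(code, 10);
    return String.fromCharCode(codeUnit);
  });
}
// … unchanged: sanitizeUrl …
```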
Bug#1008153: bullseye-pu: package node-node-forge/0.10.0~dfsg-3+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-node-forge signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. [ Impact ] medium vulnerability [ Tests ] New test added [ Risks ] Low risk, test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks [ Other info ] Upstream patch applied without any change Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index b3d4bd9..2ee4aa6 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-node-forge (0.10.0~dfsg-3+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix signature verification +(Closes: CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + + -- Yadd Wed, 23 Mar 2022 11:13:28 +0100 + node-node-forge (0.10.0~dfsg-3) unstable; urgency=medium [ Debian Janitor ] diff --git a/debian/patches/CVE-2022-24773.patch b/debian/patches/CVE-2022-24773.patch new file mode 100644 index 000..93b8805 --- /dev/null +++ b/debian/patches/CVE-2022-24773.patch 
@@ -0,0 +1,658 @@ +Description: fix signature verification issues (CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were + reported by Moosa Yahyazadeh (moosa-yahyaza...@uiowa.edu): + . + - Leniency in checking `digestAlgorithm` structure can lead to signature + forgery. + - The code is lenient in checking the digest algorithm structure. This can + allow a crafted structure that steals padding bytes and uses unchecked + portion of the PKCS#1 encoded message to forge a signature when a low + public exponent is being used. + - Failing to check tailing garbage bytes can lead to signature forgery. + - The code does not check for tailing garbage bytes after decoding a + `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed + and garbage data added to forge a signature when a low public exponent is + being used. + - Leniency in checking type octet. + - `DigestInfo` is not properly checked for proper ASN.1 structure. This can + lead to successful verification with signatures that contain invalid + structures but a valid digest. + . + For more information, please see "Bleichenbacher's RSA signature forgery based + on implementation error" by Hal Finney: + https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/ + . + Fixed with the following: + . + - [asn1] `fromDer` is now more strict and will default to ensuring all + input bytes are parsed or throw an error. A new option `parseAllBytes` + can disable this behavior. + - **NOTE**: The previous behavior is being changed since it can lead + to security issues with crafted inputs. It is possible that code + doing custom DER parsing may need to adapt to this new behavior and + optional flag. + - [rsa] Add and use a validator to check for proper structure of parsed + ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that + the hash algorithm identifier is a known value. 
An invalid + `DigestInfo` or algorithm identifier will now cause an error to be + thrown. + - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking. + - [tests] Tests were added for all of the reported issues. A private + verify option was added to assist in checking multiple possible + failures in the test data. +Author: David I. Lehn +Origin: upstream, https://github.com/digitalbazaar/forge/commit/3f0b49a0 +Bug: + https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765 + https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g + https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-03-23 + +--- a/lib/asn1.js b/lib/asn1.js +@@ -411,6 +411,8 @@ + * @param [options] object with options or boolean strict flag + * [strict] true to be strict when checking value lengths, false to + *allow truncated values (default: true). ++ * [parseAllBytes] true to ensure all bytes are parsed ++ *(default: true) + * [decodeBitStrings] true to attempt to decode the content of + *BIT STRINGs (not OCTET STRINGs) using strict mode. Note that + *without schema support to understand the data context this can +@@ -418,24 +420,31 @@ + *flag will be deprecated or removed as soon as sc
Bug#1008154: buster-pu: package node-node-forge/0.8.1~dfsg-1+deb10u1
Package: release.debian.org Severity: normal Tags: buster User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-node-forge signature verification code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. The issue has been addressed in `node-forge` version 1.3.0. [ Impact ] medium vulnerability [ Tests ] New test added [ Risks ] Low risk, test passed [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better checks [ Other info ] Upstream patch applied without any change except indentation Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index bd1ee3d..a11ea65 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,11 @@ +node-node-forge (0.8.1~dfsg-1+deb10u1) buster; urgency=medium + + * Team upload + * Fix signature verification +(Closes: CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + + -- Yadd Wed, 23 Mar 2022 11:28:00 +0100 + node-node-forge (0.8.1~dfsg-1) unstable; urgency=medium [ upstream ] diff --git a/debian/patches/CVE-2022-24773.patch b/debian/patches/CVE-2022-24773.patch new file mode 100644 index 000..9f36228 --- /dev/null +++ b/debian/patches/CVE-2022-24773.patch 
@@ -0,0 +1,658 @@ +Description: fix signature verification issues (CVE-2022-24771, CVE-2022-24772, CVE-2022-24773) + **SECURITY**: Three RSA PKCS#1 v1.5 signature verification issues were + reported by Moosa Yahyazadeh (moosa-yahyaza...@uiowa.edu): + . + - Leniency in checking `digestAlgorithm` structure can lead to signature + forgery. + - The code is lenient in checking the digest algorithm structure. This can + allow a crafted structure that steals padding bytes and uses unchecked + portion of the PKCS#1 encoded message to forge a signature when a low + public exponent is being used. + - Failing to check tailing garbage bytes can lead to signature forgery. + - The code does not check for tailing garbage bytes after decoding a + `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed + and garbage data added to forge a signature when a low public exponent is + being used. + - Leniency in checking type octet. + - `DigestInfo` is not properly checked for proper ASN.1 structure. This can + lead to successful verification with signatures that contain invalid + structures but a valid digest. + . + For more information, please see "Bleichenbacher's RSA signature forgery based + on implementation error" by Hal Finney: + https://mailarchive.ietf.org/arch/msg/openpgp/5rnE9ZRN1AokBVj3VqblGlP63QE/ + . + Fixed with the following: + . + - [asn1] `fromDer` is now more strict and will default to ensuring all + input bytes are parsed or throw an error. A new option `parseAllBytes` + can disable this behavior. + - **NOTE**: The previous behavior is being changed since it can lead + to security issues with crafted inputs. It is possible that code + doing custom DER parsing may need to adapt to this new behavior and + optional flag. + - [rsa] Add and use a validator to check for proper structure of parsed + ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that + the hash algorithm identifier is a known value. 
An invalid + `DigestInfo` or algorithm identifier will now cause an error to be + thrown. + - [oid] Added `1.2.840.113549.2.2` / `md2` for hash algorithm checking. + - [tests] Tests were added for all of the reported issues. A private + verify option was added to assist in checking multiple possible + failures in the test data. +Author: David I. Lehn +Origin: upstream, https://github.com/digitalbazaar/forge/commit/3f0b49a0 +Bug: + https://github.com/digitalbazaar/forge/security/advisories/GHSA-cfm4-qjh2-4765 + https://github.com/digitalbazaar/forge/security/advisories/GHSA-x4jg-mjrx-434g + https://github.com/digitalbazaar/forge/security/advisories/GHSA-2r2c-g63r-vccr +Forwarded: not-needed +Reviewed-By: Yadd +Last-Update: 2022-03-23 + +--- a/lib/asn1.js b/lib/asn1.js +@@ -411,6 +411,8 @@ + * @param [options] object with options or boolean strict flag + * [strict] true to be strict when checking value lengths, false to + *allow truncated values (default: true). ++ * [parseAllBytes] true to ensure all bytes are parsed ++ *(default: true) + * [decodeBitStrings] true to attempt to decode the content of + *BIT STRINGs (not OCTET STRINGs) using strict mode. Note that + *without schema support to understand the data context this can +@@ -418,24 +420,31 @@ + *flag will be deprecated or removed as soon as sc
Bug#1008162: bullseye-pu: package node-minimist/1.2.5+~cs5.3.1-2+deb11u1
Package: release.debian.org Severity: normal Tags: bullseye User: release.debian@packages.debian.org Usertags: pu [ Reason ] node-minimist is vulnerable to a prototype pollution not totally fixed by CVE-2020-7598 patch (pushed in 1.2.5-1 and 1.2.0-1+deb10u1) [ Impact ] Medium vulnerability [ Tests ] Test updated by upstream, passed [ Risks ] Low risk, patch is trivial [ Checklist ] [X] *all* changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in (old)stable [X] the issue is verified as fixed in unstable [ Changes ] Better object check Cheers, Yadd diff --git a/debian/changelog b/debian/changelog index c2fbfe1..a2262fa 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +node-minimist (1.2.5+~cs5.3.1-2+deb11u1) bullseye; urgency=medium + + * Team upload + * Fix prototype pollution (Closes: CVE-2021-44906) + + -- Yadd Wed, 23 Mar 2022 12:33:02 +0100 + node-minimist (1.2.5+~cs5.3.1-2) unstable; urgency=medium * Team upload diff --git a/debian/patches/CVE-2021-44906.patch b/debian/patches/CVE-2021-44906.patch new file mode 100644 index 000..36bee5f --- /dev/null +++ b/debian/patches/CVE-2021-44906.patch 
@@ -0,0 +1,59 @@
+Description: Fix for prototype pollution
+ The initial fix for prototype pollution (cf. SNYK-JS-MINIMIST-559764) in
+ setKey() was insufficient.
+Author: Yadd
+Origin: upstream, https://github.com/substack/minimist/pull/165
+Bug: https://github.com/substack/minimist/issues/164
+Forwarded: not-needed
+Last-Update: 2022-03-23
+
+--- a/index.js b/index.js
+@@ -70,7 +70,7 @@
+ var o = obj;
+ for (var i = 0; i < keys.length-1; i++) {
+ var key = keys[i];
+-if (key === '__proto__') return;
++if (isConstructorOrProto(o, key)) return;
+ if (o[key] === undefined) o[key] = {};
+ if (o[key] === Object.prototype || o[key] === Number.prototype
+ || o[key] === String.prototype) o[key] = {};
+@@ -79,7 +79,7 @@
+ }
+
+ var key = keys[keys.length - 1];
+-if (key === '__proto__') return;
++if (isConstructorOrProto(o, key)) return;
+ if (o === Object.prototype || o === Number.prototype
+ || o === String.prototype) o = {};
+ if (o === Array.prototype) o = [];
+@@ -243,3 +243,7 @@
+ return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
+ }
+
++
++function isConstructorOrProto (obj, key) {
++return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
++}
+--- a/test/proto.js b/test/proto.js
+@@ -42,3 +42,19 @@
+ t.equal(argv.y, undefined);
+ t.end();
+ });
++
++test('proto pollution (constructor function)', function (t) {
++var argv = parse(['--_.concat.constructor.prototype.y', '123']);
++function fnToBeTested() {}
++t.equal(fnToBeTested.y, undefined);
++t.equal(argv.y, undefined);
++t.end();
++});
++
++// powered by snyk - https://github.com/backstage/backstage/issues/10343
++test('proto pollution (constructor function) snyk', function (t) {
++var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
++t.equal((function(){}).foo, undefined);
++t.equal(argv.y, undefined);
++t.end();
++})
diff --git a/debian/patches/series b/debian/patches/series
index 81a5e8e..eee91a0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 nodejs.patch
+CVE-2021-44906.patch
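Review bot: `isConstructorOrProto` is the security boundary of this fix yet has no comment, and its unparenthesised `&&`/`||` mix reads as ambiguous even though the precedence is what the author intended; write it as `return (key === 'constructor' && typeof obj[key] === 'function') || key === '__proto__';` with `// refuse 'constructor' when it resolves to a function (a class) and '__proto__': either would make the next write land on a shared prototype` above it. In the second added test, `t.equal(argv.y, undefined)` asserts a key that input never sets (it writes `.prototype.foo`), so the line passes vacuously; assert `argv.foo` instead, or drop it, so the test actually checks the parsed result. `setKey` starts and ends outside the hunk.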