--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package node-axios
Hi all,
node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very
simple:
--- a/lib/adapters/http.js
+++ b/lib/adapters/http.js
@@ -172,6 +172,7 @@
// make sure the content length is not over the maxContentLength if specified
if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) {
+ stream.destroy();
reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
config, null, lastRequest));
}
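Review bot: `stream.destroy()` is the right intent, but the hunk does not show what `stream` is at this point; if it is a decompression stream piped from the raw response rather than the response itself, destroying it only unpipes the source and leaves the connection reading, so confirm the underlying response (or the request) is torn down as well. Separately, the check still runs `Buffer.concat(responseBuffer).length` on every `data` event, copying the whole accumulated body each time; a running byte counter incremented per chunk gives the same check in O(1) and is worth doing while touching this line.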
Full changes:
* Declare compliance with policy 4.3.0
* Add upstream/metadata
* Add patch to destroy stream on exceeding maxContentLength
(Closes: #928624, CVE-2019-10742)
* Fix debian/copyright format URL
node-axios has no reverse dependencies.
I think it is low risk to upgrade node-axios in Buster.
Cheers,
Xavier
unblock node-axios/0.17.1+dfsg-2
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index b79d090..88ae229 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+node-axios (0.17.1+dfsg-2) unstable; urgency=medium
+
+ * Team upload
+ * Declare compliance with policy 4.3.0
+ * Add upstream/metadata
+ * Add patch to destroy stream on exceeding maxContentLength
+ (Closes: #928624, CVE-2019-10742)
+ * Fix debian/copyright format URL
+
+ -- Xavier Guimard <yadd@debian.org> Tue, 07 May 2019 22:59:58 +0200
+
node-axios (0.17.1+dfsg-1) unstable; urgency=low
* Initial release (Closes: #876067)
diff --git a/debian/control b/debian/control
index 808fda3..7090bf8 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Build-Depends:
, node-grunt-contrib-nodeunit <!nocheck>
, node-follow-redirects (>= 1.2.3) <!nocheck>
, node-is-buffer (>= 1.1.5) <!nocheck>
-Standards-Version: 4.2.1
+Standards-Version: 4.3.0
Homepage: https://github.com/mzabriskie/axios
Vcs-Git: https://salsa.debian.org/js-team/node-axios.git
Vcs-Browser: https://salsa.debian.org/js-team/node-axios
diff --git a/debian/copyright b/debian/copyright
index 8f366c9..7098b5e 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: axios
Upstream-Contact: https://github.com/mzabriskie/axios/issues
Source: https://github.com/mzabriskie/axios
diff --git a/debian/patches/CVE-2019-10742.diff b/debian/patches/CVE-2019-10742.diff
new file mode 100644
index 0000000..3cb1a36
--- /dev/null
+++ b/debian/patches/CVE-2019-10742.diff
@@ -0,0 +1,18 @@
+Description: Destroy stream on exceeding maxContentLength
+Author: Xavier Guimard <yadd@debian.org>
+Origin: upstream, https://github.com/axios/axios/commit/0d4fca085b9b44e110f4c5a3dd7384c31abaf756
+Bug: https://github.com/axios/axios/issues/1098
+Bug-Debian: https://bugs.debian.org/928624
+Forwarded: not-needed
+Last-Update: 2019-05-07
+
+--- a/lib/adapters/http.js
++++ b/lib/adapters/http.js
+@@ -172,6 +172,7 @@
+
+ // make sure the content length is not over the maxContentLength if specified
+ if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) {
++ stream.destroy();
+ reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded',
+ config, null, lastRequest));
+ }
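Review bot: the DEP-3 header is inconsistent: `Author: Xavier Guimard` names the Debian maintainer, but `Origin: upstream, https://github.com/axios/axios/commit/0d4fca0...` says the change was taken from upstream, and DEP-3 reserves Author/From for whoever wrote the patch. Either credit the upstream commit author there or drop the Author line; `Forwarded: not-needed` is correct for an upstream-origin patch. An `Applied-Upstream:` field naming the upstream release that carries this commit would also tell future maintainers when the patch can be dropped.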
diff --git a/debian/patches/series b/debian/patches/series
index f9a8deb..877fd7a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
skip-unneeded-modules.patch
use-webpack3.patch
+CVE-2019-10742.diff
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..a885fe3
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/mzabriskie/axios/issues
+Contact: https://github.com/mzabriskie/axios/issues
+Name: axios
+Repository: https://github.com/mzabriskie/axios.git
+Repository-Browse: https://github.com/mzabriskie/axios
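Review bot: every URL in this new file (Bug-Database, Contact, Repository, Repository-Browse) points at github.com/mzabriskie/axios, as does Homepage in debian/control, while the Origin line of debian/patches/CVE-2019-10742.diff cites github.com/axios/axios for the same project. If the repository has moved to the axios organisation, record the current location here and in Homepage so bug links and any watch file do not depend on a GitHub redirect.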
--- End Message ---