Bug#930374: stretch-pu: package node-url-parse/1.0.5-2+deb9u1

To: Xavier Guimard <yadd@debian.org>, 930374@bugs.debian.org
Subject: Bug#930374: stretch-pu: package node-url-parse/1.0.5-2+deb9u1
From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Date: Sat, 25 Apr 2020 20:28:13 +0100
Message-id: <[🔎] bedb1d1bb63192297573e6ef8caaf4042bed12bc.camel@adam-barratt.org.uk>
Reply-to: "Adam D. Barratt" <adam@adam-barratt.org.uk>, 930374@bugs.debian.org
In-reply-to: <156027073636.16845.2747596838213752496.reportbug@mac-debian.lemonldap-ng.org>
References: <156027073636.16845.2747596838213752496.reportbug@mac-debian.lemonldap-ng.org> <156027073636.16845.2747596838213752496.reportbug@mac-debian.lemonldap-ng.org>

Control: tags -1 + confirmed

On Tue, 2019-06-11 at 18:32 +0200, Xavier Guimard wrote:
> node-url-parse does not parse correctly hostname which leads to
> multiple vulnerabilities such as SSRF, Open Redirect, Bypass
> Authentication Protocol,... (#906058, CVE-2018-3774)
> 
> I imported upstream patch in debian/patches/CVE-2018-3774.patch. This
> is the only changes enabled on installed files. Since this package
> didn't launch upstream test, I added also some build dependencies and
> installed some little required test dependencies in
> debian/tests/test_modules, and of course modify debian/rules.
> 
> If you prefer to have only the security change without test, I just
> can just this commit with a debian/changelog entry:
> https://salsa.debian.org/js-team/node-url-parse/commit/e4204c37
> 

Apologies for the long delay. Please go ahead.

Regards,

Adam

Reply to:

Prev by Date: Processed: Re: Bug#930374: stretch-pu: package node-url-parse/1.0.5-2+deb9u1
Next by Date: Processed: Re: Bug#931678: buster-pu: package qdirstat/1.5-1+deb10u1
Previous by thread: Bug#927433: stretch-pu: package gosa/2.7.4+reloaded2-13+deb9u2
Next by thread: Processed: Re: Bug#930374: stretch-pu: package node-url-parse/1.0.5-2+deb9u1
Index(es):
- Date
- Thread