
Bug#930374: stretch-pu: package node-url-parse/1.0.5-2+deb9u1



On Sat, 2020-04-25 at 20:28 +0100, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
> 
> On Tue, 2019-06-11 at 18:32 +0200, Xavier Guimard wrote:
> > node-url-parse does not parse correctly hostname which leads to
> > multiple vulnerabilities such as SSRF, Open Redirect, Bypass
> > Authentication Protocol,... (#906058, CVE-2018-3774)
> > 
> > I imported upstream patch in debian/patches/CVE-2018-3774.patch. This
> > is the only changes enabled on installed files. Since this package
> > didn't launch upstream test, I added also some build dependencies and
> > installed some little required test dependencies in
> > debian/tests/test_modules, and of course modify debian/rules.
> > 
> > If you prefer to have only the security change without test, I just
> > can just this commit with a debian/changelog entry:
> > https://salsa.debian.org/js-team/node-url-parse/commit/e4204c37
> > 
> 
> Apologies for the long delay. Please go ahead.

As a note, we're now planning for the final point release for stretch
before it moves to LTS.

Regards,

Adam

