
Bug#987546: unblock: node-redis/3.0.2+~cs5.18.1-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package node-redis

[ Reason ]
node-redis is vulnerable to a Regex Denial of Service

[ Impact ]
Medium security risk

[ Tests ]
No change in tests. Both build & autopkgtest passed

[ Risks ]
Change is trivial: just a regex fix. node-redis has no reverse
dependencies for now, so no risk for other packages

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
Patch also includes:
 * uploaders list update: Leo is MIA
 * GitHub regex fix in debian/watch

unblock node-redis/3.0.2+~cs5.18.1-3
diff --git a/debian/changelog b/debian/changelog
index 4f546a6..f25dee1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,14 @@
+node-redis (3.0.2+~cs5.18.1-3) UNRELEASED; urgency=medium
+
+  * Fix GitHub tags regex
+  * Uploaders: remove Leo Iannacone, thanks for your work!
+  * Fix potential ReDoS (Closes: CVE-2021-29469)
+
+ -- Yadd <yadd@debian.org>  Sun, 25 Apr 2021 13:54:43 +0200
+
 node-redis (3.0.2+~cs5.18.1-2) unstable; urgency=medium
 
+  [ Xavier Guimard ]
   * Add node-lodash-packages in test dependencies
 
  -- Xavier Guimard <yadd@debian.org>  Mon, 21 Dec 2020 06:13:22 +0100
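Review bot: the new entry at the top of this hunk still carries the UNRELEASED distribution while the request asks to unblock 3.0.2+~cs5.18.1-3; the package has to be uploaded to unstable (changelog reading `unstable`) before the release team can unblock it, and the debdiff should be taken from that upload. Second, `Fix potential ReDoS (Closes: CVE-2021-29469)` will not be parsed as a bug closure, because `Closes:` expects Debian bug numbers; write the CVE id in the entry text, e.g. `Fix potential ReDoS (CVE-2021-29469)`, and add a `Closes:` only for a BTS bug number if one exists. Minor: the `[ Xavier Guimard ]` attribution line is inserted into the already released -2 entry; harmless, but changes to released entries are usually avoided.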
diff --git a/debian/control b/debian/control
index 8fecf53..de2c694 100644
--- a/debian/control
+++ b/debian/control
@@ -1,6 +1,6 @@
 Source: node-redis
 Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
-Uploaders: Leo Iannacone <l3on@ubuntu.com>, Xavier Guimard <yadd@debian.org>
+Uploaders: Yadd <yadd@debian.org>
 Section: javascript
 Priority: optional
 Build-Depends: debhelper-compat (= 13)
diff --git a/debian/copyright b/debian/copyright
index 24794c5..b0ec804 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -21,7 +21,7 @@ License: Expat
 
 Files: debian/*
 Copyright: 2014 Leo Iannacone <l3on@ubuntu.com>
- 2019-2020 Xavier Guimard <yadd@debian.org>
+ 2019-2020 Yadd <yadd@debian.org>
 License: GPL-3
 
 Files: debian/tests/test_modules/intercept-stdout/*
diff --git a/debian/patches/CVE-2021-29469.patch b/debian/patches/CVE-2021-29469.patch
new file mode 100644
index 0000000..d074802
--- /dev/null
+++ b/debian/patches/CVE-2021-29469.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: Leibale Eidelman <leibale1998@gmail.com>
+Origin: upstream, https://github.com/NodeRedis/node-redis/commit/2d11b6dc
+Bug: https://github.com/NodeRedis/node-redis/issues/1569
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-04-25
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -127,7 +127,7 @@
+     reply_to_object: replyToObject,
+     print: print,
+     err_code: /^([A-Z]+)\s+(.+)$/,
+-    monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/,
++    monitor_regex: /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/,
+     clone: convenienceClone,
+     callback_or_emit: callbackOrEmit,
+     reply_in_order: replyInOrder
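Review bot: the replacement pattern is looser than the one it replaces, not just safer: `.*"$` only requires the line to end with a double quote, whereas `( ".+?")+$` required the text after `]` to be one or more ` "..."` argument groups. Neither version has capturing groups, so the regex can only be used as a yes/no test, but the call site is not in this diff and whether anything relies on the stricter shape should be checked before accepting the behaviour change. On the ReDoS itself: the exponential case came from the repeated group whose lazy `.+?` could itself run across `"` characters, so a tail of many quoted units that does not end in `"` forces every partition of those units to be tried; removing the group removes that. What remains, `.+\].*"$`, still backtracks once per `]` in the line with a linear scan after each, i.e. quadratic at worst, which is acceptable for MONITOR output. The DEP-3 header is complete (Origin with the upstream commit, Bug link, Forwarded: not-needed is correct for an upstream-originated patch).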
diff --git a/debian/patches/series b/debian/patches/series
index 73eead0..250556a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 avoid-failing-test.diff
 disable-tests-failing-with-redis-5.6.diff
 remove-cross-spawn.patch
+CVE-2021-29469.patch
diff --git a/debian/watch b/debian/watch
index ebfa712..34f812e 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,7 +1,7 @@
 version=4
 
 opts=filenamemangle=s/.*\/v?([\d\.-]+)\.tar\.gz/node-redis-$1.tar.gz/ \
- https://github.com/NodeRedis/node_redis/tags .*/archive/v?\.?([\d\.]+).tar.gz group
+ https://github.com/NodeRedis/node_redis/tags .*/archive/.*/v?\.?([\d\.]+).tar.gz group
 
 opts="searchmode=plain,pgpmode=none,ctype=nodejs,component=redis-commands" \
  https://registry.npmjs.org/redis-commands https://registry.npmjs.org/redis-commands/-/redis-commands-(\d[\d\.]*)@ARCHIVE_EXT@ checksum
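Review bot: the inserted `.*/` on the changed tags line is greedy and unanchored, so besides GitHub's newer `/archive/refs/tags/` layout it will accept any path below `archive/`; the `.` before `tar.gz` is also unescaped (pre-existing). Consider `.*/archive/.*/v?(\d[\d.]+)@ARCHIVE_EXT@`, or `@ANY_VERSION@@ARCHIVE_EXT@`, which would match the uscan substitution style already used on the redis-commands line below it; the `filenamemangle` on the opts line still applies either way.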

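The following is an added example to illustrate the ReDoS being fixed; it is not code from node-redis or from the debdiff above. The two regular expressions are copied verbatim from the CVE-2021-29469.patch hunk; the sample MONITOR lines, the crafted input and the timing helper are constructed here for illustration only.

```javascript
// Added example for this unblock request; not node-redis code and not part of
// the debdiff. Only the two patterns come from the patch hunk; everything else
// below (sample lines, crafted input, timing helper) is constructed here.

// Before the fix. The tail `( ".+?")+$` repeats a group whose lazy `.+?` may
// itself run across `"` characters, so a tail of n quoted units that does not
// end in `"` makes the engine try every way of partitioning the units into
// groups (about 2^(n-1) attempts) before it can report "no match".
const MONITOR_REGEX_OLD = /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\]( ".+?")+$/;

// After the fix. The tail `.*"$` is one quantifier followed by a literal that
// must sit at the end of the line; the remaining backtracking (once per `]`
// for `.+\]`, then a linear scan) is at worst quadratic in the line length.
const MONITOR_REGEX_NEW = /^[0-9]{10,11}\.[0-9]+ \[[0-9]+ .+\].*"$/;

// Constructed Redis MONITOR line with three quoted arguments.
const SAMPLE_LINE = '1619351683.123456 [0 127.0.0.1:49152] "set" "key" "value"';

// Constructed line whose tail is not a sequence of ` "..."` groups but still
// ends in `"`: rejected by the old pattern, accepted by the new one. This is
// the behavioural change the fix brings besides removing the ReDoS.
const LOOSE_LINE = '1619351683.123456 [0 127.0.0.1:49152] unquoted"';

// Valid prefix, n units of ` "a"`, then a final byte that makes `$` fail.
function craftedLine(n) {
  return '1619351683.123456 [0 127.0.0.1:49152]' + ' "a"'.repeat(n) + 'x';
}

function matchesOld(line) {
  return MONITOR_REGEX_OLD.test(line);
}

function matchesNew(line) {
  return MONITOR_REGEX_NEW.test(line);
}

// Wall-clock cost of one test, in milliseconds.
function timeTest(regex, line) {
  const start = process.hrtime.bigint();
  regex.test(line);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Print how the cost of a failed match grows with n for each pattern. n is
// kept at or below 20 (about half a million backtracking paths for the old
// pattern) so the demonstration itself still finishes quickly; a few more
// units would already take seconds, which is the denial-of-service condition.
function demo() {
  for (const n of [10, 14, 18, 20]) {
    const line = craftedLine(n);
    const oldMs = timeTest(MONITOR_REGEX_OLD, line).toFixed(2);
    const newMs = timeTest(MONITOR_REGEX_NEW, line).toFixed(3);
    console.log(`n=${n}: old ${oldMs} ms, new ${newMs} ms`);
  }
}

demo();
```

Run it with node; the old pattern's time roughly doubles for each added ` "a"` unit while the new one stays flat. Note the LOOSE_LINE case: the fix is not purely a safety change, the new pattern also accepts tails that the old one refused, which is worth knowing if anything downstream treats a match as proof of well-formed quoted arguments.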