
Bug#991737: unblock: node-url-parse/1.5.3-1



On 31/07/2021 at 13:25, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-url-parse
> 
> [ Reason ]
> node-url-parse 1.5.1 is vulnerable to URL redirection to untrusted
> sites.
> 
> [ Impact ]
> Medium security issue
> 
> [ Tests ]
> Test passed (both build & autopkgtest)
> 
> [ Risks ]
> Low risk: node-url-parse is a reverse dependency of:
>  * node-miragejs (Build only)
>  * node-original
>    * node-eventsource
> 
> I tested rebuild & autopkgtest with success:
>   rebuild      node-miragejs ... PASS
>   autopkgtest  node-original ... PASS
>   rebuild      node-original ... PASS
> 
> [ Checklist ]
>   [X] all changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in testing
> 
> [ Other info ]
> I preferred to update node-url-parse instead of backporting changes since
> all changes are related to this vulnerability (including test updates)

References:
 * commits list: https://github.com/unshiftio/url-parse/commits/master
 * 1.5.2 changes:
   - Sanitize only special URLs (#209)
     https://github.com/unshiftio/url-parse/pull/209
 * 1.5.3 changes:
   - Fix host parsing for file URLs (#210)
     https://github.com/unshiftio/url-parse/commit/c7984617

1.5.3 changes are based on 1.5.2 changes; that's why I can't backport
only the security fix.

Cheers,
Yadd
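
The request above names the vulnerability class (URL redirection to an untrusted site through a URL parser) without going into the parser details. As an added example that is not code from url-parse, the Debian package or this thread, the block below shows the guard a redirect endpoint should apply on the consumer side regardless of which parser version is installed: resolve the user-supplied target against the site's own origin with the WHATWG URL parser built into Node.js and only honour it when the resolved origin is unchanged. The origin `https://example.com`, the fallback path `/`, the function name `safeRedirectTarget` and the sample inputs are assumptions made for this example.

```javascript
// Added example (not code from url-parse or the Debian package): a
// consumer-side guard for a redirect endpoint. Whatever a given parser does
// with backslashes, userinfo or missing slashes, the redirect is only
// honoured when the resolved target stays on our own origin.
//
// Assumptions (not in the original message): the application origin is
// https://example.com, the fallback landing page is "/", and targets are
// resolved with the WHATWG URL parser that Node.js exposes as the global URL.

const SITE_ORIGIN = "https://example.com";
const FALLBACK = "/";

/**
 * Resolve `target` the way a browser would (relative to `siteOrigin`) and
 * return a same-origin path to redirect to, or FALLBACK if the target would
 * leave the site or cannot be parsed at all.
 */
function safeRedirectTarget(target, siteOrigin = SITE_ORIGIN) {
  if (typeof target !== "string" || target.length === 0) return FALLBACK;

  let resolved;
  try {
    resolved = new URL(target, siteOrigin);
  } catch (_err) {
    return FALLBACK; // unparsable input: never echo it into a Location header
  }

  // Compare origins, not string prefixes: "https://example.com.evil.test"
  // and "https://example.com@evil.test" both fail this check, and a
  // non-http scheme such as javascript: has the opaque origin "null".
  if (resolved.origin !== new URL(siteOrigin).origin) return FALLBACK;

  // Rebuild the value from path, query and fragment only, so userinfo or a
  // differently-cased host never reach the Location header.
  return resolved.pathname + resolved.search + resolved.hash;
}

// Constructed sample inputs a redirect endpoint might receive via ?next=.
// The right-hand column is what safeRedirectTarget must return for each.
const SAMPLES = [
  ["/account",                       "/account"],   // ordinary relative path
  ["https://example.com/a?b=1#c",    "/a?b=1#c"],   // absolute, same origin
  ["//evil.test/",                   FALLBACK],     // protocol-relative
  ["/\\evil.test/",                  FALLBACK],     // backslash is a slash for http(s) per WHATWG
  ["https://example.com@evil.test/", FALLBACK],     // userinfo trick
  ["https://example.com.evil.test/", FALLBACK],     // prefix-match trap
  ["javascript:alert(1)",            FALLBACK],     // non-http scheme
  ["http://example.com/",            FALLBACK],     // scheme downgrade is a different origin
];

// Run every sample through the guard and report input, result and verdict.
function checkSamples() {
  return SAMPLES.map(([input, expected]) => {
    const got = safeRedirectTarget(input);
    return { input, got, ok: got === expected };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of checkSamples()) {
    console.log(`${r.ok ? "ok  " : "FAIL"} ${JSON.stringify(r.input)} -> ${JSON.stringify(r.got)}`);
  }
}
```

The point of comparing `origin` rather than checking a hostname prefix or the first character of the string is that the parser, not the application, decides what `//`, `/\` or `user@host` mean; letting the same parser the browser uses resolve the target and then insisting the origin did not change removes the dependency on any one library's sanitisation rules.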

