Bug#991737: unblock: node-url-parse/1.5.3-1
On 31/07/2021 at 13:25, Yadd wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package node-url-parse
>
> [ Reason ]
> node-url-parse 1.5.1 is vulnerable to URL redirection to untrusted
> sites.
>
> [ Impact ]
> Medium security issue
>
> [ Tests ]
> Test passed (both build & autopkgtest)
>
> [ Risks ]
> Low risk: node-url-parse is a reverse dependency of:
> * node-miragejs (Build only)
> * node-original
> * node-eventsource
>
> I tested rebuild & autopkgtest with success:
> rebuild node-miragejs ... PASS
> autopkgtest node-original ... PASS
> rebuild node-original ... PASS
>
> [ Checklist ]
> [X] all changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in testing
>
> [ Other info ]
> I preferred to update node-url-parse instead of backporting changes since
> all changes are related to this vulnerability (including test updates)
References:
* commits list: https://github.com/unshiftio/url-parse/commits/master
* 1.5.2 changes:
- Sanitize only special URLs (#209)
https://github.com/unshiftio/url-parse/pull/209
* 1.5.3 changes:
- Fix host parsing for file URLs (#210)
https://github.com/unshiftio/url-parse/commit/c7984617
1.5.3 changes are based on 1.5.2 changes, that's why I can't backport
only the security fix.
Cheers,
Yadd
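The issue behind this request is the open-redirect class: an application validates a redirect parameter with one parser while the browser resolves it with the WHATWG algorithm, and the two disagree on the host. The following is an added example, not code from url-parse, from its upstream fixes, or from the Debian package. It contrasts a naive prefix check with a check built on Node's built-in WHATWG-compliant `URL` class; the site origin `trusted.example`, the allow list and the sample redirect parameters are all constructed for illustration.

```javascript
'use strict';
// Added example, not code from url-parse or the Debian package. A redirect
// target is only followed when Node's WHATWG-compliant URL parser resolves it
// to an allow-listed host. Origin, hosts and sample inputs are constructed.

const SITE_ORIGIN = 'https://trusted.example';                 // assumed site origin
const ALLOWED_HOSTS = new Set(['trusted.example', 'www.trusted.example']);

// Naive check seen in many applications: string prefix match on the raw
// parameter, accepting "our origin" or anything that looks site-relative.
function naiveAllows(raw) {
  return raw.startsWith(SITE_ORIGIN) || raw.startsWith('/');
}

// Parser-based check: resolve relative targets against our origin, then
// require an http(s) scheme and an allow-listed hostname. Returns the
// normalized href to redirect to, or null to refuse.
function safeRedirectTarget(raw) {
  let url;
  try {
    url = new URL(raw, SITE_ORIGIN);
  } catch (e) {
    return null;            // unparseable input is refused, not "fixed up"
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Constructed redirect parameters exercising classic parser differentials.
const SAMPLES = [
  '/account',                                 // honest site-relative path
  'https://trusted.example/account',          // honest absolute URL
  'https://trusted.example@evil.example/',    // userinfo trick: host is evil.example
  '//evil.example/x',                         // scheme-relative: host is evil.example
  '/\\evil.example',                          // '\' acts as '/' for special schemes
  'https://trusted.example.evil.example/',    // suffix trick
  'http://trusted.example\\@evil.example',    // '\' ends the authority; host stays trusted
  'javascript:alert(1)',                      // non-http scheme
];

// Evaluate one raw parameter under both checks.
function evaluate(raw) {
  return { raw, naive: naiveAllows(raw), safe: safeRedirectTarget(raw) };
}

function main() {
  for (const raw of SAMPLES) {
    const r = evaluate(raw);
    console.log(`${JSON.stringify(raw)}\n  naive allows: ${r.naive}\n  parsed target: ${r.safe}`);
  }
}

if (typeof module !== 'undefined' && require.main === module) main();
```

Run it with `node` and compare the two columns: the naive check waves through the userinfo, scheme-relative, backslash and suffix variants, each of which a browser would send to `evil.example`, while the parser-based check refuses them and returns a normalized href only for targets whose WHATWG-resolved host is on the allow list. The backslash-after-host case is the inverse lesson: because `\` terminates the authority for special schemes, the host really is `trusted.example`, so a validator that rejects or rewrites it differently from the browser is the kind of mismatch the 1.5.2 "sanitize only special URLs" change addresses.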