Bug#1003526: bullseye-pu: package node-follow-redirects/1.13.1-1+deb11u1
Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu
[ Reason ]
follow-redirects is vulnerable to Exposure of Private Personal Information
to an Unauthorized Actor
[ Impact ]
Medium vulnerability
[ Tests ]
Test passed, no new test
[ Risks ]
Low risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Drop Cookie header
Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 5bfcaa7..63c3770 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-follow-redirects (1.13.1-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Drop Cookie header across domains (Closes: CVE-2022-0155)
+
+ -- Yadd <yadd@debian.org> Tue, 11 Jan 2022 12:11:11 +0100
+
node-follow-redirects (1.13.1-1) unstable; urgency=medium
* Team upload
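Review bot: `Closes:` in the new changelog line `* Drop Cookie header across domains (Closes: CVE-2022-0155)` is parsed by dpkg as a list of Debian bug numbers (`#NNNNNN`), so a CVE id after it closes nothing and is silently ignored; the usual form is the bare parenthetical `(CVE-2022-0155)`, which the security tracker picks up from the changelog on its own. If a BTS bug was filed for this issue, put its number after `Closes:` and keep the CVE id alongside it.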
diff --git a/debian/patches/CVE-2022-0155.patch b/debian/patches/CVE-2022-0155.patch
new file mode 100644
index 0000000..0e8419f
--- /dev/null
+++ b/debian/patches/CVE-2022-0155.patch
@@ -0,0 +1,22 @@
+Description: Drop Cookie header across domains.
+Author: Ruben Verborgh <ruben@verborgh.org>
+Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/8b347cbc
+Bug: https://github.com/follow-redirects/follow-redirects/issues/183
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2022-01-11
+
+--- a/index.js
++++ b/index.js
+@@ -345,9 +345,9 @@
+ var redirectUrlParts = url.parse(redirectUrl);
+ Object.assign(this._options, redirectUrlParts);
+
+- // Drop the Authorization header if redirecting to another host
++ // Drop the confidential headers when redirecting to another domain
+ if (redirectUrlParts.hostname !== previousHostName) {
+- removeMatchingHeaders(/^authorization$/i, this._options.headers);
++ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ }
+
+ // Evaluate the beforeRedirect callback
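Review bot: the new comment `+ // Drop the confidential headers when redirecting to another domain` says "domain", but the guard directly below it is unchanged and still compares `redirectUrlParts.hostname !== previousHostName`, so the Authorization and Cookie headers are stripped on any hostname change (a redirect between two subdomains of one domain included) and kept on any same-host redirect whatever the scheme or port. Reword the comment to "another host" so it describes the check that is actually made, or, if domain-level sharing is the intended behaviour, say so in the patch description rather than only in the comment. The rest of the hunk is fine: the `i` flag is kept, so `Cookie`, `cookie` and `COOKIE` are all matched, and the header `removeMatchingHeaders` is applied to is the same `this._options.headers` object as before.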
diff --git a/debian/patches/series b/debian/patches/series
index a22cf9d..b90eb05 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
fix-test.patch
+CVE-2022-0155.patch