Bug#1102310: marked as done (bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1)

To: jmw@debian.org
Subject: Bug#1102310: marked as done (bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sat, 17 May 2025 09:39:13 +0000
Message-id: <[🔎] handler.1102310.D1102310.17474746811605481.ackdone@bugs.debian.org>
Reply-to: 1102310@bugs.debian.org
References: <E1uGDzS-005KIB-4Z@coccia.debian.org> <174403251014.1123900.9153272203968704403.reportbug@yadd-217.xnr.fr>

Your message dated Sat, 17 May 2025 09:37:58 +0000
with message-id <E1uGDzS-005KIB-4Z@coccia.debian.org>
and subject line Close 1102310
has caused the Debian Bug report #1102310,
regarding bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1102310: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1102310
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1
From: Yadd <yadd@debian.org>
Date: Mon, 07 Apr 2025 15:28:30 +0200
Message-id: <174403251014.1123900.9153272203968704403.reportbug@yadd-217.xnr.fr>

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-send@packages.debian.org, yadd@debian.org
Control: affects -1 + src:node-send
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-send is vulnerable to XSS issue (#1081483, CVE-2024-43799)0

[ Impact ]
Medium security issue

[ Tests ]
Test updated in patch

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't insert data from user into HTML code

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog
index 09bf7b8..0e87b9c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-send (0.18.0+~cs1.19.1-3+deb12u1) bookworm; urgency=medium
+
+  * Fix XSS issue (Closes: #1081483, CVE-2024-43799)
+
+ -- Yadd <yadd@debian.org>  Mon, 07 Apr 2025 15:25:46 +0200
+
 node-send (0.18.0+~cs1.19.1-3) unstable; urgency=medium
 
   * Add Breaks: node-express < 4.18.1~
diff --git a/debian/patches/CVE-2024-43799.patch b/debian/patches/CVE-2024-43799.patch
new file mode 100644
index 0000000..b0e8cd7
--- /dev/null
+++ b/debian/patches/CVE-2024-43799.patch
@@ -0,0 +1,43 @@
+Description: fix XSS issue CVE-2024-43799
+Author: Ulises Gascón <https://github.com/UlisesGascon>,
+ Chris de Almeida <https://github.com/ctcpip>
+Origin: upstream, https://github.com/pillarjs/send/commit/ae4f2989
+Bug: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
+Bug-Debian: https://bugs.debian.org/1081483
+Forwarded: not-needed
+Applied-Upstream: 0.19.0, commit:ae4f2989
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2025-04-07
+
+--- a/index.js
++++ b/index.js
+@@ -482,8 +482,7 @@
+   }
+ 
+   var loc = encodeUrl(collapseLeadingSlashes(this.path + '/'))
+-  var doc = createHtmlDocument('Redirecting', 'Redirecting to <a href="' + escapeHtml(loc) + '">' +
+-    escapeHtml(loc) + '</a>')
++  var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
+ 
+   // redirect
+   res.statusCode = 301
+--- a/test/send.js
++++ b/test/send.js
+@@ -358,7 +358,7 @@
+         .get('/pets')
+         .expect('Location', '/pets/')
+         .expect('Content-Type', /html/)
+-        .expect(301, />Redirecting to <a href="\/pets\/">\/pets\/<\/a></, done)
++        .expect(301, />Redirecting to \/pets\/</, done)
+     })
+ 
+     it('should respond with default Content-Security-Policy', function (done) {
+@@ -386,7 +386,7 @@
+         .get('/snow')
+         .expect('Location', '/snow%20%E2%98%83/')
+         .expect('Content-Type', /html/)
+-        .expect(301, />Redirecting to <a href="\/snow%20%E2%98%83\/">\/snow%20%E2%98%83\/<\/a></, done)
++        .expect(301, />Redirecting to \/snow%20%E2%98%83\/</, done)
+     })
+   })
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 5fe0e4c..e454667 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 disable-failing-test.patch
 fix-for-mime-2.patch
+CVE-2024-43799.patch

--- End Message ---

--- Begin Message ---

To: 1102310-done@bugs.debian.org

Subject: Close 1102310

From: jmw@debian.org

Date: Sat, 17 May 2025 09:37:58 +0000

Message-id: <E1uGDzS-005KIB-4Z@coccia.debian.org>
Version: 12.11
This update has been released as part of 12.10. Thank you for your contribution.
--- End Message ---

Reply to:

Prev by Date: Bug#1102135: marked as done (bookworm-pu: package abseil/20220623.1-1+deb12u1)
Next by Date: Bug#1102478: marked as done (bookworm-pu: package node-serialize-javascript/6.0.0-2+deb12u1)
Previous by thread: Bug#1102135: marked as done (bookworm-pu: package abseil/20220623.1-1+deb12u1)
Next by thread: Bug#1102478: marked as done (bookworm-pu: package node-serialize-javascript/6.0.0-2+deb12u1)
Index(es):
- Date
- Thread