Your message dated Fri, 13 Oct 2023 18:19:33 +0000
with message-id <e1qrml3-00aanu...@fasolo.debian.org>
and subject line Bug#1053879: fixed in node-undici 5.26.3+dfsg1+~cs23.10.12-1
has caused the Debian Bug report #1053879,
regarding node-undici: CVE-2023-45143
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1053879: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1053879
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-undici
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-undici.

CVE-2023-45143[0]:
| Undici is an HTTP/1.1 client written from scratch for Node.js. Prior
| to version 5.26.2, Undici already cleared Authorization headers on
| cross-origin redirects, but did not clear `Cookie` headers. By
| design, `cookie` headers are forbidden request headers, disallowing
| them to be set in RequestInit.headers in browser environments. Since
| undici handles headers more liberally than the spec, there was a
| disconnect from the assumptions the spec made, and undici's
| implementation of fetch. As such this may lead to accidental leakage
| of cookie to a third-party site or a malicious attacker who can
| control the redirection target (i.e. an open redirector) to leak the
| cookie to the third party site. This was patched in version 5.26.2.
| There are no known workarounds.

https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp
https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-45143
    https://www.cve.org/CVERecord?id=CVE-2023-45143

Please adjust the affected versions in the BTS as needed.

--- End Message ---
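The redirect handling the report above describes, as an added illustration that is not part of this bug report and not undici's own code: a follow-up request built for a redirect should drop credential-bearing headers whenever the target origin differs from the origin the headers were sent to. The header set, the URL values and the "legacy" variant (which clears only Authorization, the pre-5.26.2 behaviour the advisory describes) are assumptions constructed for this example.

```javascript
// Added example, not undici's code: header handling when following a redirect.
// The fixed policy strips both Authorization and Cookie on a cross-origin hop;
// the legacy policy strips only Authorization, which is the gap CVE-2023-45143
// reports. Header set and sample values are assumptions for this example.

// Headers that must not follow a request across an origin boundary
// (the two named in the advisory; assumed set for this example).
const CREDENTIAL_HEADERS = new Set(['authorization', 'cookie']);

// Two URLs share an origin when scheme, host and port all match.
// WHATWG URL normalises a default port to '', so https://a:443 equals https://a.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Resolve a Location header (absolute or relative) against the request URL.
function resolveLocation(fromUrl, location) {
  return new URL(location, fromUrl).href;
}

// Build the header set for the follow-up request. Header names are compared
// case-insensitively, as HTTP requires, so "Cookie" and "cookie" are both caught.
function headersForRedirect(headers, fromUrl, location, drop = CREDENTIAL_HEADERS) {
  const target = resolveLocation(fromUrl, location);
  const crossOrigin = !sameOrigin(fromUrl, target);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && drop.has(name.toLowerCase())) continue; // stripped
    out[name] = value;
  }
  return { target, crossOrigin, headers: out };
}

// Pre-5.26.2 behaviour as the advisory describes it: only Authorization cleared.
function headersForRedirectLegacy(headers, fromUrl, location) {
  return headersForRedirect(headers, fromUrl, location, new Set(['authorization']));
}

// Constructed sample request: a bearer token and a session cookie for a.example.
const SAMPLE_HEADERS = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed-value',
  Accept: 'application/json',
};

// Constructed scenario: a.example answers with a redirect to b.example.
const FROM = 'https://a.example/api/resource';
const LOCATION = 'https://b.example/landing';

// Credential headers that would still be sent to the redirect target under a policy.
function leakedHeaders(follow, headers, fromUrl, location) {
  const { headers: sent } = follow(headers, fromUrl, location);
  return Object.keys(sent)
    .filter((h) => CREDENTIAL_HEADERS.has(h.toLowerCase()))
    .sort();
}

console.log('legacy policy leaks:', leakedHeaders(headersForRedirectLegacy, SAMPLE_HEADERS, FROM, LOCATION));
console.log('fixed policy leaks: ', leakedHeaders(headersForRedirect, SAMPLE_HEADERS, FROM, LOCATION));
```

Resolving Location against the request URL before the origin comparison matters: a relative Location such as `/login` stays same-origin and keeps its headers, while a change of scheme or port alone (for example `https://a.example:8443/`) is treated as cross-origin and stripped.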
--- Begin Message ---
Source: node-undici
Source-Version: 5.26.3+dfsg1+~cs23.10.12-1
Done: Yadd <y...@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1053...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <y...@debian.org> (supplier of updated node-undici package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 13 Oct 2023 22:03:31 +0400
Source: node-undici
Built-For-Profiles: nocheck
Architecture: source
Version: 5.26.3+dfsg1+~cs23.10.12-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Yadd <y...@debian.org>
Closes: 1052723 1053879
Changes:
 node-undici (5.26.3+dfsg1+~cs23.10.12-1) unstable; urgency=medium
 .
   * Embed @fastify/busboy
   * New upstream version (Closes: #1053879, CVE-2023-45143)
   * Unfuzz patches
   * Fix for clang 16 (Closes: #1052723)
   * Update copyright
   * Update lintian overrides
   * Update test
Checksums-Sha1:
 a515674b55b515cff139a48750be759192bdc1b0 4554 node-undici_5.26.3+dfsg1+~cs23.10.12-1.dsc
 46b46af6495b75a900886a20879c5de0543c5e5c 2772 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-binary-search.tar.xz
 0b33eb490c2e364847900e74b5c997853e7ee3b1 37344 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-fastify-busboy.tar.xz
 4813680dc96a2bf6e1494da5a7c49e88d2b5f053 5893104 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llhttp.tar.xz
 45faa0054d37a1b6a6a463a428fb6d0cb6a8c23f 27872 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse-builder.tar.xz
 0f1a8a40daf6fb490f3c283448085ce013d09716 28840 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse-frontend.tar.xz
 61d3690843470b12531fbbc6ebf3587405d22151 34392 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse.tar.xz
 048f1b661c63b68c2a8a791ac5f6659fc6aacdac 1731748 node-undici_5.26.3+dfsg1+~cs23.10.12.orig.tar.xz
 7516af2bc2016673ff3c9cac2a286fb852f098c9 212852 node-undici_5.26.3+dfsg1+~cs23.10.12-1.debian.tar.xz
Checksums-Sha256:
 09cb3ab2112f112ea9318094f790752cdaa4b6fae2f633f6057b89695a8156d4 4554 node-undici_5.26.3+dfsg1+~cs23.10.12-1.dsc
 4c722d476f84b280160bfc428aa36e2806f9837902a43cda7caaa401c2a52f54 2772 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-binary-search.tar.xz
 4676313fcd592f99a8b6b901963f5d017c10d40ac5bd7672a8e13db3631afa89 37344 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-fastify-busboy.tar.xz
 118843eb0cf1c5442ea03c0b46fd83486e49e7125412f483dad3af8063e8eb8b 5893104 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llhttp.tar.xz
 48fc4ad3744179216d30f36e22a4e72bd11b6f47165f1bd22144436ba535b8f3 27872 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse-builder.tar.xz
 30e1c7809fc5b31bf63e8f3b6eaa8ff0f08910fa131294d46a3f33c849fd7f0e 28840 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse-frontend.tar.xz
 ca5062636558b8171ef7309fa829179258d2fb04914ade2ba663ce42970fe32a 34392 node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse.tar.xz
 20eebb73155ca8b35f4a6d4e028d7a1312c71948d71294434de260f61a734186 1731748 node-undici_5.26.3+dfsg1+~cs23.10.12.orig.tar.xz
 ad1a9820d05d47e2c4865bea5fd2701fccc9340424aa424081924f70561efb12 212852 node-undici_5.26.3+dfsg1+~cs23.10.12-1.debian.tar.xz
Files:
 7021952fb06a8a7fc4c6a0fdadfa2fd7 4554 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12-1.dsc
 00109915720120e4ee6ade7582b2b365 2772 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12.orig-binary-search.tar.xz
 591c02b9c60fa0951aeee4a55aa241b8 37344 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12.orig-fastify-busboy.tar.xz
 6a46e69b2a5fc3492fdd365519d61723 5893104 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llhttp.tar.xz
 af1818fe0c7e2939d19e35f3e7f80f91 27872 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse-builder.tar.xz
 ebf8b8761d2ec86b375e5f0c0be1b320 28840 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse-frontend.tar.xz
 825b830bb267ecbcb761428a7b4c80e1 34392 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12.orig-llparse.tar.xz
 b8f0b87e77c2732234d72ca8e538f68c 1731748 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12.orig.tar.xz
 5f154f2fd1f7f2af2bc30aeabbb05e86 212852 javascript optional node-undici_5.26.3+dfsg1+~cs23.10.12-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---