Control: tags -1 + confirmed On Tue, 2019-06-11 at 18:32 +0200, Xavier Guimard wrote: > node-url-parse does not parse correctly hostname which leads to > multiple vulnerabilities such as SSRF, Open Redirect, Bypass > Authentication Protocol,... (#906058, CVE-2018-3774) > > I imported upstream patch in debian/patches/CVE-2018-3774.patch. This > is the only changes enabled on installed files. Since this package > didn't launch upstream test, I added also some build dependencies and > installed some little required test dependencies in > debian/tests/test_modules, and of course modify debian/rules. > > If you prefer to have only the security change without test, I just > can just this commit with a debian/changelog entry: > https://salsa.debian.org/js-team/node-url-parse/commit/e4204c37 >
Apologies for the long delay. Please go ahead. Regards, Adam
