Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-s...@packages.debian.org, y...@debian.org
Control: affects -1 + src:node-send
User: release.debian....@packages.debian.org
Usertags: pu

[ Reason ]
node-send is vulnerable to XSS issue (#1081483, CVE-2024-43799)

[ Impact ]
Medium security issue

[ Tests ]
Test updated in patch

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't insert data from user into HTML code

Cheers,
Xavier

diff --git a/debian/changelog b/debian/changelog index 09bf7b8..0e87b9c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +node-send (0.18.0+~cs1.19.1-3+deb12u1) bookworm; urgency=medium + + * Fix XSS issue (Closes: #1081483, CVE-2024-43799) + + -- Yadd <y...@debian.org> Mon, 07 Apr 2025 15:25:46 +0200 + node-send (0.18.0+~cs1.19.1-3) unstable; urgency=medium * Add Breaks: node-express < 4.18.1~ diff --git a/debian/patches/CVE-2024-43799.patch b/debian/patches/CVE-2024-43799.patch new file mode 100644 index 0000000..b0e8cd7 --- /dev/null +++ b/debian/patches/CVE-2024-43799.patch 
@@ -0,0 +1,43 @@ +Description: fix XSS issue CVE-2024-43799 +Author: Ulises Gascón <https://github.com/UlisesGascon>, + Chris de Almeida <https://github.com/ctcpip> +Origin: upstream, https://github.com/pillarjs/send/commit/ae4f2989 +Bug: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg +Bug-Debian: https://bugs.debian.org/1081483 +Forwarded: not-needed +Applied-Upstream: 0.19.0, commit:ae4f2989 +Reviewed-By: Yadd <y...@debian.org> +Last-Update: 2025-04-07 + +--- a/index.js ++++ b/index.js +@@ -482,8 +482,7 @@ + } + + var loc = encodeUrl(collapseLeadingSlashes(this.path + '/')) +- var doc = createHtmlDocument('Redirecting', 'Redirecting to <a href="' + escapeHtml(loc) + '">' + +- escapeHtml(loc) + '</a>') ++ var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc)) + + // redirect + res.statusCode = 301 +--- a/test/send.js ++++ b/test/send.js +@@ -358,7 +358,7 @@ + .get('/pets') + .expect('Location', '/pets/') + .expect('Content-Type', /html/) +- .expect(301, />Redirecting to <a href="\/pets\/">\/pets\/<\/a></, done) ++ .expect(301, />Redirecting to \/pets\/</, done) + }) + + it('should respond with default Content-Security-Policy', function (done) { +@@ -386,7 +386,7 @@ + .get('/snow') + .expect('Location', '/snow%20%E2%98%83/') + .expect('Content-Type', /html/) +- .expect(301, />Redirecting to <a href="\/snow%20%E2%98%83\/">\/snow%20%E2%98%83\/<\/a></, done) ++ .expect(301, />Redirecting to \/snow%20%E2%98%83\/</, done) + }) + }) + diff --git a/debian/patches/series b/debian/patches/series index 5fe0e4c..e454667 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ disable-failing-test.patch fix-for-mime-2.patch +CVE-2024-43799.patch
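Review bot: The DEP-3 Description in debian/patches/CVE-2024-43799.patch ("fix XSS issue CVE-2024-43799") does not say what the index.js hunk at -482 actually changes, and the "[ Changes ]" summary reads as if the location no longer reaches the HTML at all. The replacement line still concatenates `escapeHtml(loc)` into the document passed to createHtmlDocument. What is removed is the `<a href="...">` wrapper, so the request-derived value is now emitted only as escaped text and no longer inside an attribute. Stating that in the Description, for example "drop the <a href> link from the 301 redirect body; the location is emitted as escaped text only", would let a later stable-update reviewer see at a glance which output context was removed and that the remaining interpolation is intentional.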
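Review bot: The two updated expectations in test/send.js (hunks at -358 and -386) are positive matches only, `/>Redirecting to \/pets\/</` and `/>Redirecting to \/snow%20%E2%98%83\/</`, so they confirm the new body text but would not fail if a link were reintroduced elsewhere in the document. Consider adding a negative assertion on the 301 body in at least one of these cases, checking that it contains no `<a ` element and no `href=`. That pins the property the fix is meant to guarantee rather than just the new wording. Both cases also use paths that need no HTML escaping, so the escapeHtml call kept in index.js is not exercised by these tests.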