Your message dated Sat, 11 Apr 2026 21:48:55 +0000
with message-id <[email protected]>
and subject line Bug#1104246: fixed in node-formidable 3.5.3+~cs11.10.5-1
has caused the Debian Bug report #1104246,
regarding node-formidable: CVE-2025-46653
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1104246: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104246
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-formidable
Version: 3.2.5+20221017git493ec88+~cs4.0.9-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for node-formidable.
CVE-2025-46653[0]:
| Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3
| relies on hexoid to prevent guessing of filenames for untrusted
| executable content; however, hexoid is documented as not
| "cryptographically secure." (Also, there is a scenario in which only
| the last two characters of a hexoid string need to be guessed, but
| this is not often relevant.) NOTE: this does not imply that, in a
| typical use case, attackers will be able to exploit any hexoid
| behavior to upload and execute their own content.
Since the upstream fix is to switch from hexoid to cuid2, I guess the
fix to backport this to older versions is too intrusive and we might
ignore it. Please comment on how you see the problem.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-46653
https://www.cve.org/CVERecord?id=CVE-2025-46653
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: node-formidable
Source-Version: 3.5.3+~cs11.10.5-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-formidable, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-formidable package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sat, 11 Apr 2026 23:22:23 +0200
Source: node-formidable
Architecture: source
Version: 3.5.3+~cs11.10.5-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers
<[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1104246
Changes:
node-formidable (3.5.3+~cs11.10.5-1) experimental; urgency=medium
.
* Team upload
.
[ lintian-brush ]
* Add missing build dependency on dh-nodejs for command dh_nodejs_autodocs.
* Set upstream metadata fields: Bug-Database, Bug-Submit, Repository-Browse.
.
[ Xavier Guimard ]
* Install docs using dh_nodejs_autodocs
* Declare compliance with policy 4.7.4
* Drop "Rules-Requires-Root: no"
* Drop "Priority: optional"
* debian/watch:
- version 5
- use tags, no more git HEAD
* Embed @paralleldrive/cuid2 @noble/hashes
* New upstream version (Closes: #1104246, CVE-2025-46653)
* Drop patch
* Update copyright
* Update build
* Update autopkgtest
Checksums-Sha1:
Checksums-Sha256:
Files:
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel