node-serve-static: CVE-2015-1164

Related Vulnerabilities: CVE-2015-1164  

Debian Bug report logs - #775843
node-serve-static: CVE-2015-1164


Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Tue, 20 Jan 2015 16:30:01 UTC

Severity: grave

Tags: security

Found in version node-serve-static/1.6.4-1

Fixed in version node-serve-static/1.6.4-2

Done: Jérémy Lal <kapouer@melix.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#775843; Package node-serve-static. (Tue, 20 Jan 2015 16:30:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 20 Jan 2015 16:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-serve-static: CVE-2015-1164
Date: Tue, 20 Jan 2015 17:22:53 +0100
Package: node-serve-static
Severity: grave
Tags: security
Justification: user security hole

Hi,
please see https://nodesecurity.io/advisories/serve-static-open-redirect

Cheers,
        Moritz



Marked as found in versions node-serve-static/1.6.4-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Jan 2015 17:15:10 GMT)


Added tag(s) pending. Request was from Jérémy Lal <kapouer@melix.org> to control@bugs.debian.org. (Sat, 31 Jan 2015 11:15:04 GMT)


Reply sent to Jérémy Lal <kapouer@melix.org>:
You have taken responsibility. (Thu, 19 Feb 2015 12:21:18 GMT)


Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Thu, 19 Feb 2015 12:21:18 GMT)


Message #14 received at 775843-close@bugs.debian.org:

From: Jérémy Lal <kapouer@melix.org>
To: 775843-close@bugs.debian.org
Subject: Bug#775843: fixed in node-serve-static 1.6.4-2
Date: Thu, 19 Feb 2015 12:19:09 +0000
Source: node-serve-static
Source-Version: 1.6.4-2

We believe that the bug you reported is fixed in the latest version of
node-serve-static, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 775843@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapouer@melix.org> (supplier of updated node-serve-static package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 Feb 2015 00:00:03 +0100
Source: node-serve-static
Binary: node-serve-static
Architecture: source all
Version: 1.6.4-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapouer@melix.org>
Description:
 node-serve-static - static files server module for Node.js
Closes: 775843
Changes:
 node-serve-static (1.6.4-2) unstable; urgency=medium
 .
   * Team upload.
   * Upstream patch fixing CVE-2015-1164 (Closes: #775843).




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 Mar 2015 07:28:18 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:07:19 2019; Machine Name: buxtehude
