
Debian Bug report logs - #985110
node-url-parse: CVE-2021-27515


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Fri, 12 Mar 2021 21:33:01 UTC

Severity: important

Tags: security, upstream

Found in version node-url-parse/1.4.7+repack-2

Fixed in version node-url-parse/1.5.1-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#985110; Package src:node-url-parse. (Fri, 12 Mar 2021 21:33:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Fri, 12 Mar 2021 21:33:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-url-parse: CVE-2021-27515
Date: Fri, 12 Mar 2021 22:28:03 +0100
Source: node-url-parse
Version: 1.4.7+repack-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-url-parse.

CVE-2021-27515[0]:
| url-parse before 1.5.0 mishandles certain uses of backslash such as
| http:\/ and interprets the URI as a relative path.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-27515
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27515
[1] https://github.com/unshiftio/url-parse/commit/d1e7e8822f26e8a49794b757123b51386325b2b0

Regards,
Salvatore



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Sat, 13 Mar 2021 08:21:07 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 13 Mar 2021 08:21:07 GMT)


Message #10 received at 985110-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 985110-close@bugs.debian.org
Subject: Bug#985110: fixed in node-url-parse 1.5.1-1
Date: Sat, 13 Mar 2021 08:19:14 +0000
Source: node-url-parse
Source-Version: 1.5.1-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-url-parse, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 985110@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-url-parse package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 13 Mar 2021 08:55:57 +0100
Source: node-url-parse
Architecture: source
Version: 1.5.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 985110
Changes:
 node-url-parse (1.5.1-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 1.5.1 (Closes: #985110, CVE-2021-27515)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 13 09:55:22 2021; Machine Name: buxtehude