Debian Bug report logs - #1031418
node-undici: CVE-2023-23936 CVE-2023-24807

Related vulnerabilities: CVE-2023-23936, CVE-2023-24807


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 16 Feb 2023 21:45:02 UTC

Severity: important

Tags: security, upstream

Found in version node-undici/5.15.0+dfsg1+~cs20.10.9.3-1

Fixed in version node-undici/5.19.1+dfsg1+~cs20.10.9.5-1

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#1031418; Package src:node-undici. (Thu, 16 Feb 2023 21:45:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Thu, 16 Feb 2023 21:45:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-undici: CVE-2023-23936 CVE-2023-24807
Date: Thu, 16 Feb 2023 22:42:08 +0100
Source: node-undici
Version: 5.15.0+dfsg1+~cs20.10.9.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for node-undici.

CVE-2023-23936[0]:
| Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0
| and prior to version 5.19.1, the undici library does not protect
| `host` HTTP header from CRLF injection vulnerabilities. This issue is
| patched in Undici v5.19.1. As a workaround, sanitize the
| `headers.host` string before passing to undici.


CVE-2023-24807[1]:
| Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the
| `Headers.set()` and `Headers.append()` methods are vulnerable to
| Regular Expression Denial of Service (ReDoS) attacks when untrusted
| values are passed into the functions. This is due to the inefficient
| regular expression used to normalize the values in the
| `headerValueNormalize()` utility function. This vulnerability was
| patched in v5.19.1. No known workarounds are available.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-23936
    https://www.cve.org/CVERecord?id=CVE-2023-23936
[1] https://security-tracker.debian.org/tracker/CVE-2023-24807
    https://www.cve.org/CVERecord?id=CVE-2023-24807

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1031418. (Fri, 17 Feb 2023 04:27:02 GMT)


Message #8 received at 1031418-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1031418-submitter@bugs.debian.org
Subject: Bug#1031418 marked as pending in node-undici
Date: Fri, 17 Feb 2023 04:22:17 +0000
Control: tag -1 pending

Hello,

Bug #1031418 in node-undici reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-undici/-/commit/9d0716126e7000d51a1c787085da0cf3274539a2

------------------------------------------------------------------------
New upstream version (Closes: #1031418, CVE-2023-23936, CVE-2023-24807)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1031418



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 1031418-submitter@bugs.debian.org. (Fri, 17 Feb 2023 04:27:02 GMT)


Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#1031418. (Fri, 17 Feb 2023 04:27:04 GMT)


Message #13 received at 1031418-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 1031418-submitter@bugs.debian.org
Subject: Bug#1031418 marked as pending in node-undici
Date: Fri, 17 Feb 2023 04:22:19 +0000
Control: tag -1 pending

Hello,

Bug #1031418 in node-undici reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-undici/-/commit/9d0716126e7000d51a1c787085da0cf3274539a2

------------------------------------------------------------------------
New upstream version (Closes: #1031418, CVE-2023-23936, CVE-2023-24807)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1031418



Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Fri, 17 Feb 2023 04:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 17 Feb 2023 04:39:03 GMT)


Message #18 received at 1031418-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1031418-close@bugs.debian.org
Subject: Bug#1031418: fixed in node-undici 5.19.1+dfsg1+~cs20.10.9.5-1
Date: Fri, 17 Feb 2023 04:34:37 +0000
Source: node-undici
Source-Version: 5.19.1+dfsg1+~cs20.10.9.5-1
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031418@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-undici package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 17 Feb 2023 07:23:05 +0400
Source: node-undici
Built-For-Profiles: nocheck
Architecture: source
Version: 5.19.1+dfsg1+~cs20.10.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 1031418
Changes:
 node-undici (5.19.1+dfsg1+~cs20.10.9.5-1) unstable; urgency=medium
 .
   * New upstream version (Closes: #1031418, CVE-2023-23936, CVE-2023-24807)
   * Refresh patches
Checksums-Sha1: 
 0b4049595414c14f02724d04e8026e07de6dfde5 4216 node-undici_5.19.1+dfsg1+~cs20.10.9.5-1.dsc
 19a98a06d6e41dbcd590d3bff223e90bbaec971c 2764 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-binary-search.tar.xz
 8d4f831317c15a49b458ec5a603ea4369b23abfe 5890200 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llhttp.tar.xz
 6a4a2af3de8e7e878549c5a5708673c7edcda26c 27864 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse-builder.tar.xz
 8a87e42f332f499e1ef9f38ca0c349a6d3a02e9b 28832 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse-frontend.tar.xz
 cbd8d6727b164bbb46f9900e4a1f91862985732d 34384 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse.tar.xz
 bb452444cd77ceda47b31a3c2b683ba7b434522f 438964 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig.tar.xz
 e334afc7f05a1cebf27858be0581a5a1d6e20edd 30300 node-undici_5.19.1+dfsg1+~cs20.10.9.5-1.debian.tar.xz
Checksums-Sha256: 
 181f20fe6a22debe1e0b86e2abea957f2dee7927fadf485a3ae1f03e742cef1c 4216 node-undici_5.19.1+dfsg1+~cs20.10.9.5-1.dsc
 3bafc4492373fb09cb28599af5287e25be78d9b4375415eac33f3578ae4c60b1 2764 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-binary-search.tar.xz
 ab8f0fd169a7a61aa93a80ce94dbd19c60911140812090f8cc8cac70d4a068e2 5890200 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llhttp.tar.xz
 b2d842e5510304456738b84f3886876f756c11db447505e02f5e3ea72b9e90c8 27864 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse-builder.tar.xz
 b961b2f30ecab5a1a6fc8ca152020ad852fd784773e72833736f2ff90ea4a71f 28832 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse-frontend.tar.xz
 d7a8e8873a7f5d8e818cdf8d25fcab4384e9784b19672cc3f13298cc3bfa76f7 34384 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse.tar.xz
 4432b34e592ec856d7de1be911ac0a12e71ee7ce0eaee67a6eb9a69e54da0475 438964 node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig.tar.xz
 e26e1e0ef8d4cb2b6240cf54258cbd1f28c8e2b3a177be7e7ac37aaf926ea895 30300 node-undici_5.19.1+dfsg1+~cs20.10.9.5-1.debian.tar.xz
Files: 
 467311ec2eb188c3147e2741979850d2 4216 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5-1.dsc
 0113ec9cb8f5ff3aba87685a5b081c80 2764 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-binary-search.tar.xz
 eba4ec010b70b07dc83e12e96a73c89a 5890200 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llhttp.tar.xz
 da8e7db117b6d4e4d47974907b68df88 27864 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse-builder.tar.xz
 338d962e9803e5c192128ef09682f25a 28832 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse-frontend.tar.xz
 144589e216ed03f5e272b32354f713ce 34384 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig-llparse.tar.xz
 3df133df0baa37c2c494bf6be4d38b77 438964 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5.orig.tar.xz
 3f3ea57217cb4ee14916f6e6b6243f23 30300 javascript optional node-undici_5.19.1+dfsg1+~cs20.10.9.5-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Feb 17 13:06:23 2023; Machine Name: buxtehude
