node-connect: methodOverride middleware reflected cross-site scripting (CVE-2013-7370 CVE-2013-7371)

Related Vulnerabilities: CVE-2013-7370   CVE-2013-7371  

Debian Bug report logs - #744374


Reported by: Paul Wise <pabs@debian.org>

Date: Sun, 13 Apr 2014 13:30:02 UTC

Severity: serious

Tags: fixed-upstream, security

Fixed in version node-connect/3.0.0-1

Done: Leo Iannacone <l3on@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#744374; Package node-connect. (Sun, 13 Apr 2014 13:30:06 GMT)


Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 13 Apr 2014 13:30:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-connect: methodOverride middleware reflected cross-site scripting
Date: Sun, 13 Apr 2014 21:27:24 +0800
Package: node-connect
Severity: serious
Tags: security fixed-upstream

The Node Security Project discovered an XSS vulnerability in the node
connect module; please fix this bug by upgrading node-connect.

Vulnerable: <=2.8.0
Patched: >=2.8.1
Report: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Upstream bug report: https://github.com/senchalabs/connect/issues/831
First fix: https://github.com/senchalabs/connect/commit/277e5aad6a95d00f55571a9a0e11f2fa190d8135
Second fix: https://github.com/senchalabs/connect/commit/126187c4e12162e231b87350740045e5bb06e93a

-- 
bye,
pabs

http://wiki.debian.org/PaulWise
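The report above names the affected middleware and the fixed versions but does not show code. The following is an added example, written for this bug log and not taken from Connect or from the report, of the defensive pattern that closes a reflected XSS of this shape: accept an override only from an allowlist of known HTTP methods, and HTML-escape anything that is reflected into a "Cannot METHOD url" 404 body. The reflection path through a default 404 page, the allowlist, and the `methodOverride`/`notFoundBody` helper names are assumptions, not facts from the page.

```javascript
// Added example (not Connect's code). Assumption: the unsafe path is an
// override middleware that sets req.method from untrusted input, followed by
// a default 404 handler that writes req.method into an HTML body unescaped.

// Allowlist of methods an override may select (assumed set, not from the page).
const ALLOWED_METHODS = new Set(['GET', 'HEAD', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS']);

// Minimal HTML escaping for text placed inside an HTML body.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Resolve an override from the X-HTTP-Method-Override header or a `_method`
// body field. Only an allowlisted method replaces req.method; anything else
// is rejected and the original method is kept, so no attacker-controlled
// string ever becomes req.method. The rejected value is never echoed.
function methodOverride(req, key = '_method') {
  req.originalMethod = req.originalMethod || req.method;
  let candidate;
  if (req.body && typeof req.body === 'object' && key in req.body) {
    candidate = String(req.body[key]);
    delete req.body[key];
  }
  if (req.headers && req.headers['x-http-method-override']) {
    candidate = String(req.headers['x-http-method-override']);
  }
  if (candidate === undefined) return { overridden: false, rejected: false };
  const upper = candidate.toUpperCase();
  if (!ALLOWED_METHODS.has(upper)) return { overridden: false, rejected: true };
  req.method = upper;
  return { overridden: true, rejected: false };
}

// Default 404 body: both method and URL are escaped before reaching the page,
// so the response stays safe even if some other code sets req.method.
function notFoundBody(req) {
  return 'Cannot ' + escapeHtml(req.method) + ' ' + escapeHtml(req.url);
}

// Constructed sample request: a POST whose _method field is not an HTTP method.
function demo() {
  const req = { method: 'POST', url: '/items', headers: {}, body: { _method: '<b>not-a-method</b>' } };
  const result = methodOverride(req);
  return { method: req.method, rejected: result.rejected, body: notFoundBody(req) };
}
```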

Changed Bug title to 'node-connect: methodOverride middleware reflected cross-site scripting (CVE-2013-7370 CVE-2013-7371)' from 'node-connect: methodOverride middleware reflected cross-site scripting' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 22 Apr 2014 04:57:05 GMT)


Reply sent to Leo Iannacone <l3on@ubuntu.com>:
You have taken responsibility. (Tue, 17 Jun 2014 21:57:12 GMT)


Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Tue, 17 Jun 2014 21:57:12 GMT)


Message #12 received at 744374-close@bugs.debian.org:

From: Leo Iannacone <l3on@ubuntu.com>
To: 744374-close@bugs.debian.org
Subject: Bug#744374: fixed in node-connect 3.0.0-1
Date: Tue, 17 Jun 2014 21:54:27 +0000
Source: node-connect
Source-Version: 3.0.0-1

We believe that the bug you reported is fixed in the latest version of
node-connect, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 744374@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Leo Iannacone <l3on@ubuntu.com> (supplier of updated node-connect package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 17 Jun 2014 21:47:22 +0200
Source: node-connect
Binary: node-connect
Architecture: source all
Version: 3.0.0-1
Distribution: unstable
Urgency: low
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Leo Iannacone <l3on@ubuntu.com>
Description:
 node-connect - extensible HTTP server framework - Node.js module
Closes: 744374
Changes:
 node-connect (3.0.0-1) unstable; urgency=low
 .
   * New upstream release (closes: #744374)
   * debian/watch: update to check github repository
   * debian/copyright:
     + replace MIT license name with Expat
     + set copyright-format 1.0
     + add Upstream-Contact field
     + add Source field
   * debian/control:
     + update dependencies according with package.json
     + add nodejs as Build-Depends, avoids availability on platforms
       nodejs isn't built
     + add binary dependencies, mocha, node-should and node-supertest
       as Build-Depends - required for running tests
     + bump Standards-Version 3.9.5
     + update package description
     + update VCS-* urls to be under pkg-javascript in alioth
   * debian/install:
     + do not change module path tree - install whole lib/ directory
     + install index.js and package.json
   * debian/links: no longer needed - remove
   * debian/docs: install Readme.md as doc
   * debian/rules:
     + install History.md as upstream changelog
     + remove override_dh_autoinstall - no longer needed
     + enable tests
   * debian/patches: deleted, no longer needed
   * debian/NEWS: add NEWS file documenting why middlewares are no longer
     included in Connect.


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 26 Jul 2014 07:30:42 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:26:47 2019; Machine Name: buxtehude
