Debian Bug report logs - #928624
node-axios: CVE-2019-10742
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>: Bug#928624; Package src:node-axios. (Tue, 07 May 2019 20:51:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Tue, 07 May 2019 20:51:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: node-axios
Version: 0.17.1+dfsg-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/axios/axios/issues/1098
Hi,
The following vulnerability was published for node-axios.
CVE-2019-10742[0]:
| Axios up to and including 0.18.0 allows attackers to cause a denial of
| service (application crash) by continuing to accept content after
| maxContentLength is exceeded.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-10742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10742
[1] https://github.com/axios/axios/issues/1098
Regards,
Salvatore
Message sent on to Salvatore Bonaccorso <carnil@debian.org>: Bug#928624. (Tue, 07 May 2019 21:09:03 GMT)
Message #8 received at 928624-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #928624 in node-axios reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/js-team/node-axios/commit/9d57cce23335862309d0341d9e0a2a1b204b7adc
------------------------------------------------------------------------
Add patch to destroy stream on exceeding maxContentLength (Closes: #928624, CVE-2019-10742)
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/928624
Added tag(s) pending. Request was from Xavier Guimard <noreply@salsa.debian.org> to 928624-submitter@bugs.debian.org. (Tue, 07 May 2019 21:09:03 GMT)
Reply sent to Xavier Guimard <yadd@debian.org>: You have taken responsibility. (Tue, 07 May 2019 21:21:04 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Tue, 07 May 2019 21:21:04 GMT)
Message #15 received at 928624-close@bugs.debian.org:
Source: node-axios
Source-Version: 0.17.1+dfsg-2
We believe that the bug you reported is fixed in the latest version of
node-axios, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928624@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <yadd@debian.org> (supplier of updated node-axios package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 07 May 2019 22:59:58 +0200
Source: node-axios
Architecture: source
Version: 0.17.1+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Xavier Guimard <yadd@debian.org>
Closes: 928624
Changes:
node-axios (0.17.1+dfsg-2) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.3.0
* Add upstream/metadata
* Add patch to destroy stream on exceeding maxContentLength
(Closes: #928624, CVE-2019-10742)
* Fix debian/copyright format URL
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 07 Jun 2019 07:27:23 GMT)
Last modified: Wed Jun 19 14:26:39 2019