CVE-2021-33502

Related Vulnerabilities: CVE-2021-33502  

Debian Bug report logs - #989258
CVE-2021-33502


Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Sun, 30 May 2021 16:06:01 UTC

Severity: important

Tags: security

Fixed in version node-got/11.8.1+~cs53.13.17-3

Done: Yadd <yadd@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>:
Bug#989258; Package node-got. (Sun, 30 May 2021 16:06:03 GMT).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>. (Sun, 30 May 2021 16:06:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2021-33502
Date: Sun, 30 May 2021 18:03:17 +0200
Package: node-got
Severity: important
Tags: security
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

node-got bundles a copy of normalize-url, which is affected by CVE-2021-33502:
https://github.com/sindresorhus/normalize-url/releases/tag/v6.0.1

Patch:
https://github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103

Cheers,
	 Moritz



Message sent on to Moritz Muehlenhoff <jmm@debian.org>:
Bug#989258. (Mon, 31 May 2021 10:06:03 GMT).


Message #8 received at 989258-submitter@bugs.debian.org:

From: Yadd <noreply@salsa.debian.org>
To: 989258-submitter@bugs.debian.org
Subject: Bug#989258 marked as pending in node-got
Date: Mon, 31 May 2021 10:01:59 +0000
Control: tag -1 pending

Hello,

Bug #989258 in node-got reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/js-team/node-got/-/commit/ba29d01c7b5ede9400f1448621ba6cee3bf8b69a

------------------------------------------------------------------------
Fix ReDoS (Closes: #989258, CVE-2021-33502)
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/989258



Added tag(s) pending. Request was from Yadd <noreply@salsa.debian.org> to 989258-submitter@bugs.debian.org. (Mon, 31 May 2021 10:06:03 GMT).


Reply sent to Yadd <yadd@debian.org>:
You have taken responsibility. (Mon, 31 May 2021 10:21:03 GMT).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Mon, 31 May 2021 10:21:04 GMT).


Message #15 received at 989258-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 989258-close@bugs.debian.org
Subject: Bug#989258: fixed in node-got 11.8.1+~cs53.13.17-3
Date: Mon, 31 May 2021 10:18:31 +0000
Source: node-got
Source-Version: 11.8.1+~cs53.13.17-3
Done: Yadd <yadd@debian.org>

We believe that the bug you reported is fixed in the latest version of
node-got, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 989258@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <yadd@debian.org> (supplier of updated node-got package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 31 May 2021 11:57:23 +0200
Source: node-got
Architecture: source
Version: 11.8.1+~cs53.13.17-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Yadd <yadd@debian.org>
Closes: 989258
Changes:
 node-got (11.8.1+~cs53.13.17-3) unstable; urgency=medium
 .
   * Team upload
   * Fix ReDoS (Closes: #989258, CVE-2021-33502)






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon May 31 12:44:56 2021; Machine Name: buxtehude
