Bug#1129093: marked as done (node-proxy-agents: CVE-2026-27699)

Debian Bug Tracking System Thu, 26 Feb 2026 23:07:16 -0800

Your message dated Fri, 27 Feb 2026 07:04:07 +0000
with message-id <[email protected]>
and subject line Bug#1129093: fixed in node-proxy-agents 
0~2025070717+~cs15.2.7-1
has caused the Debian Bug report #1129093,
regarding node-proxy-agents: CVE-2026-27699
to be marked as done.


This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1129093: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1129093
Debian Bug Tracking System
Contact [email protected] with problems

--- Begin Message ---

Source: node-proxy-agents
Version: 0~2025070717-6
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-proxy-agents.

CVE-2026-27699[0]:
| The `basic-ftp` FTP client library for Node.js contains a path
| traversal vulnerability (CWE-22) in versions prior to 5.2.0 in the
| `downloadToDir()` method. A malicious FTP server can send directory
| listings with filenames containing path traversal sequences (`../`)
| that cause files to be written outside the intended download
| directory. Version 5.2.0 patches the issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27699
    https://www.cve.org/CVERecord?id=CVE-2026-27699
[1] 
https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
[2] 
https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e6514357b9eda07c2f8afbd3f04727a7cd9

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---

--- Begin Message ---

Source: node-proxy-agents
Source-Version: 0~2025070717+~cs15.2.7-1
Done: Yadd <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-proxy-agents, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yadd <[email protected]> (supplier of updated node-proxy-agents package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 27 Feb 2026 07:34:44 +0100
Source: node-proxy-agents
Architecture: source
Version: 0~2025070717+~cs15.2.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers 
<[email protected]>
Changed-By: Yadd <[email protected]>
Closes: 1129093
Changes:
 node-proxy-agents (0~2025070717+~cs15.2.7-1) unstable; urgency=medium
 .
   * Declare compliance with policy 4.7.3
   * debian/watch: checksum
   * New upstream version 0~2025070717+~cs15.2.7
     (Closes: #1129093, CVE-2026-27699)
Checksums-Sha1: 
 d8d1f724120da0c94b9e44b964a6a951abd1255d 4487 
node-proxy-agents_0~2025070717+~cs15.2.7-1.dsc
 7d35204244f0477cba2be82bc20b5373638473af 58360 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-args.tar.xz
 9245f8876e9b8d634a8151cb7a5f213a61b135f0 60332 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-basic-ftp.tar.xz
 45f6d4e3467ceeadc2938cc272dd3a533d46dc2b 1948 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-types-args.tar.xz
 2b361627ea55f5e78e13034fc6b171a01298ee27 208396 
node-proxy-agents_0~2025070717+~cs15.2.7.orig.tar.xz
 baab57f04714b40344c2202ff07dd400bc91b6fe 48388 
node-proxy-agents_0~2025070717+~cs15.2.7-1.debian.tar.xz
Checksums-Sha256: 
 95c4198023df146a9d548ede0f734fec70c91e30d8949466eebd54d07d857032 4487 
node-proxy-agents_0~2025070717+~cs15.2.7-1.dsc
 a6e8d2f8ae740b299b66071251575bd4e69af91ff5ddf32fe323b83e16a8fb77 58360 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-args.tar.xz
 fac4126512bc4446ea15622413d2b9878b74de941bec6d8b7fd06f94f852734f 60332 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-basic-ftp.tar.xz
 86b7beed4803048ff50732536dc4d6283b13120c617cbd3dd5831e004d8cce34 1948 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-types-args.tar.xz
 ec93ca1ce8d64d056f05fefa76ca9a4d1fc12575cb28dc4ba2123d91b242ff92 208396 
node-proxy-agents_0~2025070717+~cs15.2.7.orig.tar.xz
 596518f23d4f4c9bb0b8551b9810b8f025ec169cd3884e22d938f49d199e34e0 48388 
node-proxy-agents_0~2025070717+~cs15.2.7-1.debian.tar.xz
Files: 
 7cff3b5d654748c0010ef813a051bce8 4487 javascript optional 
node-proxy-agents_0~2025070717+~cs15.2.7-1.dsc
 c93c1f90ee4d496ee08324f96f93ace8 58360 javascript optional 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-args.tar.xz
 c4ecd3142f7885a7f66f958a21398488 60332 javascript optional 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-basic-ftp.tar.xz
 8e0052d60d18d531dddb3eb1d0e2479c 1948 javascript optional 
node-proxy-agents_0~2025070717+~cs15.2.7.orig-types-args.tar.xz
 e8642b6014de7e6afc920112cc8aeabe 208396 javascript optional 
node-proxy-agents_0~2025070717+~cs15.2.7.orig.tar.xz
 a4f949257af699d807526be4c16adfd1 48388 javascript optional 
node-proxy-agents_0~2025070717+~cs15.2.7-1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmmhPNoACgkQ9tdMp8mZ
7ukRIQ//a2F+KJ8U1AdrBHRJfCc5gWNytWJ3nwGHQiLMLmOU4xVf1jRZx+R0xeRj
BW0hrygMYy50KtsobECH3VjsHR0N614y5FL9MUn484YfTPp8lH3Sv8niZirEfMdg
+51CJY7SK3OpTBlO0sIG8kzq68pfyyDp/ROLvylPJGAX90DKz4VSx/EUr5N2msJs
IzCqP1pWmYbZnSwsyj/7/joNjOQrSvNd1hSEBLVsnrTd1eMJ0eSIDlycCqzfBuHG
1mUateXjO7sf0V79IcYGr2kgeq7JqDuqVuQLN+BTw/3NB/gZZre2l+X1sTVD2nnp
W8j8rKwvFMMjfZOm09GnvuRH/j09SgOchlmrJzIrCGgs706AyiS4zv59uCoQlWkw
P5f08jIXJHtj186HWrGrXpcoY1xKmXn5jcMNbEPwQfPCVjMvPteFEKmfXLAVvAY+
V5TiepzW1egTJ379vWjAqERmezHkbZtyuzhcz8UCRFtU7u3YRNrxK9ksX8wJj+BS
EbkhZpjxDaS9j8gM/jtmE45luHNPU6Tu267RbxQh+2wEMTJuuNDp30tCL3dF0ums
+VHNY8VaSHnawIEa2gwbbWIzCZy2ZIS13GPDmlQ+KqHiXumk3pzcDhjEl3od0kNk
N44i3z6nfNe6UDSOEsdpmvMXD8PzhvZdipw1+3ivkeqt4Tu33/g=
=XcEC
-----END PGP SIGNATURE-----

pgpRmyEv0eewU.pgp
Description: PGP signature

--- End Message ---

Bug#1129093: marked as done (node-proxy-agents: CVE-2026-27699)

Reply via email to