Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-fresh
Hi all,
node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
a regular-expression denial of service (ReDoS) in header parsing. I imported
and adapted the upstream patch to work around this issue and enabled the
upstream tests in both the build and autopkgtest. Full changes:
* Declare compliance with policy 4.3.0
* Change section to javascript
* Change priority to optional
* Add upstream/metadata
* Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
* Fix and enable upstream test using pkg-js-tools
* Fix VCS fields
* Fix copyright format URL
Reverse dependencies:
- node-serve-favicon
- node-send -------------+
+-> node-serve-static -+
- node-express <---------+
I enabled upstream test to verify that there is no regression and tested
build and tests of node-serve-static, node-send and node-express (using
additional needed modules). I plan to upload a new node-express in
experimental with tests enabled to see autopkgtest regression if any.
Cheers,
Xavier
unblock node-fresh/0.2.0-2
diff --git a/debian/changelog b/debian/changelog
index e827b8b..6a067b4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+node-fresh (0.2.0-2) unstable; urgency=medium
+
+ * Team upload
+ * Declare compliance with policy 4.3.0
+ * Change section to javascript
+ * Change priority to optional
+ * Add upstream/metadata
+ * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
+ * Fix and enable upstream test using pkg-js-tools
+ * Fix VCS fields
+ * Fix copyright format URL
+
+ -- Xavier Guimard <y...@debian.org> Thu, 25 Apr 2019 12:23:28 +0200
+
node-fresh (0.2.0-1) unstable; urgency=low
* Initial release (Closes: #727797)
diff --git a/debian/control b/debian/control
index ebd5a5e..efddc65 100644
--- a/debian/control
+++ b/debian/control
@@ -1,16 +1,19 @@
Source: node-fresh
-Section: web
-Priority: extra
+Section: javascript
+Priority: optional
Maintainer: Debian Javascript Maintainers
<pkg-javascript-de...@lists.alioth.debian.org>
Uploaders: Jérémy Lal <kapo...@melix.org>
+Testsuite: autopkgtest-pkg-nodejs
Build-Depends:
debhelper (>= 8.0.0)
, dh-buildinfo
+ , mocha
, nodejs
-Standards-Version: 3.9.4
+ , pkg-js-tools
+Standards-Version: 4.3.0
+Vcs-Browser: https://salsa.debian.org/js-team/node-fresh
+Vcs-Git: https://salsa.debian.org/js-team/node-fresh.git
Homepage: https://github.com/visionmedia/node-fresh
-Vcs-Git: git://anonscm.debian.org/collab-maint/node-fresh.git
-Vcs-Browser: http://anonscm.debian.org/gitweb/?p=collab-maint/node-fresh.git
Package: node-fresh
Architecture: all
@@ -23,4 +26,3 @@ Description: Check client cache staleness using HTTP headers
- Node.js module
determine if the client requesting the resource has a stale or fresh cache.
.
Node.js is an event-based server-side javascript engine.
-
diff --git a/debian/copyright b/debian/copyright
index 0c7fd09..af7dcf0 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -1,4 +1,4 @@
-Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: fresh
Files: *
@@ -25,4 +25,3 @@ License: Expat
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
-
diff --git a/debian/patches/CVE-2017-16119.diff
b/debian/patches/CVE-2017-16119.diff
new file mode 100644
index 0000000..6461542
--- /dev/null
+++ b/debian/patches/CVE-2017-16119.diff
@@ -0,0 +1,85 @@
+Description: Fix for CVE-2017-16119
+Author: Xavier Guimard <y...@debian.org>
+Origin: upstream,
https://github.com/jshttp/fresh/commit/21a0f0c2a5f447e0d40bc16be0c23fa98a7b46ec
+Bug: https://www.npmjs.com/advisories/526
+Bug-Debian: https://bugs.debian.org/927715
+Forwarded: not-needed
+Last-Update: 2019-04-25
+
+--- a/index.js
++++ b/index.js
+@@ -36,11 +36,27 @@
+ // check for no-cache cache request directive
+ if (cc && cc.indexOf('no-cache') !== -1) return false;
+
+- // parse if-none-match
+- if (noneMatch) noneMatch = noneMatch.split(/ *, */);
++ // parse if-none-match and etag
++ if (noneMatch && noneMatch !== '*') {
+
+- // if-none-match
+- if (noneMatch) etagMatches = ~noneMatch.indexOf(etag) || '*' ==
noneMatch[0];
++ if (!etag) {
++ return false
++ }
++
++ var etagStale = true
++ var matches = parseTokenList(noneMatch)
++ for (var i = 0; i < matches.length; i++) {
++ var match = matches[i]
++ if (match === etag || match === 'W/' + etag || 'W/' + match === etag) {
++ etagStale = false
++ break
++ }
++ }
++
++ if (etagStale) {
++ return false
++ }
++ }
+
+ // if-modified-since
+ if (modifiedSince) {
+@@ -50,4 +66,40 @@
+ }
+
+ return !! (etagMatches && notModified);
+-}
+\ No newline at end of file
++}
++
++/**
++ * Parse a HTTP token list.
++ *
++ * @param {string} str
++ * @private
++ */
++
++function parseTokenList (str) {
++ var end = 0
++ var list = []
++ var start = 0
++
++ // gather tokens
++ for (var i = 0, len = str.length; i < len; i++) {
++ switch (str.charCodeAt(i)) {
++ case 0x20: /* */
++ if (start === end) {
++ start = end = i + 1
++ }
++ break
++ case 0x2c: /* , */
++ list.push(str.substring(start, end))
++ start = end = i + 1
++ break
++ default:
++ end = i + 1
++ break
++ }
++ }
++
++ // final token
++ list.push(str.substring(start, end))
++
++ return list
++}
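Review bot: After this change `etagMatches` is never reassigned inside the hunk — the removed `etagMatches = ~noneMatch.indexOf(etag) || ...` line was its only assignment — so the surviving `return !! (etagMatches && notModified);` now depends solely on the variable's initial value, which is set above line 36 outside the hunk (presumably the `true` default of 0.2.0; worth confirming). That leaves a dead variable on the security-relevant path; either simplify to `return !!notModified;` or add `// etag mismatches return early above; etagMatches now only carries its default` so the next reader does not hunt for the missing assignment. The linear `parseTokenList` scan is the actual fix — it replaces the `split(/ *, */)` regex whose backtracking on a long If-None-Match value is the CVE-2017-16119 vector — and it matches the upstream commit named in the Origin field. Since only the etag branch is taken from the upstream rewrite, a DEP-3 line such as `Comment: partial backport; If-Modified-Since handling left as in 0.2.0` would save the next updater from re-diffing against upstream. The enclosing `fresh` function begins before the hunk.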
diff --git a/debian/patches/fix-tests.diff b/debian/patches/fix-tests.diff
new file mode 100644
index 0000000..4a7bbb6
--- /dev/null
+++ b/debian/patches/fix-tests.diff
@@ -0,0 +1,147 @@
+Description: Fix tests
+Author: Xavier Guimard <y...@debian.org>
+Forwarded: not-needed
+Last-Update: 2019-04-25
+
+--- a/test/fresh.js
++++ b/test/fresh.js
+@@ -1,12 +1,13 @@
+
+ var fresh = require('..');
++var assert = require('assert');
+
+ describe('fresh(reqHeader, resHeader)', function(){
+ describe('when a non-conditional GET is performed', function(){
+ it('should be stale', function(){
+ var req = {};
+ var res = {};
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+
+@@ -15,7 +16,7 @@
+ it('should be fresh', function(){
+ var req = { 'if-none-match': 'tobi' };
+ var res = { 'etag': 'tobi' };
+- fresh(req, res).should.be.true;
++ assert.equal(fresh(req, res),true);
+ })
+ })
+
+@@ -23,7 +24,7 @@
+ it('should be stale', function(){
+ var req = { 'if-none-match': 'tobi' };
+ var res = { 'etag': 'luna' };
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+
+@@ -31,7 +32,7 @@
+ it('should be stale', function(){
+ var req = { 'if-none-match': 'tobi' };
+ var res = {};
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+
+@@ -39,7 +40,7 @@
+ it('should be fresh', function(){
+ var req = { 'if-none-match': '*' };
+ var res = { 'etag': 'hey' };
+- fresh(req, res).should.be.true;
++ assert.equal(fresh(req, res),true);
+ })
+ })
+ })
+@@ -50,7 +51,7 @@
+ var now = new Date;
+ var req = { 'if-modified-since': new Date(now - 4000).toUTCString() };
+ var res = { 'last-modified': new Date(now - 2000).toUTCString() };
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+
+@@ -59,7 +60,7 @@
+ var now = new Date;
+ var req = { 'if-modified-since': new Date(now - 2000).toUTCString() };
+ var res = { 'last-modified': new Date(now - 4000).toUTCString() };
+- fresh(req, res).should.be.true;
++ assert.equal(fresh(req, res),true);
+ })
+ })
+
+@@ -67,7 +68,7 @@
+ it('should be stale', function(){
+ var req = { 'if-none-match': new Date().toUTCString() };
+ var res = {};
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+
+@@ -75,7 +76,7 @@
+ it('should be stale', function(){
+ var req = { 'if-none-match': 'foo' };
+ var res = {};
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+
+@@ -83,7 +84,7 @@
+ it('should be stale', function(){
+ var req = { 'if-none-match': new Date().toUTCString() };
+ var res = { 'modified-since': 'foo' };
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+ })
+@@ -94,7 +95,7 @@
+ var now = new Date;
+ var req = { 'if-none-match': 'tobi', 'if-modified-since': new
Date(now - 2000).toUTCString() };
+ var res = { 'etag': 'tobi', 'last-modified': new Date(now -
4000).toUTCString() };
+- fresh(req, res).should.be.true;
++ assert.equal(fresh(req, res),true);
+ })
+ })
+
+@@ -103,12 +104,12 @@
+ var now = new Date;
+ var req = { 'if-none-match': 'tobi', 'if-modified-since': new
Date(now - 4000).toUTCString() };
+ var res = { 'etag': 'tobi', 'last-modified': new Date(now -
2000).toUTCString() };
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+
+ var now = new Date;
+ var req = { 'if-none-match': 'tobi', 'if-modified-since': new
Date(now - 2000).toUTCString() };
+ var res = { 'etag': 'luna', 'last-modified': new Date(now -
4000).toUTCString() };
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+
+@@ -117,7 +118,7 @@
+ var now = new Date;
+ var req = { 'if-none-match': 'tobi', 'if-modified-since': new
Date(now - 4000).toUTCString() };
+ var res = { 'etag': 'luna', 'last-modified': new Date(now -
2000).toUTCString() };
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+ })
+@@ -126,7 +127,7 @@
+ it('should be stale', function(){
+ var req = { 'cache-control' : ' no-cache' };
+ var res = {};
+- fresh(req, res).should.be.false;
++ assert.equal(fresh(req, res),false);
+ })
+ })
+-})
+\ No newline at end of file
++})
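Review bot: `assert.equal` is the loose `==` comparison, so `assert.equal(fresh(req, res),false)` also passes for `0`, `''`, `null` or `undefined`, which is weaker than the `should.be.false` it replaces; `assert.strictEqual(fresh(req, res), false)` (and `true` for the positive cases) keeps the original strength, and the same applies to every replaced assertion in this hunk. The swap also drops the space after the comma in each call, so `assert.equal(fresh(req, res), false)` would match the surrounding style. Because this patch is what re-enables the suite guarding the CVE-2017-16119 fix, consider adding one case with a long, separator-heavy `if-none-match` value and a non-matching `etag`, asserting the call returns false well within the mocha timeout — that is the regression the fix exists to prevent, and none of the enabled tests exercise it. The outer `describe` wrapper enclosing these `it` blocks starts before the first hunk.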
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..33b1987
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+CVE-2017-16119.diff
+fix-tests.diff
diff --git a/debian/rules b/debian/rules
index d1fde4f..8b30b10 100755
--- a/debian/rules
+++ b/debian/rules
@@ -5,8 +5,6 @@
#export DH_VERBOSE=1
%:
- dh $@
+ dh $@ --with nodejs
override_dh_auto_build:
-override_dh_auto_test:
-
diff --git a/debian/tests/pkg-js/test b/debian/tests/pkg-js/test
new file mode 100644
index 0000000..2b1fda9
--- /dev/null
+++ b/debian/tests/pkg-js/test
@@ -0,0 +1 @@
+mocha --timeout 10000 test
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 0000000..0e09ab2
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,7 @@
+---
+Archive: GitHub
+Bug-Database: https://github.com/visionmedia/node-fresh/issues
+Contact: https://github.com/visionmedia/node-fresh/issues
+Name: node-fresh
+Repository: https://github.com/visionmedia/node-fresh.git
+Repository-Browse: https://github.com/visionmedia/node-fresh