Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package node-axios

Hi all,

node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very simple:

--- a/lib/adapters/http.js +++ b/lib/adapters/http.js @@ -172,6 +172,7 @@ // make sure the content length is not over the maxContentLength if specified if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) { + stream.destroy(); reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded', config, null, lastRequest)); }

Full changes:
  * Declare compliance with policy 4.3.0
  * Add upstream/metadata
  * Add patch to destroy stream on exceeding maxContentLength (Closes: #928624, CVE-2019-10742)
  * Fix debian/copyright format URL

node-axios has no reverse dependencies. I think it is low risk to upgrade node-axios in Buster.

Cheers,
Xavier

unblock node-axios/0.17.1+dfsg-2

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (900, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog index b79d090..88ae229 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +node-axios (0.17.1+dfsg-2) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.3.0 + * Add upstream/metadata + * Add patch to destroy stream on exceeding maxContentLength + (Closes: #928624, CVE-2019-10742) + * Fix debian/copyright format URL + + -- Xavier Guimard <y...@debian.org> Tue, 07 May 2019 22:59:58 +0200 + node-axios (0.17.1+dfsg-1) unstable; urgency=low * Initial release (Closes: #876067) diff --git a/debian/control b/debian/control index 808fda3..7090bf8 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Build-Depends: , node-grunt-contrib-nodeunit <!nocheck> , node-follow-redirects (>= 1.2.3) <!nocheck> , node-is-buffer (>= 1.1.5) <!nocheck> -Standards-Version: 4.2.1 +Standards-Version: 4.3.0 Homepage: https://github.com/mzabriskie/axios Vcs-Git: https://salsa.debian.org/js-team/node-axios.git Vcs-Browser: https://salsa.debian.org/js-team/node-axios diff --git a/debian/copyright b/debian/copyright index 8f366c9..7098b5e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: axios Upstream-Contact: https://github.com/mzabriskie/axios/issues Source: https://github.com/mzabriskie/axios diff --git a/debian/patches/CVE-2019-10742.diff b/debian/patches/CVE-2019-10742.diff new file mode 100644 index 0000000..3cb1a36 --- /dev/null +++ b/debian/patches/CVE-2019-10742.diff 
@@ -0,0 +1,18 @@ +Description: Destroy stream on exceeding maxContentLength +Author: Xavier Guimard <y...@debian.org> +Origin: upstream, https://github.com/axios/axios/commit/0d4fca085b9b44e110f4c5a3dd7384c31abaf756 +Bug: https://github.com/axios/axios/issues/1098 +Bug-Debian: https://bugs.debian.org/928624 +Forwarded: not-needed +Last-Update: 2019-05-07 + +--- a/lib/adapters/http.js ++++ b/lib/adapters/http.js +@@ -172,6 +172,7 @@ + + // make sure the content length is not over the maxContentLength if specified + if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) { ++ stream.destroy(); + reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded', + config, null, lastRequest)); + } diff --git a/debian/patches/series b/debian/patches/series index f9a8deb..877fd7a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ skip-unneeded-modules.patch use-webpack3.patch +CVE-2019-10742.diff diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..a885fe3 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Archive: GitHub +Bug-Database: https://github.com/mzabriskie/axios/issues +Contact: https://github.com/mzabriskie/axios/issues +Name: axios +Repository: https://github.com/mzabriskie/axios.git +Repository-Browse: https://github.com/mzabriskie/axios
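Review bot: in the lib/adapters/http.js hunk (quoted inline above and shipped as debian/patches/CVE-2019-10742.diff), the added `stream.destroy();` is the right fix for the unbounded-read problem, but note what the surrounding check still does: `Buffer.concat(responseBuffer).length > config.maxContentLength` re-concatenates every buffered chunk each time the check runs, so the cost of each evaluation grows with everything received so far, and the limit is only detected after the offending chunk is already in memory, meaning the buffer can exceed maxContentLength by up to one chunk before the stream is torn down. Keeping a running byte total (for example `received += chunk.length` and comparing that) would make the cutoff both exact and cheap; that is an upstream concern, not a blocker for this backport. Also, `stream.destroy()` without an error argument emits no 'error' event, so the following `reject(createError(...))` is the only signal the caller gets; the order used here (destroy first, then reject) is the one to keep. On the DEP-3 header of the same hunk: with `Origin: upstream, <commit>`, the `Author:` field would normally name the upstream commit author rather than the backporter, or be omitted.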
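Review bot: the `Standards-Version: 4.2.1` -> `4.3.0` bump in the debian/control hunk is unrelated to CVE-2019-10742, as are the http -> https change to the `Format:` URL in debian/copyright and the new debian/upstream/metadata file. For a freeze unblock the release team generally prefers the diff confined to the targeted fix (debian/patches/CVE-2019-10742.diff, debian/patches/series and the changelog entry); either state explicitly in the request that these three are no-op packaging changes with no effect on the built package, or drop them from the upload so the review stays on the security fix.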