Your message dated Wed, 08 May 2019 05:17:00 +0000 with message-id <1c41e028-12a1-d09f-5a5e-aabb00d3b...@thykier.net> and subject line Re: Bug#928626: unblock: node-axios/0.17.1+dfsg-2 has caused the Debian Bug report #928626, regarding unblock: node-axios/0.17.1+dfsg-2 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 928626: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928626 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock Please unblock package node-axios Hi all, node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very simple: --- a/lib/adapters/http.js +++ b/lib/adapters/http.js @@ -172,6 +172,7 @@ // make sure the content length is not over the maxContentLength if specified if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) { + stream.destroy(); reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded', config, null, lastRequest)); } Full changes: * Declare compliance with policy 4.3.0 * Add upstream/metadata * Add patch to destroy stream on exceeding maxContentLength (Closes: #928624, CVE-2019-10742) * Fix debian/copyright format URL node-axios has no reverse dependencies. I think it is low risky to upgrade node-axios in Buster. Cheers, Xavier unblock node-axios/0.17.1+dfsg-2 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (900, 'testing'), (500, 'unstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-4-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enableddiff --git a/debian/changelog b/debian/changelog index b79d090..88ae229 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,14 @@ +node-axios (0.17.1+dfsg-2) unstable; urgency=medium + + * Team upload + * Declare compliance with policy 4.3.0 + * Add upstream/metadata + * Add patch to destroy stream on exceeding maxContentLength + (Closes: #928624, CVE-2019-10742) + * Fix debian/copyright format URL + + -- Xavier Guimard <y...@debian.org> Tue, 07 May 2019 22:59:58 +0200 + node-axios (0.17.1+dfsg-1) unstable; urgency=low * Initial release (Closes: #876067) diff --git a/debian/control b/debian/control index 808fda3..7090bf8 100644 --- a/debian/control +++ b/debian/control @@ -14,7 +14,7 @@ Build-Depends: , node-grunt-contrib-nodeunit <!nocheck> , node-follow-redirects (>= 1.2.3) <!nocheck> , node-is-buffer (>= 1.1.5) <!nocheck> -Standards-Version: 4.2.1 +Standards-Version: 4.3.0 Homepage: https://github.com/mzabriskie/axios Vcs-Git: https://salsa.debian.org/js-team/node-axios.git Vcs-Browser: https://salsa.debian.org/js-team/node-axios diff --git a/debian/copyright b/debian/copyright index 8f366c9..7098b5e 100644 --- a/debian/copyright +++ b/debian/copyright @@ -1,4 +1,4 @@ -Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-Name: axios Upstream-Contact: https://github.com/mzabriskie/axios/issues Source: https://github.com/mzabriskie/axios diff --git a/debian/patches/CVE-2019-10742.diff b/debian/patches/CVE-2019-10742.diff new file mode 100644 index 0000000..3cb1a36 --- /dev/null +++ b/debian/patches/CVE-2019-10742.diff @@ -0,0 +1,18 @@ +Description: Destroy stream on exceeding maxContentLength +Author: Xavier Guimard <y...@debian.org> +Origin: upstream, https://github.com/axios/axios/commit/0d4fca085b9b44e110f4c5a3dd7384c31abaf756 +Bug: https://github.com/axios/axios/issues/1098 +Bug-Debian: https://bugs.debian.org/928624 +Forwarded: not-needed +Last-Update: 2019-05-07 + +--- a/lib/adapters/http.js ++++ b/lib/adapters/http.js +@@ -172,6 +172,7 @@ + + // make sure the content length is not over the maxContentLength if specified + if (config.maxContentLength > -1 && Buffer.concat(responseBuffer).length > config.maxContentLength) { ++ stream.destroy(); + reject(createError('maxContentLength size of ' + config.maxContentLength + ' exceeded', + config, null, lastRequest)); + } diff --git a/debian/patches/series b/debian/patches/series index f9a8deb..877fd7a 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,2 +1,3 @@ skip-unneeded-modules.patch use-webpack3.patch +CVE-2019-10742.diff diff --git a/debian/upstream/metadata b/debian/upstream/metadata new file mode 100644 index 0000000..a885fe3 --- /dev/null +++ b/debian/upstream/metadata @@ -0,0 +1,7 @@ +--- +Archive: GitHub +Bug-Database: https://github.com/mzabriskie/axios/issues +Contact: https://github.com/mzabriskie/axios/issues +Name: axios +Repository: https://github.com/mzabriskie/axios.git +Repository-Browse: https://github.com/mzabriskie/axios
--- End Message ---
--- Begin Message ---Xavier Guimard: > Package: release.debian.org > Severity: normal > User: release.debian....@packages.debian.org > Usertags: unblock > > Please unblock package node-axios > > Hi all, > > node-axios is vulnerable to CVE-2019-10742 (#928624). The fix is very > simple: > [...] > > node-axios has no reverse dependencies. > > I think it is low risky to upgrade node-axios in Buster. > > Cheers, > Xavier > > unblock node-axios/0.17.1+dfsg-2 > > [...] Unblocked, thanks. ~Niels
--- End Message ---
