Your message dated Fri, 24 Apr 2026 11:49:39 +0000
with message-id <[email protected]>
and subject line Bug#1134730: fixed in node-proxy-agents 0~2025070717+~cs15.3.7-1
has caused the Debian Bug report #1134730,
regarding node-proxy-agents: CVE-2026-39983
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1134730: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134730
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-proxy-agents
Version: 0~2025070717+~cs15.2.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-proxy-agents.

CVE-2026-39983[0]:
| basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp
| allows FTP command injection via CRLF sequences (\r\n) in file path
| parameters passed to high-level path APIs such as cd(), remove(),
| rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The
| library's protectWhitespace() helper only handles leading spaces and
| returns other paths unchanged, while FtpContext.send() writes the
| resulting command string directly to the control socket with \r\n
| appended. This lets attacker-controlled path strings split one
| intended FTP command into multiple commands. This vulnerability is
| fixed in 5.2.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39983
    https://www.cve.org/CVERecord?id=CVE-2026-39983
[1] https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-chqc-8p9q-pq6q
[2] https://github.com/patrickjuchli/basic-ftp/commit/2ecc8e2c500c5234115f06fd1dbde1aa03d70f4b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
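
An added illustration of the CRLF command splitting described in the CVE text above. It is not part of either message and is not basic-ftp's code: the functions are a simplified, hypothetical model of the described behaviour, the sample paths are constructed, and the validation policy is an assumption rather than the upstream 5.2.1 fix.

```javascript
// Simplified model of the behaviour described in CVE-2026-39983.
// All function names are hypothetical; this is not basic-ftp's source.

// Model of a helper that only deals with leading spaces and returns
// every other path unchanged, so embedded CR/LF pass straight through.
function modelProtectWhitespace(path) {
  return path.startsWith(" ") ? "./" + path : path;
}

// Model of the sender: the command string is written to the control
// channel with \r\n appended and no further checks.
function modelWireBytes(verb, path) {
  return `${verb} ${modelProtectWhitespace(path)}\r\n`;
}

// The FTP control channel is line oriented: each CRLF-terminated line
// is parsed by the server as one command.
function commandsSeenByServer(wire) {
  return wire.split("\r\n").filter((line) => line.length > 0);
}

// Defensive check applied by the caller before any path API is used
// (assumed policy): refuse CR, LF and NUL. Bare LF is refused as well
// because some servers accept it as a line terminator.
function assertSafeFtpPath(path) {
  if (typeof path !== "string" || /[\r\n\0]/.test(path)) {
    throw new Error("FTP path contains a control character (CR, LF or NUL)");
  }
  return path;
}

function safeWireBytes(verb, path) {
  return modelWireBytes(verb, assertSafeFtpPath(path));
}

// Constructed sample inputs: a normal path, and one carrying an
// embedded CRLF followed by a harmless second command.
const benignPath = "reports/2026-04.csv";
const splitPath = "reports\r\nNOOP";

function demo() {
  const result = {
    benign: commandsSeenByServer(modelWireBytes("CWD", benignPath)),
    split: commandsSeenByServer(modelWireBytes("CWD", splitPath)),
    rejected: false,
  };
  try { safeWireBytes("CWD", splitPath); } catch (e) { result.rejected = true; }
  return result;
}
console.log(demo());
```

Until a package carrying basic-ftp 5.2.1 or later is installed, a check of this kind belongs in the calling code wherever a path derived from untrusted input reaches one of the listed path APIs.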
--- Begin Message ---
Source: node-proxy-agents
Source-Version: 0~2025070717+~cs15.3.7-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-proxy-agents, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-proxy-agents package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 24 Apr 2026 13:33:58 +0200
Source: node-proxy-agents
Architecture: source
Version: 0~2025070717+~cs15.3.7-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1134730
Changes:
 node-proxy-agents (0~2025070717+~cs15.3.7-1) unstable; urgency=medium
 .
   * Declare compliance with policy 4.7.4
   * Drop "Priority: optional"
   * New upstream version (Closes: #1134730, CVE-2026-39983)
   * Refresh patches

--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel