Your message dated Fri, 24 Apr 2026 12:04:33 +0000
with message-id <[email protected]>
and subject line Bug#1134646: fixed in node-follow-redirects 1.16.0+~1.14.4-1
has caused the Debian Bug report #1134646,
regarding node-follow-redirects: CVE-2026-40895
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1134646: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134646
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-follow-redirects
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
The following vulnerability was published for node-follow-redirects.
CVE-2026-40895[0]:
| follow-redirects is an open source, drop-in replacement for Node's
| `http` and `https` modules that automatically follows redirects.
| Prior to 1.16.0, when an HTTP request follows a cross-domain
| redirect (301/302/307/308), follow-redirects only strips
| authorization, proxy-authorization, and cookie headers (matched by
| regex at index.js). Any custom authentication header (e.g., X-API-Key,
| X-Auth-Token, Api-Key, Token) is forwarded verbatim to the
| redirect target. This vulnerability is fixed in 1.16.0.
https://github.com/follow-redirects/follow-redirects/security/advisories/GHSA-r4q5-vmmm-2653
https://github.com/follow-redirects/follow-redirects/pull/284
https://github.com/follow-redirects/follow-redirects/commit/844c4d302ac963d29bdb5dc1754ec7df3d70d7f9
(v1.16.0)
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-40895
https://www.cve.org/CVERecord?id=CVE-2026-40895
Please adjust the affected versions in the BTS as needed.
--- End Message ---
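The advisory quoted above describes the failure mode precisely: credential stripping on a cross-domain redirect that keys off three fixed header names leaks every other credential-bearing header. The following is an added example, not code from follow-redirects, from the upstream fix, or from this bug report. It models the narrow denylist the advisory describes for releases before 1.16.0 beside an allowlist policy that drops every unrecognised header on a cross-origin hop, and adds an audit helper a team can run as a regression test around its own HTTP client wrapper. The function names, header names, URLs and values are constructed for the demonstration, and the allowlist is an assumed hardening design rather than the upstream change.

```javascript
// Added example, not code from follow-redirects or from this bug report.
// It models how a redirect follower decides which request headers travel to
// the redirect target: a narrow denylist of the kind the advisory describes
// for releases before 1.16.0, beside an allowlist policy that drops every
// unknown header on a cross-origin hop. Header names, URLs and values are
// constructed for the demonstration.

// Scheme, host and port must all match for the hop to count as same-origin.
// WHATWG URL parsing drops default ports, so ":443" on https compares equal.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Model of the pre-1.16.0 behaviour: only these three names are removed on a
// cross-origin redirect; any other credential-bearing header is forwarded.
const LEGACY_STRIP = /^(?:authorization|proxy-authorization|cookie)$/i;

function legacyRedirectHeaders(fromUrl, toUrl, headers) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!LEGACY_STRIP.test(name)) out[name] = value;
  }
  return out;
}

// Hardened policy (assumed design, not the upstream fix): on a cross-origin
// redirect forward only headers known to carry no credentials. X-API-Key,
// X-Auth-Token and anything an application invents later are dropped by default.
const CROSS_ORIGIN_ALLOW = new Set([
  'accept', 'accept-encoding', 'accept-language',
  'content-type', 'content-length', 'user-agent',
]);

function hardenedRedirectHeaders(fromUrl, toUrl, headers) {
  if (sameOrigin(fromUrl, toUrl)) return { ...headers };
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (CROSS_ORIGIN_ALLOW.has(name.toLowerCase())) out[name] = value;
  }
  return out;
}

// Audit helper: names of credential-looking headers a policy still forwards
// across origins. Suitable as a regression test around an HTTP client wrapper.
const CREDENTIAL_NAME = /^(?:authorization|proxy-authorization|cookie)$|api-?key|token|auth|secret/i;

function leakedCredentialHeaders(policy, fromUrl, toUrl, headers) {
  const sent = policy(fromUrl, toUrl, headers);
  return Object.keys(sent).filter((name) => CREDENTIAL_NAME.test(name)).sort();
}

// Constructed sample: an API call carrying several kinds of credential that
// gets redirected to a different host.
const SAMPLE_HEADERS = {
  Accept: 'application/json',
  Authorization: 'Bearer example-bearer-token',
  Cookie: 'session=example-session',
  'X-API-Key': 'example-api-key',
  'X-Auth-Token': 'example-auth-token',
  'User-Agent': 'example-client/1.0',
};
const ORIGIN_URL = 'https://api.example.test/v1/resource';
const CROSS_URL = 'https://mirror.example.invalid/v1/resource';

console.log('legacy policy forwards  :',
  leakedCredentialHeaders(legacyRedirectHeaders, ORIGIN_URL, CROSS_URL, SAMPLE_HEADERS));
console.log('hardened policy forwards:',
  leakedCredentialHeaders(hardenedRedirectHeaders, ORIGIN_URL, CROSS_URL, SAMPLE_HEADERS));
```

Run under Node, the legacy policy still forwards X-API-Key and X-Auth-Token to the other host while the allowlist forwards nothing credential-like. The allowlist direction generalises beyond the four header names the advisory lists: a denylist has to be extended every time an application adopts a new authentication header, whereas an allowlist fails closed for headers nobody anticipated. Same-origin hops keep every header in both policies, so ordinary redirects within a site are unaffected.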
--- Begin Message ---
Source: node-follow-redirects
Source-Version: 1.16.0+~1.14.4-1
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
node-follow-redirects, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-follow-redirects
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 24 Apr 2026 13:42:50 +0200
Source: node-follow-redirects
Architecture: source
Version: 1.16.0+~1.14.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1134646
Changes:
node-follow-redirects (1.16.0+~1.14.4-1) unstable; urgency=medium
.
* Team upload
* Declare compliance with policy 4.7.4
* New upstream release (Closes: #1134646, CVE-2026-40895)
* Unfuzz patches
Checksums-Sha1:
b605960035ad78120a32bda245c29c5592777228 2656 node-follow-redirects_1.16.0+~1.14.4-1.dsc
ca054d72ef574c77949fc5fff278b430fcd508ec 2813 node-follow-redirects_1.16.0+~1.14.4.orig-types-follow-redirects.tar.gz
dc06d892bc16e982abca55b2b1a650da9b91c169 94075 node-follow-redirects_1.16.0+~1.14.4.orig.tar.gz
dd668cf4e2331805d79b07191427de000edf392a 4896 node-follow-redirects_1.16.0+~1.14.4-1.debian.tar.xz
Checksums-Sha256:
b6cdd3d57ef6a175ee56658acac27f3fa9b0752ee465c28f4c741cd1df60d360 2656 node-follow-redirects_1.16.0+~1.14.4-1.dsc
88b7ad41ccdd6b77b864f048a67b7141dea86841a382d22b8b91f6c28f73a7d8 2813 node-follow-redirects_1.16.0+~1.14.4.orig-types-follow-redirects.tar.gz
cd53ece8de48c6833b21c3174f245530af6be312af17920c6d3a905aca8ce258 94075 node-follow-redirects_1.16.0+~1.14.4.orig.tar.gz
18e50da634fb801a229d964eb8dc55f5df79ec9ba7e968b62ca019cd5a31221f 4896 node-follow-redirects_1.16.0+~1.14.4-1.debian.tar.xz
Files:
380ed6d93e67b5903f94920805b1b294 2656 javascript optional node-follow-redirects_1.16.0+~1.14.4-1.dsc
719a7019d9e21269e285e4a7c45126dc 2813 javascript optional node-follow-redirects_1.16.0+~1.14.4.orig-types-follow-redirects.tar.gz
8deba54c24f4ec5ba04bac8657c9aed8 94075 javascript optional node-follow-redirects_1.16.0+~1.14.4.orig.tar.gz
2df6845ec4ae58c55f7f76e590bfb657 4896 javascript optional node-follow-redirects_1.16.0+~1.14.4-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEAN/li4tVV3nRAF7J9tdMp8mZ7ukFAmnrV9kACgkQ9tdMp8mZ
7uma3BAAkRI/ilTKEyuqVoIUUVBg1/RJiqCdQz2KSE9ZVc2ISQWLnaZzvVWItt0a
c6iqjCALoaf3PKj/VSe39ljH/O/T0o/J1rDR2RoqTLMyu5wko6HcO5fz1IdNiFE2
5BfDmLNZxNc5ps+k43He3yPLMRgld04A7gsUNIGFsEl1QeXCYXWuW6BBENsLKPWf
pi5SXB9te8AzP3/zjF/Cy6cADU6ip9nv2Z2Ba3440djsKISz/7becSDWLmfWz0Ie
RbiFHhfAsOS1VM8muuqaHaJ8Sh191PlSNRmqRgvNS0wxy+p+n3kYZ+YeY3xUGOpF
yDsAolZE8unTcEMxMi6h+nPTemNp1Ry7lp6ClVPOKX3SXoaJom5K2e22jQP1qG2w
Y3Hz9x9+8hUZqNMoa/TQ3NwnX+AOXCq2d0cROLAyfBGhEC4cPGGjLoN+JGhP/YEI
yFqSLWTg5ywjXr0dVfDchifoVkdDkcWsiuCAL73QzsdKYoz3f/SH6Eb9hJrRnEX+
iygiAEcy1wejasZsf2Z3D38gzXQ1cB69/T3zL5mNu/Ga3EMp0rerUJLepszr0ENe
qYCNnSbOKxYbCTB8Te1jpvJ630bf+wvlsANwfyDp6YFe1lfJgHYAT9VYN0zxQGVH
J9mYuqLK/Kcc8YY5RhUeWQssGqdelbEOKgN4bU3fvFwXcZemmUU=
=FyMu
-----END PGP SIGNATURE-----
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel