Your message dated Fri, 15 May 2026 10:34:32 +0000
with message-id <[email protected]>
and subject line Bug#1136650: fixed in node-proxy-agents 0~2025070717+~cs15.3.8-1
has caused the Debian Bug report #1136650,
regarding node-proxy-agents: CVE-2026-44240
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1136650: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136650
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: node-proxy-agents
Version: 0~2025070717+~cs15.3.7-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for node-proxy-agents.

CVE-2026-44240[0]:
| basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is
| vulnerable to client-side denial of service when parsing FTP
| control-channel multiline responses. A malicious or compromised FTP
| server can send an unterminated multiline response during the
| initial FTP banner phase, before authentication. The client keeps
| appending attacker-controlled data into FtpContext._partialResponse
| and repeatedly reparses the accumulated buffer without enforcing a
| maximum control response size. As a result, an application using
| basic-ftp can remain stuck in connect() while memory and CPU usage
| grow under attacker-controlled input. This can lead to process-level
| denial of service, container OOM kills, worker restarts, queue
| backlog, or service degradation in applications that automatically
| connect to FTP endpoints. This vulnerability is fixed in 5.3.1.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-44240
    https://www.cve.org/CVERecord?id=CVE-2026-44240
[1] https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-rpmf-866q-6p89

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
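
The failure mode in the CVE description above is unbounded accumulation of one pending control response that is reparsed on every chunk. The reader below is an added illustration, not part of the original message and not basic-ftp's code or its 5.3.1 fix; it caps the pending response and examines each line once. The class name, the 64 KiB limit and the strict handling of malformed lines are assumptions.

```javascript
// Added example (not basic-ftp code). MAX_CONTROL_BYTES and all names are assumptions.
const MAX_CONTROL_BYTES = 64 * 1024; // hypothetical cap on one pending response

class ControlResponseReader {
  constructor(maxBytes = MAX_CONTROL_BYTES) {
    this.maxBytes = maxBytes;
    this.tail = "";   // incomplete last line, not yet newline-terminated
    this.lines = [];  // complete lines of the response being assembled
    this.size = 0;    // bytes held in this.lines
    this.code = null; // reply code of an open multiline response
  }

  // Feed one chunk from the control socket; returns the responses it completed.
  // Throws once a single pending response exceeds maxBytes, so the caller can
  // destroy the socket instead of buffering without limit.
  feed(chunk) {
    const done = [];
    const parts = (this.tail + chunk).split("\n");
    this.tail = parts.pop(); // keep only the unterminated remainder
    for (const raw of parts) {
      const line = raw.replace(/\r$/, "");
      this.lines.push(line);
      this.size += Buffer.byteLength(line) + 1;
      if (this.code === null) {
        const m = /^(\d{3})([ -])/.exec(line);
        if (!m) throw new Error("malformed reply line");
        if (m[2] === "-") { this.code = m[1]; continue; } // multiline opens
      } else if (!line.startsWith(this.code + " ")) {
        continue; // still inside the multiline body
      }
      // Single-line reply, or the "NNN " line that closes a multiline one.
      done.push({ code: Number(line.slice(0, 3)), message: this.lines.join("\n") });
      this.lines = []; this.size = 0; this.code = null;
    }
    if (this.size + Buffer.byteLength(this.tail) > this.maxBytes) {
      throw new Error(`control response exceeds ${this.maxBytes} bytes`);
    }
    return done;
  }
}
```

A caller would pair this with a connect timeout and close the socket when `feed` throws, so a server that never terminates its banner costs a bounded amount of memory and time.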
--- Begin Message ---
Source: node-proxy-agents
Source-Version: 0~2025070717+~cs15.3.8-1
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
node-proxy-agents, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated node-proxy-agents package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 15 May 2026 12:04:43 +0200
Source: node-proxy-agents
Architecture: source
Version: 0~2025070717+~cs15.3.8-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1136650
Changes:
 node-proxy-agents (0~2025070717+~cs15.3.8-1) unstable; urgency=medium
 .
   * Team upload
   * Apply multiarch hints from UDD
   * New upstream version 0~2025070717+~cs15.3.8
     (Closes: #1136650, CVE-2026-44240)



--- End Message ---