Thank you for your contribution to Debian.
Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Format: 1.8 Date: Sat, 20 Jun 2026 15:47:40 +0200 Source: node-undici Architecture: source Version: 8.5.0+dfsg+~cs3.2.0-1 Distribution: experimental Urgency: medium Maintainer: Debian Javascript Maintainers <[email protected]> Changed-By: Jérémy Lal <[email protected]> Closes: 1140363 Changes: node-undici (8.5.0+dfsg+~cs3.2.0-1) experimental; urgency=medium . * New upstream version 8.5.0+dfsg+~cs3.2.0. Fixes the following vulnerabilities. Closes: #1140363. High severity: + CVE-2026-12151: WebSocket DoS via fragment count bypass + CVE-2026-9697: TLS certificate validation bypass in SOCKS5 ProxyAgent + CVE-2026-6734: Cross-origin request routing via SOCKS5 proxy pool reuse Medium severity: + CVE-2026-9678: Cross-user information disclosure via shared cache whitespace bypass + CVE-2026-9679: HTTP header injection via Set-Cookie percent-decoding Low severity: + CVE-2026-11525: Set-Cookie SameSite attribute downgrade + CVE-2026-6733: HTTP response queue poisoning via keep-alive socket reuse * Drop applied patch * Refresh patch * Drop another test (release.js) Checksums-Sha1: 78a6a44f6b223df03bcd01812f62a475e546d997 2696 node-undici_8.5.0+dfsg+~cs3.2.0-1.dsc 1e975bdeff806d9ffb1cb822539a2d74b6b5ac17 40048 node-undici_8.5.0+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz b463f8fdbe5e05f5e3c7ef6fc7c183d093bf158e 697572 node-undici_8.5.0+dfsg+~cs3.2.0.orig.tar.xz d5c9d0a15f5337b74d90c2a798cc15f64d3a978a 215640 node-undici_8.5.0+dfsg+~cs3.2.0-1.debian.tar.xz 7e7c763d97c11462161974141816658e0346f853 9600 node-undici_8.5.0+dfsg+~cs3.2.0-1_source.buildinfo Checksums-Sha256: 6fcc295a42341d9c507a3c28bf61858f6bb7c3915518ac73a403adbcc5cc72a7 2696 node-undici_8.5.0+dfsg+~cs3.2.0-1.dsc 38d43f2df5ac3dcf51cc5a9866973fe5951f90bd44d9fab8dbf0dc2ed0f025f3 40048 node-undici_8.5.0+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz 442501c3d1f2b544bc329a3fff4ddd31551603a22ca95a4d881daab16e1a893b 697572 node-undici_8.5.0+dfsg+~cs3.2.0.orig.tar.xz 8872039103fd48d532699d8bfb3c7d1068ab88d3b1bd03a3f13b79b48aec350d 215640 node-undici_8.5.0+dfsg+~cs3.2.0-1.debian.tar.xz e0d75408fe33fa2aa9ffe685905506c819f452bee6f8068b4dd659e05292d5b9 9600 node-undici_8.5.0+dfsg+~cs3.2.0-1_source.buildinfo Files: 795d7b17e4d53d76a644d19fb8aae97d 2696 javascript optional node-undici_8.5.0+dfsg+~cs3.2.0-1.dsc a03285069cc3d8477877fba2f1eabf2f 40048 javascript optional node-undici_8.5.0+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz dc06aa89058ef76e7ad54e8442ab188f 697572 javascript optional node-undici_8.5.0+dfsg+~cs3.2.0.orig.tar.xz 0041adc72ab259924535e935b3548811 215640 javascript optional node-undici_8.5.0+dfsg+~cs3.2.0-1.debian.tar.xz da0b51ba2f5c198fac0a9c76b8fb7665 9600 javascript optional node-undici_8.5.0+dfsg+~cs3.2.0-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJGBAEBCAAwFiEEA8Tnq7iA9SQwbkgVZhHAXt0583QFAmo2nCgSHGthcG91ZXJA bWVsaXgub3JnAAoJEGYRwF7dOfN0oBIQAIGi2gwzdGoMNGdMQ2VuqfiCTrHF2f1W rXeaNpCuOAykmb6Uur3a4tVkxmIBKd8miyT5KxQXXm/e3jD3r/wXb9rxUNmYMaAR 4rfWYfF8X1Xx5Mq4cRhHgudJLEzsI3+WgzBEMFOeIa237GYT6EoQfYEqU3dlAB3U uGJdI64BnWHvumD0IBAW6o1qf38pVI9xzm/Wm9ORpttMIzVgTaVawVBy1qEtpMVS W6Yq7lU3Z2wCIpeuFoCnnIPvn2+cUDunOP2+Ko4KLtWOiCVwe4wlKqbDYBWRVJnB geQn4vRjYywJhth1S5udKDPEAL2fwOfU0pMNwe8CsyjXTd5Z0BbzLDb19/TWaWbH 5nLVnhC6jfHxC4IsP0VAfLF5IuRVyI6L9l4EYf8bvUISEwJHuTbC/10Qs35Lnxs7 0OImdz4/b7EiqluQCw3DDbtD9RGIp7wDXrdvDkWpHPxmtyDjDXZw15QrWPCSCAG7 6PsUGIXbiHmKYQYF1OkREjfamkk8kOieoNrnrCShfp5wJ+havs/Q5aQ4aPSjmtzx rr2UlLAsyQ6P+5YkjPu+8CO+J87Cl+6tP5XpT4SXUNXqqXqV8r/Rh+dhwMiORth1 hAL2vpEeo4lxhSYvpZk4lmCmlILXtn/WKeevMmyremscXaq67Gfa/S/8xPP8/tXY JLDsMd3EO4M4 =rxsX -----END PGP SIGNATURE-----
pgpSiJzSIoJtQ.pgp
Description: PGP signature
-- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
