Discussion:
Bug#1094751: bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2
Yadd
2025-01-30 18:00:01 UTC
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-***@packages.debian.org
Control: affects -1 + src:node-axios
User: ***@packages.debian.org
Usertags: pu

[ Reason ]
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
URL object when determining an origin, and has a potentially
unwanted setAttribute('href',href) call.

[ Impact ]
Potential security issue

[ Tests ]
No regression, autopkgtest passed

[ Risks ]
Low risk, it replaces a specific library with the node URL API

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Replace a specific library with the node URL API

Cheers,
Xavier
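The request above describes the fix as replacing a URL-parsing library with the node URL API for origin determination. The following is an added example, not axios's code and not part of the Debian package: it shows what a same-origin check built on the WHATWG `URL` class (the global `URL` in Node.js) looks like, beside a constructed string-prefix check that illustrates the kind of mistakes made when an origin is derived without parsing the URL. `PAGE`, `PAGE_ORIGIN`, the input list and `naiveSameOrigin` are all assumptions made for the illustration.

```javascript
// Added example (not axios's code, not from the Debian package): a same-origin
// check built on the WHATWG URL API that Node.js exposes as the global `URL`,
// next to a constructed string-prefix check that shows what goes wrong when an
// origin is derived without parsing the URL.

// Same-origin per the URL standard: scheme, host and effective port must all
// match. Relative request URLs are resolved against the page URL first.
function isSameOriginWithURL(requestURL, pageURL) {
  let page, target;
  try {
    page = new URL(pageURL);
    target = new URL(requestURL, pageURL);
  } catch (e) {
    return false; // unparsable input is never treated as same-origin
  }
  // Opaque origins (data:, about:, ...) serialize as the string "null" and
  // must never compare equal, even to each other.
  if (target.origin === 'null' || page.origin === 'null') return false;
  return target.origin === page.origin;
}

// Constructed strawman: compares the raw string prefix instead of the parsed
// origin. Included only to show the failure modes a URL object avoids.
function naiveSameOrigin(requestURL, pageOrigin) {
  return requestURL.startsWith(pageOrigin);
}

// Constructed inputs; PAGE stands in for the page that issues the requests.
const PAGE = 'https://example.com/app/';
const PAGE_ORIGIN = 'https://example.com';

const CASES = [
  // [request URL, expected same-origin verdict, why]
  ['https://example.com/api', true, 'plain same-origin request'],
  ['/api/data', true, 'relative URL resolves against the page'],
  ['HTTPS://EXAMPLE.COM:443/api', true, 'case and default port are normalized'],
  ['https://example.com:8443/api', false, 'different port, different origin'],
  ['https://example.com.evil.com/', false, 'origin is only a prefix of the host'],
  ['https://example.com@evil.com/', false, 'userinfo hides the real host'],
  ['//evil.com/api', false, 'scheme-relative URL points elsewhere'],
  ['data:text/plain,hello', false, 'opaque origin'],
];

// Runs every case through both checks and returns the verdicts, so the
// divergences can be inspected (or asserted on) without parsing output.
function evaluateCases() {
  return CASES.map(([url, expected, why]) => ({
    url,
    why,
    expected,
    urlApi: isSameOriginWithURL(url, PAGE),
    naive: naiveSameOrigin(url, PAGE_ORIGIN),
  }));
}

// Returns the URLs on which the naive check disagrees with the URL-based one.
function naiveMismatches() {
  return evaluateCases().filter((r) => r.naive !== r.urlApi).map((r) => r.url);
}

for (const r of evaluateCases()) {
  const flag = r.naive === r.urlApi ? '   ' : '!! ';
  console.log(`${flag}${r.url.padEnd(36)} url=${r.urlApi} naive=${r.naive}  ${r.why}`);
}
```

Run with `node` and the lines marked `!!` are the inputs on which the prefix check and the parsed-origin check disagree: relative and differently-cased URLs are wrongly rejected, while a foreign host that merely begins with the expected origin, a userinfo trick, or a different port are wrongly accepted. The `URL` object also makes the "null" opaque origin explicit, which a string comparison silently ignores.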
Debian Bug Tracking System
2025-01-30 18:00:02 UTC
Post by Yadd
affects -1 + src:node-axios
Bug #1094751 [release.debian.org] bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2
Added indication that 1094751 affects src:node-axios
--
1094751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094751
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Salvatore Bonaccorso
2025-01-30 21:40:01 UTC
Hi,
Post by Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
Control: affects -1 + src:node-axios
Usertags: pu
[ Reason ]
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
URL object when determining an origin, and has a potentially
unwanted setAttribute('href',href) call.
[ Impact ]
Potential security issue
[ Tests ]
No regression, autopkgtest passed
[ Risks ]
Low risk, it replaces a specific library with the node URL API
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
Replace a specific library with the node URL API
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index ad1d642..5c966ce 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+node-axios (1.2.1+dfsg-1+deb12u2) bookworm; urgency=medium
+
+ * Team upload
+ * Fix potential vulnerability in URL when determining an origin
+ (Closes: #1094731, CVE-2024-57965)
+
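Review bot: the hunk header "@@ -1,3 +1,11 @@" announces eight added lines but only six are quoted here, so the changelog entry is cut off before its maintainer/date trailer and the reviewer cannot see who signed it or when. The entry also records only the CVE-2024-57965 fix (Closes: #1094731); if the +deb12u1 entry for CVE-2023-45857 asked about below never reached the archive, the squashed upload needs a single entry that lists both CVEs, as the acceptance notice at the end of this thread does.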
Do you know what happened to the 1.2.1+dfsg-1+deb12u1 version?
According to the git commit, this was meant to fix CVE-2023-45857 via a
point release as well, but it never got uploaded?

Regards,
Salvatore
Salvatore Bonaccorso
2025-01-31 06:40:01 UTC
Hi,

Thanks for your reply.

Disclaimer: not part of the release team.
Post by Salvatore Bonaccorso
Hi,
Post by Yadd
Package: release.debian.org
Severity: normal
Tags: bookworm
Control: affects -1 + src:node-axios
Usertags: pu
[ Reason ]
In axios before 1.7.8, lib/helpers/isURLSameOrigin.js does not use a
URL object when determining an origin, and has a potentially
unwanted setAttribute('href',href) call.
[...]
Do you know what happened to the 1.2.1+dfsg-1+deb12u1 version?
According to the git commit, this was meant to fix CVE-2023-45857 via a
point release as well, but it never got uploaded?
Regards,
Salvatore
Post by Yadd
Hi,
I don't remember what happened here.
Ok, I guess no worries. Stable release managers, there is also a previous
change, which fixes another no-dsa issue and should be included.

Xavier, maybe you can post the debdiff additionally to the version
which is currently in stable to get the full view.

Regards,
Salvatore
Debian Bug Tracking System
2025-02-01 21:30:02 UTC
tag -1 confirmed
Bug #1094751 [release.debian.org] bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2
Added tag(s) confirmed.
--
1094751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094751
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems
Jonathan Wiltshire
2025-02-01 21:30:02 UTC
Control: tag -1 confirmed

Assuming +deb12u1 was never in the archive, yes, please squash them and go
ahead.

Thanks,
--
Jonathan Wiltshire ***@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1
Jonathan Wiltshire
2025-02-03 17:10:01 UTC
package release.debian.org
tags 1094751 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: node-axios
Version: 1.2.1+dfsg-1+deb12u1

Explanation: fix CSRF vulnerability [CVE-2023-45857]; fix potential vulnerability in URL when determining an origin [CVE-2024-57965]
Debian Bug Tracking System
2025-02-03 17:10:02 UTC
Post by Jonathan Wiltshire
package release.debian.org
Limiting to bugs with field 'package' containing at least one of 'release.debian.org'
Limit currently set to 'package':'release.debian.org'
Post by Jonathan Wiltshire
tags 1094751 = bookworm pending
Bug #1094751 [release.debian.org] bookworm-pu: package node-axios/1.2.1+dfsg-1+deb12u2
Added tag(s) pending; removed tag(s) confirmed.
Post by Jonathan Wiltshire
thanks
Stopping processing here.

Please contact me if you need assistance.
--
1094751: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1094751
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems