Accepted node-url-parse 1.2.0-2+deb10u2 (source) into oldstable
- To: debian-lts-changes@lists.debian.org, dispatch@tracker.debian.org
- Subject: Accepted node-url-parse 1.2.0-2+deb10u2 (source) into oldstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 22 Feb 2023 23:20:22 +0000
- Debian: DAK
- Debian-architecture: source
- Debian-archive-action: accept
- Debian-changes: node-url-parse_1.2.0-2+deb10u2_source.changes
- Debian-source: node-url-parse
- Debian-suite: oldstable
- Debian-version: 1.2.0-2+deb10u2
- Mail-followup-to: debian-lts@lists.debian.org
- Message-id: <E1pUyPO-000152-Uq@seger.debian.org>
- Reply-to: debian-lts@lists.debian.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 22 Feb 2023 23:16:53 +0100
Source: node-url-parse
Architecture: source
Version: 1.2.0-2+deb10u2
Distribution: buster-security
Urgency: high
Maintainer: Debian Javascript Maintainers <pkg-javascript-devel@lists.alioth.debian.org>
Changed-By: Guilhem Moulin <guilhem@debian.org>
Closes: 985110 991577
Changes:
node-url-parse (1.2.0-2+deb10u2) buster-security; urgency=high
.
  * Non-maintainer upload by the LTS Security Team.
  * CVE-2021-27515: Using a backslash in the protocol is valid in the browser,
    while url-parse thinks it’s a relative path. An application that validates
    a URL using url-parse might pass a malicious link. (Closes: #985110)
  * CVE-2021-3664: url-parse mishandles certain uses of a single (back) slash
    such as https:\ & https:/ and interprets the URI as a relative path.
    Browsers accept a single backslash after the protocol, and treat it as a
    normal slash, while url-parse sees it as a relative path.
    (Closes: #991577)
  * CVE-2022-0512: Incorrect handling of username and password can lead to
    authorization bypass.
  * CVE-2022-0639: A specially crafted URL with empty userinfo and no host can
    be used to bypass authorization checks.
  * CVE-2022-0686: A URL with a specified but empty port can be used to bypass
    authorization checks.
  * CVE-2022-0691: Leading control characters are not removed. This allows an
    attacker to bypass hostname checks and makes the `extractProtocol` method
    return false positives.
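As an added example (not code from this upload or from url-parse itself), the Node script below shows a link check built on the browser-consistent WHATWG URL parser, so each bug class in the changelog above (backslash after the scheme, empty userinfo, empty port, leading control characters) is resolved the way a browser would resolve it; the allowlisted host `app.example.test` and the sample inputs are constructed.

```javascript
// Added example, not code from the Debian upload or from url-parse: a
// hostname-allowlist check built on Node's WHATWG URL parser, which applies
// the same rules browsers do, so each changelog input resolves as a browser would.
const ALLOWED_HOSTS = new Set(['app.example.test']); // constructed allowlist

// Parse with the WHATWG parser; null means the input is not an absolute URL.
function parseLikeBrowser(input) {
  try {
    return new URL(input);
  } catch (err) {
    return null;
  }
}

// The WHATWG serializer always emits a path ("https://h" becomes
// "https://h/"); that is the only repair a canonical input may need.
function isCanonical(input, url) {
  return url.href === input || url.href === input + '/';
}

// Two rules: (1) the host the browser would contact must be allowlisted;
// (2) the input must already be canonical, so anything the parser had to
// repair (backslash after the scheme, leading control character, empty
// userinfo, empty port) is rejected: those are the strings lenient parsers disagree on.
function checkLink(input, allowedHosts = ALLOWED_HOSTS) {
  const url = parseLikeBrowser(input);
  if (url === null) return { ok: false, reason: 'unparseable', hostname: null };
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: 'host-not-allowed', hostname: url.hostname };
  }
  if (!isCanonical(input, url)) {
    return { ok: false, reason: 'non-canonical', hostname: url.hostname };
  }
  return { ok: true, reason: 'ok', hostname: url.hostname };
}

// Constructed inputs mirroring the changelog's bug classes.
const SAMPLES = [
  'https://app.example.test/login', // canonical, allowed host
  'https:\\other.example.test',     // backslash after the scheme (CVE-2021-27515, CVE-2021-3664)
  'https:/other.example.test',      // single slash after the scheme (CVE-2021-3664)
  'https://@app.example.test',      // empty userinfo (CVE-2022-0639)
  'https://app.example.test:',      // empty port (CVE-2022-0686)
  '\bhttps://app.example.test/',    // leading control character (CVE-2022-0691)
];

for (const sample of SAMPLES) {
  console.log(JSON.stringify(sample), '->', JSON.stringify(checkLink(sample)));
}
```

Rule 2 is deliberately conservative: a link with an upper-case host is also refused as non-canonical, which is the intended trade-off for a validator guarding redirects or allowlisted origins.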