Forum: >>> Magnum BBS <<<

Bug#1102310: bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1

From Yadd@21:1/5 to All on Mon Apr 7 15:40:01 2025

XPost: linux.debian.devel.release

This is a multi-part MIME message sent by reportbug.

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-send@packages.debian.org, yadd@debian.org
Control: affects -1 + src:node-send
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-send is vulnerable to XSS issue (#1081483, CVE-2024-43799)0

[ Impact ]
Medium security issue

[ Tests ]
Test updated in patch

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
Don't insert data from user into HTML code

Cheers,
Xavier

ZGlmZiAtLWdpdCBhL2RlYmlhbi9jaGFuZ2Vsb2cgYi9kZWJpYW4vY2hhbmdlbG9nCmluZGV4IDA5 YmY3YjguLjBlODdiOWMgMTAwNjQ0Ci0tLSBhL2RlYmlhbi9jaGFuZ2Vsb2cKKysrIGIvZGViaWFu L2NoYW5nZWxvZwpAQCAtMSwzICsxLDkgQEAKK25vZGUtc2VuZCAoMC4xOC4wK35jczEuMTkuMS0z K2RlYjEydTEpIGJvb2t3b3JtOyB1cmdlbmN5PW1lZGl1bQorCisgICogRml4IFhTUyBpc3N1ZSAo Q2xvc2VzOiAjMTA4MTQ4MywgQ1ZFLTIwMjQtNDM3OTkpCisKKyAtLSBZYWRkIDx5YWRkQGRlYmlh bi5vcmc+ICBNb24sIDA3IEFwciAyMDI1IDE1OjI1OjQ2ICswMjAwCisKIG5vZGUtc2VuZCAoMC4x OC4wK35jczEuMTkuMS0zKSB1bnN0YWJsZTsgdXJnZW5jeT1tZWRpdW0KIAogICAqIEFkZCBCcmVh a3M6IG5vZGUtZXhwcmVzcyA8IDQuMTguMX4KZGlmZiAtLWdpdCBhL2RlYmlhbi9wYXRjaGVzL0NW RS0yMDI0LTQzNzk5LnBhdGNoIGIvZGViaWFuL3BhdGNoZXMvQ1ZFLTIwMjQtNDM3OTkucGF0Y2gK bmV3IGZpbGUgbW9kZSAxMDA2NDQKaW5kZXggMDAwMDAwMC4uYjBlOGNkNwotLS0gL2Rldi9udWxs CisrKyBiL2RlYmlhbi9wYXRjaGVzL0NWRS0yMDI0LTQzNzk5LnBhdGNoCkBAIC0wLDAgKzEsNDMg QEAKK0Rlc2NyaXB0aW9uOiBmaXggWFNTIGlzc3VlIENWRS0yMDI0LTQzNzk5CitBdXRob3I6IFVs aXNlcyBHYXNjw7NuIDxodHRwczovL2dpdGh1Yi5jb20vVWxpc2VzR2FzY29uPiwKKyBDaHJpcyBk ZSBBbG1laWRhIDxodHRwczovL2dpdGh1Yi5jb20vY3RjcGlwPgorT3JpZ2luOiB1cHN0cmVhbSwg aHR0cHM6Ly9naXRodWIuY29tL3BpbGxhcmpzL3NlbmQvY29tbWl0L2FlNGYyOTg5CitCdWc6IGh0 dHBzOi8vZ2l0aHViLmNvbS9waWxsYXJqcy9zZW5kL3NlY3VyaXR5L2Fkdmlzb3JpZXMvR0hTQS1t NmZ2LWptY2ctNGpmZworQnVnLURlYmlhbjogaHR0cHM6Ly9idWdzLmRlYmlhbi5vcmcvMTA4MTQ4 MworRm9yd2FyZGVkOiBub3QtbmVlZGVkCitBcHBsaWVkLVVwc3RyZWFtOiAwLjE5LjAsIGNvbW1p dDphZTRmMjk4OQorUmV2aWV3ZWQtQnk6IFlhZGQgPHlhZGRAZGViaWFuLm9yZz4KK0xhc3QtVXBk YXRlOiAyMDI1LTA0LTA3CisKKy0tLSBhL2luZGV4LmpzCisrKysgYi9pbmRleC5qcworQEAgLTQ4 Miw4ICs0ODIsNyBAQAorICAgfQorIAorICAgdmFyIGxvYyA9IGVuY29kZVVybChjb2xsYXBzZUxl YWRpbmdTbGFzaGVzKHRoaXMucGF0aCArICcvJykpCistICB2YXIgZG9jID0gY3JlYXRlSHRtbERv Y3VtZW50KCdSZWRpcmVjdGluZycsICdSZWRpcmVjdGluZyB0byA8YSBocmVmPSInICsgZXNjYXBl SHRtbChsb2MpICsgJyI+JyArCistICAgIGVzY2FwZUh0bWwobG9jKSArICc8L2E+JykKKysgIHZh ciBkb2MgPSBjcmVhdGVIdG1sRG9jdW1lbnQoJ1JlZGlyZWN0aW5nJywgJ1JlZGlyZWN0aW5nIHRv ICcgKyBlc2NhcGVIdG1sKGxvYykpCisgCisgICAvLyByZWRpcmVjdAorICAgcmVzLnN0YXR1c0Nv ZGUgPSAzMDEKKy0tLSBhL3Rlc3Qvc2VuZC5qcworKysrIGIvdGVzdC9zZW5kLmpzCitAQCAtMzU4 LDcgKzM1OCw3IEBACisgICAgICAgICAuZ2V0KCcvcGV0cycpCisgICAgICAgICAuZXhwZWN0KCdM b2NhdGlvbicsICcvcGV0cy8nKQorICAgICAgICAgLmV4cGVjdCgnQ29udGVudC1UeXBlJywgL2h0 bWwvKQorLSAgICAgICAgLmV4cGVjdCgzMDEsIC8+UmVkaXJlY3RpbmcgdG8gPGEgaHJlZj0iXC9w ZXRzXC8iPlwvcGV0c1wvPFwvYT48LywgZG9uZSkKKysgICAgICAgIC5leHBlY3QoMzAxLCAvPlJl ZGlyZWN0aW5nIHRvIFwvcGV0c1wvPC8sIGRvbmUpCisgICAgIH0pCisgCisgICAgIGl0KCdzaG91 bGQgcmVzcG9uZCB3aXRoIGRlZmF1bHQgQ29udGVudC1TZWN1cml0eS1Qb2xpY3knLCBmdW5jdGlv biAoZG9uZSkgeworQEAgLTM4Niw3ICszODYsNyBAQAorICAgICAgICAgLmdldCgnL3Nub3cnKQor ICAgICAgICAgLmV4cGVjdCgnTG9jYXRpb24nLCAnL3Nub3clMjAlRTIlOTglODMvJykKKyAgICAg ICAgIC5leHBlY3QoJ0NvbnRlbnQtVHlwZScsIC9odG1sLykKKy0gICAgICAgIC5leHBlY3QoMzAx LCAvPlJlZGlyZWN0aW5nIHRvIDxhIGhyZWY9Ilwvc25vdyUyMCVFMiU5OCU4M1wvIj5cL3Nub3cl MjAlRTIlOTglODNcLzxcL2E+PC8sIGRvbmUpCisrICAgICAgICAuZXhwZWN0KDMwMSwgLz5SZWRp cmVjdGluZyB0byBcL3Nub3clMjAlRTIlOTglODNcLzwvLCBkb25lKQorICAgICB9KQorICAgfSkK KyAKZGlmZiAtLWdpdCBhL2RlYmlhbi9wYXRjaGVzL3NlcmllcyBiL2RlYmlhbi9wYXRjaGVzL3Nl cmllcwppbmRleCA1ZmUwZTRjLi5lNDU0NjY3IDEwMDY0NAotLS0gYS9kZWJpYW4vcGF0Y2hlcy9z ZXJpZXMKKysrIGIvZGViaWFuL3BhdGNoZXMvc2VyaWVzCkBAIC0xLDIgKzEsMyBAQAogZGlzYWJs ZS1mYWlsaW5nLXRlc3QucGF0Y2gKIGZpeC1mb3ItbWltZS0yLnBhdGNoCitDVkUtMjAyNC00Mzc5 OS5wYXRjaAo=

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Adam D. Barratt@21:1/5 to Yadd on Sat May 10 17:00:01 2025

XPost: linux.debian.devel.release

Control: tags -1 + confirmed

On Mon, 2025-04-07 at 15:28 +0200, Yadd wrote:

node-send is vulnerable to XSS issue (#1081483, CVE-2024-43799)0

Please go ahead.

Regards,

Adam

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

From Adam D Barratt@21:1/5 to All on Sun May 11 11:50:01 2025

XPost: linux.debian.devel.release

package release.debian.org
tags 1102310 = bookworm pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

Thanks for your contribution!

Upload details
==============

Package: node-send
Version: 0.18.0+~cs1.19.1-3+deb12u1

Explanation: fix cross-site scripting issue [CVE-2024-43799]

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Who's Online

System Info

Sysop:	Keyop
Location:	Huddersfield, West Yorkshire, UK
Users:	491
Nodes:	16 (2 / 14)
Uptime:	109:19:28
Calls:	9,684
Files:	13,725
Messages:	6,175,705

Bug#1102310: bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1

Who's Online

System Info