• Bug#1102310: bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1

    From Yadd@21:1/5 to All on Mon Apr 7 15:40:01 2025
    XPost: linux.debian.devel.release


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    X-Debbugs-Cc: node-send@packages.debian.org, yadd@debian.org
    Control: affects -1 + src:node-send
    User: release.debian.org@packages.debian.org
    Usertags: pu

    [ Reason ]
    node-send is vulnerable to XSS issue (#1081483, CVE-2024-43799)

    [ Impact ]
    Medium security issue

    [ Tests ]
    Test updated in patch

    [ Risks ]
    Low risk, patch is trivial

    [ Checklist ]
    [X] *all* changes are documented in the d/changelog
    [X] I reviewed all changes and I approve them
    [X] attach debdiff against the package in (old)stable
    [X] the issue is verified as fixed in unstable

    [ Changes ]
    Don't insert data from user into HTML code

    Cheers,
    Xavier


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adam D. Barratt@21:1/5 to Yadd on Sat May 10 17:00:01 2025
    XPost: linux.debian.devel.release

    Control: tags -1 + confirmed

    On Mon, 2025-04-07 at 15:28 +0200, Yadd wrote:
    node-send is vulnerable to XSS issue (#1081483, CVE-2024-43799)

    Please go ahead.

    Regards,

    Adam

  • From Adam D Barratt@21:1/5 to All on Sun May 11 11:50:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1102310 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: node-send
    Version: 0.18.0+~cs1.19.1-3+deb12u1

    Explanation: fix cross-site scripting issue [CVE-2024-43799]
