[From nobody Tue Apr  7 08:07:04 2026
Received: (at submit) by bugs.debian.org; 6 Oct 2025 19:47:16 +0000
Return-path: <carnil@debian.org>
Received: from [2001:b07:646f:5100:33cc:58ad:18be:a30d] (port=38752
 helo=eldamar.lan) by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1v5rAx-008LNm-0d
 for submit@bugs.debian.org; Mon, 06 Oct 2025 19:47:16 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: node-static: CVE-2025-11149
Message-ID: <175978003256.10962.16515839479764906772.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Mon, 06 Oct 2025 21:47:12 +0200
Delivered-To: submit@bugs.debian.org

Source: node-static
Version: 0.7.11+~0.7.7-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for node-static.

CVE-2025-11149[0].

Note this CVE is not very clear, and there is node-static in the
nubosoftware space. Now the CVE description references [1]. Can you
clarify the state of the two projects? Our packaged one still seems to
have the issue?

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-11149
    https://www.cve.org/CVERecord?id=CVE-2025-11149
[1] https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
]