[From nobody Sat Jun 20 15:37:07 2026
Received: (at 1140363-close) by bugs.debian.org; 20 Jun 2026 14:34:48 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-114.1 required=4.0 tests=ALL_TRUSTED,BAYES_00,
 DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FOURLA,
 FVGT_m_MULTI_ODD,HAS_BUG_NUMBER,MD5_SHA1_SUM,PGPSIGNATURE,
 SPF_HELO_PASS,SPF_PASS,USER_IN_DKIM_WELCOMELIST autolearn=ham
 autolearn_force=no version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 98; hammy, 150; neutral, 233; spammy,
 0. spammytokens: hammytokens:0.000-+--HX-Debian:DAK,
 0.000-+--H*rp:D*ftp-master.debian.org, 0.000-+--HX-DAK:process-upload,
 0.000-+--UD:debian.tar.xz, 0.000-+--H*r:sk:fasolo.
Return-path: &lt;envelope@ftp-master.debian.org&gt;
Received: from mailly.debian.org ([2001:41b8:202:deb:6564:a62:52c3:4b72]:41314)
 by buxtehude.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;envelope@ftp-master.debian.org&gt;)
 id 1wawmW-009q7t-1K for 1140363-close@bugs.debian.org;
 Sat, 20 Jun 2026 14:34:48 +0000
Received: via submission
 from C=NA, ST=NA, L=Ankh Morpork, O=Debian SMTP, OU=Debian SMTP CA,
 CN=fasolo.debian.org, EMAIL=hostmaster@fasolo.debian.org (verified)
 by mailly.debian.org with esmtps
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.96) (envelope-from &lt;envelope@ftp-master.debian.org&gt;)
 id 1wawmU-005TLu-2B for 1140363-close@bugs.debian.org;
 Sat, 20 Jun 2026 14:34:46 +0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;
 d=ftp-master.debian.org; s=smtpauto.fasolo; h=Date:Message-Id:Content-Type:
 Subject:MIME-Version:To:Reply-To:From:Cc:Content-Transfer-Encoding:Content-ID
 :Content-Description:In-Reply-To:References;
 bh=lN03aL/z5D1Aan8HFUPPBYfokq57yi4MQ4VsdIOuPzI=; b=EL65zqS4pSnTQ45lfaLqn5JMa3
 IqinwdQ09hM/1yDc/Dczta14SAgPSCjE/VWo4YUyujJ2f0dZrYVo3RPiDPFxuZX/UHLhAg5vzqlwG
 RZmrbFQDmPtWfyrhEVtAf7tPpk0ddktM9fGP7WynJjrsP6v+82/OkgbnUNBSyqrjcHjMDj9jXnAVC
 eq1Q9t36EliEIsX/e7DiwUGR+Ql1yUMpTSumgXpU1M/8lxJpa7RWHliwuna/BAiJMfhnPhIjiyiPa
 q4Ot0mykbdWXDbcpVrxIQ/CHaB5QQPFFEvKj2lAL7xlpjaJjZNToMtPN98AgsJOqOuhaHNHPoZsUr
 3MiPxc/Q==;
Received: from dak by fasolo.debian.org with local (Exim 4.98.2)
 (envelope-from &lt;envelope@ftp-master.debian.org&gt;)
 id 1wawmT-0000000HXAp-37W0; Sat, 20 Jun 2026 14:34:45 +0000
From: Debian FTP Masters &lt;ftpmaster@ftp-master.debian.org&gt;
Reply-To: =?utf-8?b?SsOpcsOpbXkgTGFs?= &lt;kapouer@melix.org&gt;
To: 1140363-close@bugs.debian.org
X-DAK: dak process-upload
X-Debian: DAK
X-Debian-Package: node-undici
Debian: DAK
Debian-Changes: node-undici_8.5.0+dfsg+~cs3.2.0-1_source.changes
Debian-Source: node-undici
Debian-Version: 8.5.0+dfsg+~cs3.2.0-1
Debian-Architecture: source
Debian-Suite: experimental
Debian-Archive-Action: accept
MIME-Version: 1.0
Subject: Bug#1140363: fixed in node-undici 8.5.0+dfsg+~cs3.2.0-1
Content-Type: multipart/signed; micalg=&quot;pgp-sha256&quot;;
 protocol=&quot;application/pgp-signature&quot;;
 boundary=&quot;===============7664739507837777214==&quot;
Message-Id: &lt;E1wawmT-0000000HXAp-37W0@fasolo.debian.org&gt;
Date: Sat, 20 Jun 2026 14:34:45 +0000

--===============7664739507837777214==
Content-Type: text/plain; charset=&quot;utf-8&quot;
Content-Transfer-Encoding: quoted-printable

Source: node-undici
Source-Version: 8.5.0+dfsg+~cs3.2.0-1
Done: J=C3=A9r=C3=A9my Lal &lt;kapouer@melix.org&gt;

We believe that the bug you reported is fixed in the latest version of
node-undici, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1140363@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
J=C3=A9r=C3=A9my Lal &lt;kapouer@melix.org&gt; (supplier of updated node-undici pac=
kage)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 20 Jun 2026 15:47:40 +0200
Source: node-undici
Architecture: source
Version: 8.5.0+dfsg+~cs3.2.0-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Javascript Maintainers &lt;pkg-javascript-devel@lists.alioth.=
debian.org&gt;
Changed-By: J=C3=A9r=C3=A9my Lal &lt;kapouer@melix.org&gt;
Closes: 1140363
Changes:
 node-undici (8.5.0+dfsg+~cs3.2.0-1) experimental; urgency=3Dmedium
 .
   * New upstream version 8.5.0+dfsg+~cs3.2.0.
     Fixes the following vulnerabilities. Closes: #1140363.
     High severity:
     + CVE-2026-12151: WebSocket DoS via fragment count bypass
     + CVE-2026-9697: TLS certificate validation bypass in SOCKS5 ProxyAgent
     + CVE-2026-6734: Cross-origin request routing via SOCKS5 proxy pool reuse
     Medium severity:
     + CVE-2026-9678: Cross-user information disclosure via shared cache whit=
espace bypass
     + CVE-2026-9679: HTTP header injection via Set-Cookie percent-decoding
     Low severity:
     + CVE-2026-11525: Set-Cookie SameSite attribute downgrade
     + CVE-2026-6733: HTTP response queue poisoning via keep-alive socket reu=
se
   * Drop applied patch
   * Refresh patch
   * Drop another test (release.js)
Checksums-Sha1:
 78a6a44f6b223df03bcd01812f62a475e546d997 2696 node-undici_8.5.0+dfsg+~cs3.2.=
0-1.dsc
 1e975bdeff806d9ffb1cb822539a2d74b6b5ac17 40048 node-undici_8.5.0+dfsg+~cs3.2=
.0.orig-fastify-busboy.tar.xz
 b463f8fdbe5e05f5e3c7ef6fc7c183d093bf158e 697572 node-undici_8.5.0+dfsg+~cs3.=
2.0.orig.tar.xz
 d5c9d0a15f5337b74d90c2a798cc15f64d3a978a 215640 node-undici_8.5.0+dfsg+~cs3.=
2.0-1.debian.tar.xz
 7e7c763d97c11462161974141816658e0346f853 9600 node-undici_8.5.0+dfsg+~cs3.2.=
0-1_source.buildinfo
Checksums-Sha256:
 6fcc295a42341d9c507a3c28bf61858f6bb7c3915518ac73a403adbcc5cc72a7 2696 node-u=
ndici_8.5.0+dfsg+~cs3.2.0-1.dsc
 38d43f2df5ac3dcf51cc5a9866973fe5951f90bd44d9fab8dbf0dc2ed0f025f3 40048 node-=
undici_8.5.0+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
 442501c3d1f2b544bc329a3fff4ddd31551603a22ca95a4d881daab16e1a893b 697572 node=
-undici_8.5.0+dfsg+~cs3.2.0.orig.tar.xz
 8872039103fd48d532699d8bfb3c7d1068ab88d3b1bd03a3f13b79b48aec350d 215640 node=
-undici_8.5.0+dfsg+~cs3.2.0-1.debian.tar.xz
 e0d75408fe33fa2aa9ffe685905506c819f452bee6f8068b4dd659e05292d5b9 9600 node-u=
ndici_8.5.0+dfsg+~cs3.2.0-1_source.buildinfo
Files:
 795d7b17e4d53d76a644d19fb8aae97d 2696 javascript optional node-undici_8.5.0+=
dfsg+~cs3.2.0-1.dsc
 a03285069cc3d8477877fba2f1eabf2f 40048 javascript optional node-undici_8.5.0=
+dfsg+~cs3.2.0.orig-fastify-busboy.tar.xz
 dc06aa89058ef76e7ad54e8442ab188f 697572 javascript optional node-undici_8.5.=
0+dfsg+~cs3.2.0.orig.tar.xz
 0041adc72ab259924535e935b3548811 215640 javascript optional node-undici_8.5.=
0+dfsg+~cs3.2.0-1.debian.tar.xz
 da0b51ba2f5c198fac0a9c76b8fb7665 9600 javascript optional node-undici_8.5.0+=
dfsg+~cs3.2.0-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJGBAEBCAAwFiEEA8Tnq7iA9SQwbkgVZhHAXt0583QFAmo2nCgSHGthcG91ZXJA
bWVsaXgub3JnAAoJEGYRwF7dOfN0oBIQAIGi2gwzdGoMNGdMQ2VuqfiCTrHF2f1W
rXeaNpCuOAykmb6Uur3a4tVkxmIBKd8miyT5KxQXXm/e3jD3r/wXb9rxUNmYMaAR
4rfWYfF8X1Xx5Mq4cRhHgudJLEzsI3+WgzBEMFOeIa237GYT6EoQfYEqU3dlAB3U
uGJdI64BnWHvumD0IBAW6o1qf38pVI9xzm/Wm9ORpttMIzVgTaVawVBy1qEtpMVS
W6Yq7lU3Z2wCIpeuFoCnnIPvn2+cUDunOP2+Ko4KLtWOiCVwe4wlKqbDYBWRVJnB
geQn4vRjYywJhth1S5udKDPEAL2fwOfU0pMNwe8CsyjXTd5Z0BbzLDb19/TWaWbH
5nLVnhC6jfHxC4IsP0VAfLF5IuRVyI6L9l4EYf8bvUISEwJHuTbC/10Qs35Lnxs7
0OImdz4/b7EiqluQCw3DDbtD9RGIp7wDXrdvDkWpHPxmtyDjDXZw15QrWPCSCAG7
6PsUGIXbiHmKYQYF1OkREjfamkk8kOieoNrnrCShfp5wJ+havs/Q5aQ4aPSjmtzx
rr2UlLAsyQ6P+5YkjPu+8CO+J87Cl+6tP5XpT4SXUNXqqXqV8r/Rh+dhwMiORth1
hAL2vpEeo4lxhSYvpZk4lmCmlILXtn/WKeevMmyremscXaq67Gfa/S/8xPP8/tXY
JLDsMd3EO4M4
=3DrxsX
-----END PGP SIGNATURE-----


--===============7664739507837777214==
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----

iHUEABYIAB0WIQTziqJOuF8J+ZI8pJSb9qggYcy5IQUCajalBQAKCRCb9qggYcy5
IdfDAP45VVF+f42vhJ7ZMPM/BihdrY4yiK/0+bLX+a9vXRb3ugD+OVXKED1vTSsN
6MDwCZYgximkn5cbLAZxiBlZvcj6Zg0=
=PKTC
-----END PGP SIGNATURE-----

--===============7664739507837777214==--
]