[Pkg-javascript-devel] Bug#970173: Bug#970173: node-fetch: CVE-2020-15168
Xavier
yadd at debian.org
Sun Sep 13 16:29:56 BST 2020
Le 12/09/2020 à 15:33, Salvatore Bonaccorso a écrit :
> Source: node-fetch
> Version: 1.7.3-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
> Control: found -1 1.7.3-1
>
> Hi,
>
> The following vulnerability was published for node-fetch.
>
> CVE-2020-15168[0]:
> | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
> | size option after following a redirect, which means that when a
> | content size was over the limit, a FetchError would never get thrown
> | and the process would end without failure. For most people, this fix
> | will have a little or no impact. However, if you are relying on node-
> | fetch to gate files above a size, the impact could be significant, for
> | example: If you don't double-check the size of the data after fetch()
> | has completed, your JS thread could get tied up doing work on a large
> | file (DoS) and/or cost you money in computing.
>
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-15168
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
> [1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
>
> Regards
> Salvatore
Hi,
the upstream patches
(https://github.com/node-fetch/node-fetch/commit/2358a6c2 or
https://github.com/node-fetch/node-fetch/commit/eaff0094) seem not easy
to backport to 1.7.3 without major changes. I think we should keep this
minor bug unfixed in buster.
Cheers,
Xavier
More information about the Pkg-javascript-devel
mailing list