[Pkg-javascript-devel] Bug#1033250: Bug#1033250: node-request: CVE-2023-28155
Pirate Praveen
praveen at onenetbeyond.org
Tue Mar 21 06:35:15 GMT 2023
On Mon, Mar 20 2023 at 07:34:33 PM +01:00:00 +01:00:00, Moritz Mühlenhoff <jmm at inutil.org> wrote:
> Source: node-request
> X-Debbugs-CC: team at security.debian.org
> Severity: normal
> Tags: security
>
> Hi,
>
> The following vulnerability was published for node-request.
>
> CVE-2023-28155[0]:
> | ** UNSUPPORTED WHEN ASSIGNED ** The Request package through 2.88.1 for
> | Node.js allows a bypass of SSRF mitigations via an attacker-controlled
> | server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to
> | HTTP). NOTE: This vulnerability only affects products that are no
> | longer supported by the maintainer.
>
> https://github.com/request/request/issues/3442 was reported, but seems
> the module is EOLed, so maybe we should be looking into retiring it
> for trixie?
>
$ reverse-depends node-request
Reverse-Depends
===============
* node-jsonld
* node-matrix-js-sdk
* yarnpkg
For yarnpkg, we are trying to remove the dependency on node-request,
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=980316#43
(hopefully we will be able to remove it for trixie).
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2023-28155
> https://www.cve.org/CVERecord?id=CVE-2023-28155
>
> Please adjust the affected versions in the BTS as needed.
>