[Pkg-javascript-devel] Bug#1102310: bookworm-pu: package node-send/0.18.0+~cs1.19.1-3+deb12u1

Mon Apr 7 14:28:30 BST 2025

Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: node-send at packages.debian.org, yadd at debian.org
Control: affects -1 + src:node-send
User: release.debian.org at packages.debian.org
Usertags: pu

[ Reason ]
node-send is vulnerable to XSS issue (#1081483, CVE-2024-43799)0

[ Impact ]
Medium security issue

[ Tests ]
Test updated in patch

[ Risks ]
Low risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Don't insert data from user into HTML code

Cheers,
Xavier
-------------- next part --------------

diff --git a/debian/changelog b/debian/changelog
index 09bf7b8..0e87b9c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+node-send (0.18.0+~cs1.19.1-3+deb12u1) bookworm; urgency=medium
+
+  * Fix XSS issue (Closes: #1081483, CVE-2024-43799)
+
+ -- Yadd <yadd at debian.org>  Mon, 07 Apr 2025 15:25:46 +0200
+
 node-send (0.18.0+~cs1.19.1-3) unstable; urgency=medium
 
   * Add Breaks: node-express < 4.18.1~
diff --git a/debian/patches/CVE-2024-43799.patch b/debian/patches/CVE-2024-43799.patch
new file mode 100644
index 0000000..b0e8cd7
--- /dev/null
+++ b/debian/patches/CVE-2024-43799.patch
@@ -0,0 +1,43 @@
+Description: fix XSS issue CVE-2024-43799
+Author: Ulises Gasc?n <https://github.com/UlisesGascon>,
+ Chris de Almeida <https://github.com/ctcpip>
+Origin: upstream, https://github.com/pillarjs/send/commit/ae4f2989
+Bug: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
+Bug-Debian: https://bugs.debian.org/1081483
+Forwarded: not-needed
+Applied-Upstream: 0.19.0, commit:ae4f2989
+Reviewed-By: Yadd <yadd at debian.org>
+Last-Update: 2025-04-07
+
+--- a/index.js
++++ b/index.js
+@@ -482,8 +482,7 @@
+   }
+ 
+   var loc = encodeUrl(collapseLeadingSlashes(this.path + '/'))
+-  var doc = createHtmlDocument('Redirecting', 'Redirecting to <a href="' + escapeHtml(loc) + '">' +
+-    escapeHtml(loc) + '</a>')
++  var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
+ 
+   // redirect
+   res.statusCode = 301
+--- a/test/send.js
++++ b/test/send.js
+@@ -358,7 +358,7 @@
+         .get('/pets')
+         .expect('Location', '/pets/')
+         .expect('Content-Type', /html/)
+-        .expect(301, />Redirecting to <a href="\/pets\/">\/pets\/<\/a></, done)
++        .expect(301, />Redirecting to \/pets\/</, done)
+     })
+ 
+     it('should respond with default Content-Security-Policy', function (done) {
+@@ -386,7 +386,7 @@
+         .get('/snow')
+         .expect('Location', '/snow%20%E2%98%83/')
+         .expect('Content-Type', /html/)
+-        .expect(301, />Redirecting to <a href="\/snow%20%E2%98%83\/">\/snow%20%E2%98%83\/<\/a></, done)
++        .expect(301, />Redirecting to \/snow%20%E2%98%83\/</, done)
+     })
+   })
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 5fe0e4c..e454667 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
 disable-failing-test.patch
 fix-for-mime-2.patch
+CVE-2024-43799.patch
