#1010383 bullseye-pu: package node-ejs/2.5.7-3+deb11u1

#1010383#5
Date:
2022-04-30 07:11:21 UTC
From:
To:
[ Reason ]
node-ejs is vulnerable to server-side template injection
(CVE-2022-29078, #1010359) and probably to prototype pollution.

[ Impact ]
Medium security issue

[ Tests ]
New test added, confirms that the issue is fixed

[ Risks ]
Low risk, code is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
 * Replace {} by `new Object`
 * check localsName value

Cheers,
Yadd

#1010383#10
Date:
2022-05-28 19:13:40 UTC
From:
To:
Control: tags -1 + confirmed

Please go ahead.

Regards,

Adam

#1010383#17
Date:
2022-05-29 18:18:56 UTC
From:
To:
package release.debian.org
tags 1010383 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: node-ejs
Version: 2.5.7-3+deb11u1

Explanation: fix server-side template injection issue [CVE-2022-29078]

#1010383#27
Date:
2022-05-31 20:13:23 UTC
From:
To:
Hi Yadd,
tried three times). Can you have a look and check if it's serious?

Paul

https://ci.debian.net/packages/n/node-nodeunit/stable/ppc64el/

test-httputil
✔ testHttpUtilBasics
Error: connect ECONNREFUSED 127.0.0.1:3000
     at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1138:16)
     at TCPConnectWrap.callbackTrampoline (internal/async_hooks.js:126:14)

FAILURES: Undone tests (or their setups/teardowns): 
- testHttpUtilJsonHandling

#1010383#35
Date:
2022-05-31 21:09:35 UTC
From:
To:
Hi,

Thanks for the report, I'll test this tomorrow.

Cheers.
Yadd

On 31 May 2022 22:13:23 GMT+02:00, Paul Gevers <elbrus@debian.org> wrote:

#1010383#48
Date:
2022-06-01 04:10:57 UTC
From:
To:
Hi Paul,

it seems that test uses port 3000 and your machine probably also uses
this port for something else. You just have to set the PORT environment
variable to have this test succeed (easy to add in
debian/tests/pkg-js/test).

I also tested locally, no problem to build & test node-ejs and
node-nodeunit.

So these failures are related to the node-nodeunit test only, not related to
node-ejs changes.

Cheers,
Yadd

#1010383#53
Date:
2022-06-01 19:02:26 UTC
From:
To:
Hi Yadd,

While this may be so, why does the test pass without the new node-ejs
and fail with the new node-ejs then? There has not been one failure
before the new node-ejs and no run with node-ejs has passed yet, on ppc64el.

You have ppc64el available, wow. The issue isn't present on any other
arch, only on ppc64el in stable. Although I must admit that now that I look
at other suites, I do find that the test fails once in a while. Could be
just extremely bad luck.

Paul

#1010383#58
Date:
2022-07-09 10:47:43 UTC
From:
To:
(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye
point release.

Regards,

Adam