- Package: release.debian.org
- Source: release.debian.org
- Submitter: Yadd
- Date: 2022-07-09 10:52:14 UTC
- Severity: normal
- Tags:
[ Reason ]
node-ejs is vulnerable to server-side template injection
(CVE-2022-29078, #1010359) and probably to prototype pollution.
[ Impact ]
Medium security issue
[ Tests ]
New test added, confirms that issue is fixed
[ Risks ]
Low risk, code is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
* Replace {} by `new Object`
* check localsName value
Cheers,
Yadd
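As an added example (not node-ejs's code and not the Debian patch), a hypothetical mini template compiler that shows the kind of guard the "check localsName value" change describes, plus own-property option reads as a defence against the prototype pollution the report mentions; the names `compileTemplate` and `isValidLocalsName` and the `<%= expr %>`-only syntax are assumptions.

```javascript
// Added example, not code from node-ejs or the Debian patch. In an EJS-style
// engine the `localsName` option becomes the parameter name of the generated
// render function, so a "check localsName value" guard must reject anything
// that is not a bare identifier before it is spliced into code. The
// mini-compiler below is hypothetical and supports only `<%= expr %>` tags.

const JS_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;

// True only for a single JavaScript identifier (no spaces, punctuation, etc.).
function isValidLocalsName(name) {
  return typeof name === 'string' && JS_IDENTIFIER.test(name);
}

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Compile a template into a render function. Options are read as own
// properties only, so a value planted on Object.prototype (prototype
// pollution) is never mistaken for one the caller set.
function compileTemplate(template, opts) {
  const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
  const localsName = own(opts, 'localsName') ? opts.localsName : 'locals';
  if (!isValidLocalsName(localsName)) {
    throw new Error('localsName is not a valid JavaScript identifier');
  }
  let body = 'var __out = "";\n';
  let last = 0;
  const tag = /<%=([\s\S]*?)%>/g;
  let m;
  while ((m = tag.exec(template)) !== null) {
    body += '__out += ' + JSON.stringify(template.slice(last, m.index)) + ';\n';
    body += '__out += escapeFn(' + m[1].trim() + ');\n';
    last = m.index + m[0].length;
  }
  body += '__out += ' + JSON.stringify(template.slice(last)) + ';\nreturn __out;';
  // Using localsName as a parameter name is safe only because it was checked above.
  const fn = new Function(localsName, 'escapeFn', body);
  return (data) => fn(data, escapeHtml);
}

// Usage: the default parameter name is `locals`, so expressions reference locals.*
const render = compileTemplate('<p><%= locals.title %></p>', {});
console.log(render({ title: 'a<b' }));
```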
Control: tags -1 + confirmed

Please go ahead.

Regards,
Adam
package release.debian.org
tags 1010383 = bullseye pending
thanks

Hi,

The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bullseye.

Thanks for your contribution!

Upload details
==============

Package: node-ejs
Version: 2.5.7-3+deb11u1
Explanation: fix server-side template injection issue [CVE-2022-29078]
Hi Yadd,

tried three times). Can you have a look and check if it's serious?

Paul

https://ci.debian.net/packages/n/node-nodeunit/stable/ppc64el/

test-httputil
✔ testHttpUtilBasics
Error: connect ECONNREFUSED 127.0.0.1:3000
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1138:16)
    at TCPConnectWrap.callbackTrampoline (internal/async_hooks.js:126:14)
FAILURES: Undone tests (or their setups/teardowns):
- testHttpUtilJsonHandling
Hi,

Thanks for the report, I'll test this tomorrow.

Cheers.
Yadd

On 31 May 2022 22:13:23 GMT+02:00, Paul Gevers <elbrus@debian.org> wrote:
Hi Paul,

it seems that test uses port 3000 and your machine probably also uses this port for something else. You just have to set the PORT environment variable to have this test succeed (easy to add in debian/tests/pkg-js/test).

I also tested locally, no problem to build & test node-ejs and node-nodeunit. So these failures are related to the node-nodeunit test only, not related to node-ejs changes.

Cheers,
Yadd
Hi Yadd,

While this may be so, why does the test pass without the new node-ejs and fail with the new node-ejs then? There has not been one failure before the new node-ejs and no run with node-ejs has passed yet, on ppc64el. You have ppc64el available, wow.

The issue isn't present on any other arch, only on ppc64el in stable. Although I must admit that now I look at other suites, I do find that the test fails once in a while. Could be just extremely bad luck.

Paul
(re-sending with fixed bug numbers)

Hi,

The updates discussed in these bugs were included in today's bullseye point release.

Regards,
Adam