
Bug#993708: bullseye-pu: package node-axios/0.21.1+dfsg-1+deb11u1



Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian.org@packages.debian.org
Usertags: pu

[ Reason ]
node-axios is vulnerable to a Regex Denial of Service

[ Impact ]
Little vulnerability

[ Tests ]
Test passed

[ Risks ]
No risk, patch is trivial

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
Regex update

Cheers,
Yadd
diff --git a/debian/changelog b/debian/changelog
index 17d3b55..5db1f2c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+node-axios (0.21.1+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload
+  * Fix ReDoS (Closes: CVE-2021-3749)
+
+ -- Yadd <yadd@debian.org>  Sun, 05 Sep 2021 08:28:15 +0200
+
 node-axios (0.21.1+dfsg-1) unstable; urgency=medium
 
   * Team upload
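Review bot: `Closes: CVE-2021-3749` in the new changelog entry misuses the `Closes:` keyword, which Debian's changelog tooling reserves for bug numbers of the form `#NNNNNN`; the CVE should be cited bare so the security tracker and reviewers can match it. Suggest `  * Fix ReDoS (CVE-2021-3749)`.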
diff --git a/debian/patches/CVE-2021-3749.patch b/debian/patches/CVE-2021-3749.patch
new file mode 100644
index 0000000..1c99a9b
--- /dev/null
+++ b/debian/patches/CVE-2021-3749.patch
@@ -0,0 +1,19 @@
+Description: fix ReDoS
+Author: ready-research <72916209+ready-research@users.noreply.github.com>
+Origin: upstream, https://github.com/axios/axios/commit/eef56014
+Bug: https://github.com/axios/axios/pull/3980
+Forwarded: not-needed
+Reviewed-By: Yadd <yadd@debian.org>
+Last-Update: 2021-09-05
+
+--- a/lib/utils.js
++++ b/lib/utils.js
+@@ -187,7 +187,7 @@
+  * @returns {String} The String freed of excess whitespace
+  */
+ function trim(str) {
+-  return str.replace(/^\s*/, '').replace(/\s*$/, '');
++    return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');
+ }
+ 
+ /**
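Review bot: the added line in the `lib/utils.js` hunk is indented four spaces while the removed line and the surrounding body of `trim` use two, so the patched function body is misaligned; drop the extra indentation, i.e. `  return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');`. Two further points on the same hunk: the fallback `str.replace(/^\s+|\s+$/g, '')` keeps an unanchored `\s+$` tail just like the removed `/\s*$/`, so it still backtracks quadratically on a long run of whitespace that does not end the string; this is harmless here because `String.prototype.trim` exists in every Node.js release and the fallback branch never executes, but that is worth a sentence in the patch header. Also, the DEP-3 `Description: fix ReDoS` should name the CVE, e.g. `Description: fix ReDoS (CVE-2021-3749)`, since the file name is currently the only place it appears.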
diff --git a/debian/patches/series b/debian/patches/series
index 7133bc2..84cf811 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ use-webpack3.patch
 use-webpack4.patch
 fix-bootstrap-path.diff
 adapt-example.diff
+CVE-2021-3749.patch
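The report's [ Reason ] says only that the old `trim` is a Regex Denial of Service. The following is an added example, not part of the report or of axios upstream, that shows why: it copies the removed and added lines of the patch into two functions, builds the pathological input (a non-space character, a long run of whitespace, another non-space character, so that the anchored `^\s*` cannot shortcut the work), and times them. It assumes Node.js (`process.hrtime.bigint` for timing); the names `trimOld`, `trimNew`, `trimFallback`, `redosInput` and `benchmark` are this example's own.

```javascript
// Added example, not from the Debian report or from axios upstream.
// Assumes Node.js (process.hrtime.bigint for timing).

// Old implementation: the line the patch removes from lib/utils.js.
function trimOld(str) {
  return str.replace(/^\s*/, '').replace(/\s*$/, '');
}

// Patched implementation: the line the patch adds.
function trimNew(str) {
  return str.trim ? str.trim() : str.replace(/^\s+|\s+$/g, '');
}

// The patched code's regex fallback in isolation, so it can be timed.
// Every Node.js release has String.prototype.trim, so trimNew never
// reaches this branch; it is timed here to show it is still quadratic.
function trimFallback(str) {
  return str.replace(/^\s+|\s+$/g, '');
}

// Constructed pathological input: non-space, n spaces, non-space.
// The leading 'x' defeats the anchored /^\s*/, so all the work falls on
// the unanchored /\s*$/: the engine attempts a match at each of the n
// positions in the run, greedily eats the spaces up to the final 'x',
// fails on $, then backtracks one space at a time. That is O(n) per
// start position, O(n^2) overall. Native trim() scans linearly from
// each end of the string.
function redosInput(n) {
  return 'x' + ' '.repeat(n) + 'x';
}

// Wall-clock milliseconds for one call of fn(input).
function timeMs(fn, input) {
  const t0 = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Time all three implementations on each size; returns one row per n.
function benchmark(sizes) {
  return sizes.map((n) => {
    const input = redosInput(n);
    return {
      n,
      old: timeMs(trimOld, input),
      fallback: timeMs(trimFallback, input),
      patched: timeMs(trimNew, input),
    };
  });
}

// Doubling n roughly quadruples 'old' and 'fallback'; 'patched' stays flat.
for (const row of benchmark([2000, 4000, 8000])) {
  console.log(
    `n=${row.n}: old=${row.old.toFixed(1)}ms ` +
      `fallback=${row.fallback.toFixed(1)}ms patched=${row.patched.toFixed(3)}ms`,
  );
}
```

Run it with `node` and watch the `old` and `fallback` columns grow roughly fourfold per doubling of n while `patched` stays in the microsecond range. The fallback's first alternative `^\s+` is anchored, which is why the input must not start with whitespace to trigger the backtracking in the `\s+$` alternative; the same holds for the removed `/\s*$/`, since the old code strips leading whitespace with the anchored `/^\s*/` first.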
