Version in base suite: 0.18.0+~cs1.19.1-3 Base version: node-send_0.18.0+~cs1.19.1-3 Target version: node-send_0.18.0+~cs1.19.1-3+deb12u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-send/node-send_0.18.0+~cs1.19.1-3.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-send/node-send_0.18.0+~cs1.19.1-3+deb12u1.dsc changelog | 6 ++++++ patches/CVE-2024-43799.patch | 43 +++++++++++++++++++++++++++++++++++++++++++ patches/series | 1 + 3 files changed, 50 insertions(+)
diff -Nru node-send-0.18.0+~cs1.19.1/debian/changelog node-send-0.18.0+~cs1.19.1/debian/changelog
--- node-send-0.18.0+~cs1.19.1/debian/changelog 2022-05-02 15:41:27.000000000 +0000
+++ node-send-0.18.0+~cs1.19.1/debian/changelog 2025-04-07 13:25:46.000000000 +0000
@@ -1,3 +1,9 @@
+node-send (0.18.0+~cs1.19.1-3+deb12u1) bookworm; urgency=medium
+
+ * Fix XSS issue (Closes: #1081483, CVE-2024-43799)
+
+ -- Yadd Mon, 07 Apr 2025 15:25:46 +0200
+
 node-send (0.18.0+~cs1.19.1-3) unstable; urgency=medium
 
 * Add Breaks: node-express < 4.18.1~
diff -Nru node-send-0.18.0+~cs1.19.1/debian/patches/CVE-2024-43799.patch node-send-0.18.0+~cs1.19.1/debian/patches/CVE-2024-43799.patch
--- node-send-0.18.0+~cs1.19.1/debian/patches/CVE-2024-43799.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-send-0.18.0+~cs1.19.1/debian/patches/CVE-2024-43799.patch 2025-04-07 13:25:46.000000000 +0000
@@ -0,0 +1,43 @@
+Description: fix XSS issue CVE-2024-43799
+Author: Ulises Gascón ,
+ Chris de Almeida
+Origin: upstream, https://github.com/pillarjs/send/commit/ae4f2989
+Bug: https://github.com/pillarjs/send/security/advisories/GHSA-m6fv-jmcg-4jfg
+Bug-Debian: https://bugs.debian.org/1081483
+Forwarded: not-needed
+Applied-Upstream: 0.19.0, commit:ae4f2989
+Reviewed-By: Yadd
+Last-Update: 2025-04-07
+
+--- a/index.js
++++ b/index.js
+@@ -482,8 +482,7 @@
+ }
+
+ var loc = encodeUrl(collapseLeadingSlashes(this.path + '/'))
+- var doc = createHtmlDocument('Redirecting', 'Redirecting to ' +
+- escapeHtml(loc) + '')
++ var doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
+
+ // redirect
+ res.statusCode = 301
+--- a/test/send.js
++++ b/test/send.js
+@@ -358,7 +358,7 @@
+ .get('/pets')
+ .expect('Location', '/pets/')
+ .expect('Content-Type', /html/)
+- .expect(301, />Redirecting to \/pets\/<\/a>Redirecting to \/pets\/Redirecting to \/snow%20%E2%98%83\/<\/a>Redirecting to \/snow%20%E2%98%83\/