Version in base suite: 1.13.1-1
Base version: node-follow-redirects_1.13.1-1
Target version: node-follow-redirects_1.13.1-1+deb11u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-follow-redirects/node-follow-redirects_1.13.1-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-follow-redirects/node-follow-redirects_1.13.1-1+deb11u1.dsc
 changelog | 8 +++
 patches/CVE-2022-0155.patch | 22 +++++++++
 patches/CVE-2022-0536.patch | 99 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series | 2
 4 files changed, 131 insertions(+)
diff -Nru node-follow-redirects-1.13.1/debian/changelog node-follow-redirects-1.13.1/debian/changelog
--- node-follow-redirects-1.13.1/debian/changelog 2020-12-15 11:16:12.000000000 +0000
+++ node-follow-redirects-1.13.1/debian/changelog 2022-02-12 11:05:01.000000000 +0000
@@ -1,3 +1,11 @@
+node-follow-redirects (1.13.1-1+deb11u1) bullseye; urgency=medium
+
+ * Team upload
+ * Drop Cookie header across domains (Closes: CVE-2022-0155)
+ * Drop confidential headers across schemes (Closes: CVE-2022-0536)
+
+ -- Yadd Sat, 12 Feb 2022 12:05:01 +0100
+
 node-follow-redirects (1.13.1-1) unstable; urgency=medium
 
 * Team upload
diff -Nru node-follow-redirects-1.13.1/debian/patches/CVE-2022-0155.patch node-follow-redirects-1.13.1/debian/patches/CVE-2022-0155.patch
--- node-follow-redirects-1.13.1/debian/patches/CVE-2022-0155.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-follow-redirects-1.13.1/debian/patches/CVE-2022-0155.patch 2022-02-12 11:05:01.000000000 +0000
@@ -0,0 +1,22 @@
+Description: Drop Cookie header across domains.
+Author: Ruben Verborgh
+Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/8b347cbc
+Bug: https://github.com/follow-redirects/follow-redirects/issues/183
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-01-11
+
+--- a/index.js
++++ b/index.js
+@@ -345,9 +345,9 @@
+ var redirectUrlParts = url.parse(redirectUrl);
+ Object.assign(this._options, redirectUrlParts);
+ 
+- // Drop the Authorization header if redirecting to another host
++ // Drop the confidential headers when redirecting to another domain
+ if (redirectUrlParts.hostname !== previousHostName) {
+- removeMatchingHeaders(/^authorization$/i, this._options.headers);
++ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ }
+ 
+ // Evaluate the beforeRedirect callback
diff -Nru node-follow-redirects-1.13.1/debian/patches/CVE-2022-0536.patch node-follow-redirects-1.13.1/debian/patches/CVE-2022-0536.patch
--- node-follow-redirects-1.13.1/debian/patches/CVE-2022-0536.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-follow-redirects-1.13.1/debian/patches/CVE-2022-0536.patch 2022-02-12 11:05:01.000000000 +0000
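Review bot: `redirectUrlParts.hostname !== previousHostName` compares a hostname that `url.parse` has lowercased and stripped of its port against `previousHostName`, which — per the `- var previousHostName = removeMatchingHeaders(/^host$/i, ...) || url.parse(this._currentUrl).hostname;` context that CVE-2022-0536.patch later rewrites at line 335, outside this hunk — appears to be the client's Host header verbatim when one was sent, so `Host: Example.com` or `Host: example.com:8080` makes a same-host redirect look cross-host and drops Authorization and Cookie. That fails closed, so it is not a regression in the security sense, but it deserves a comment so the next reader does not "fix" it, e.g. `// Host header is compared as sent; a case or port mismatch drops the headers (fail closed)`. This patch also ships no test for the new Cookie case; the Authorization/Cookie cases only arrive in CVE-2022-0536.patch, so a test for this change alone (redirect to another host, then `assert.equal(body.cookie, undefined);`) would let the two patches be applied or reverted independently under the suite. The enclosing method starts and ends outside the hunk.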
@@ -0,0 +1,99 @@
+Description: Drop confidential headers across schemes
+Author: Ruben Verborgh
+Origin: upstream, https://github.com/follow-redirects/follow-redirects/commit/62e546a9
+Bug: https://github.com/advisories/GHSA-pw2r-vq6v-hr8c
+Forwarded: not-needed
+Reviewed-By: Yadd
+Last-Update: 2022-02-12
+
+--- a/index.js
++++ b/index.js
+@@ -335,8 +335,9 @@
+ }
+ 
+ // Drop the Host header, as the redirect might lead to a different host
+- var previousHostName = removeMatchingHeaders(/^host$/i, this._options.headers) ||
+- url.parse(this._currentUrl).hostname;
++ var currentHostHeader = removeMatchingHeaders(/^host$/i, this._options.headers);
++ var currentUrlParts = url.parse(this._currentUrl);
++ var currentHost = currentHostHeader || currentUrlParts.host;
+ 
+ // Create the redirected request
+ var redirectUrl = url.resolve(this._currentUrl, location);
+@@ -345,8 +346,10 @@
+ var redirectUrlParts = url.parse(redirectUrl);
+ Object.assign(this._options, redirectUrlParts);
+ 
+- // Drop the confidential headers when redirecting to another domain
+- if (redirectUrlParts.hostname !== previousHostName) {
++ // Drop the Host header, as the redirect might lead to a different host
++ // Drop confidential headers when redirecting to another scheme:domain
++ if (redirectUrlParts.protocol !== currentUrlParts.protocol ||
++ !isSameOrSubdomain(redirectUrlParts.host, currentHost)) {
+ removeMatchingHeaders(/^(?:authorization|cookie)$/i, this._options.headers);
+ }
+ 
+@@ -499,6 +502,14 @@
+ return CustomError;
+ }
+ 
++function isSameOrSubdomain(subdomain, domain) {
++ if (subdomain === domain) {
++ return true;
++ }
++ const dot = subdomain.length - domain.length - 1;
++ return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
++}
++
+ // Exports
+ module.exports = wrap({ http: http, https: https });
+ module.exports.wrap = wrap;
+--- a/test/test.js
++++ b/test/test.js
+@@ -730,6 +730,38 @@
+ });
+ });
+ });
++
++ });
++
++ [
++ "Authorization",
++ "Cookie",
++ ].forEach(function (header) {
++ describe("when the client passes an header named " + header, function () {
++ it("ignores it when null", function () {
++ app.get("/a", redirectsTo(302, "http://localhost:3600/b"));
++ app.get("/b", function (req, res) {
++ res.end(JSON.stringify(req.headers));
++ });
++
++ var opts = url.parse("http://127.0.0.1:3600/a");
++ opts.headers = { host: "localhost" };
++ opts.headers[header] = null;
++
++ return server.start(app)
++ .then(asPromise(function (resolve, reject) {
++ http.get(opts, resolve).on("error", reject);
++ }))
++ .then(asPromise(function (resolve, reject, res) {
++ res.pipe(concat({ encoding: "string" }, resolve)).on("error", reject);
++ }))
++ .then(function (str) {
++ var body = JSON.parse(str);
++ assert.equal(body.host, "localhost:3600");
++ assert.equal(body[header.toLowerCase()], undefined);
++ });
++ });
++ });
+ });
+ 
+ describe("should switch to safe methods when appropriate", function () {
+@@ -1237,7 +1269,6 @@
+ .then(function (str) {
+ var body = JSON.parse(str);
+ assert.equal(body.host, "localhost:3600");
+- assert.equal(body.authorization, "bearer my-token-1234");
+ });
+ });
+ 
diff -Nru node-follow-redirects-1.13.1/debian/patches/series node-follow-redirects-1.13.1/debian/patches/series
--- node-follow-redirects-1.13.1/debian/patches/series 2020-12-15 11:12:00.000000000 +0000
+++ node-follow-redirects-1.13.1/debian/patches/series 2022-02-12 11:05:01.000000000 +0000
@@ -1 +1,3 @@
 fix-test.patch
+CVE-2022-0155.patch
+CVE-2022-0536.patch
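Review bot: `!isSameOrSubdomain(redirectUrlParts.host, currentHost)` in the second index.js hunk compares `url.parse`'s lowercased `host` (port included) against `currentHost`, which is the client's Host header verbatim whenever one was sent, so `Host: localhost` followed by a redirect to `http://localhost:3600/b` counts as cross-domain and Authorization and Cookie are dropped; the deleted `assert.equal(body.authorization, "bearer my-token-1234");` at `@@ -1237,7 +1269,6 @@` looks like exactly that effect, though that test's request options are outside the hunk. Failing closed is the safe direction, but deleting the assertion leaves the test silent on the header's fate; asserting the outcome actually intended there (`assert.equal(body.authorization, undefined);` if dropping is the policy) would pin it, and the added `"ignores it when null"` cases cannot stand in for it because they send the header as null. `isSameOrSubdomain` deserves a one-line header such as `// true when subdomain === domain or subdomain ends in "." + domain; case-sensitive, port kept`, and its `const dot` is the only `const` in a file that otherwise uses `var`. The added `// Drop the Host header, as the redirect might lead to a different host` line above `// Drop confidential headers when redirecting to another scheme:domain` repeats the comment already at the `removeMatchingHeaders(/^host$/i, ...)` site in the first hunk and describes nothing below it, so it should go. The enclosing method starts and ends outside each index.js hunk.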