Version in base suite: 0~2024040606-6
Base version: node-proxy-agents_0~2024040606-6
Target version: node-proxy-agents_0~2024040606-6+deb13u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/n/node-proxy-agents/node-proxy-agents_0~2024040606-6.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/n/node-proxy-agents/node-proxy-agents_0~2024040606-6+deb13u1.dsc
 changelog | 7 +++++++
 patches/CVE-2026-27699.patch | 32 ++++++++++++++++++++++++++++++++
 patches/series | 1 +
 3 files changed, 40 insertions(+)
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmplq5t5uo_/node-proxy-agents_0~2024040606-6.dsc: no acceptable signature found
dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmplq5t5uo_/node-proxy-agents_0~2024040606-6+deb13u1.dsc: no acceptable signature found
diff -Nru node-proxy-agents-0~2024040606/debian/changelog node-proxy-agents-0~2024040606/debian/changelog
--- node-proxy-agents-0~2024040606/debian/changelog 2025-05-20 08:05:31.000000000 +0000
+++ node-proxy-agents-0~2024040606/debian/changelog 2026-02-27 06:58:26.000000000 +0000
@@ -1,3 +1,10 @@
+node-proxy-agents (0~2024040606-6+deb13u1) trixie; urgency=medium
+
+ * Team upload
+ * Fix basic-ftp traversal vulnerability (Closes: #1129093, CVE-2026-27699)
+
+ -- Yadd Fri, 27 Feb 2026 07:58:26 +0100
+
 node-proxy-agents (0~2024040606-6) unstable; urgency=medium
 
 * Team upload
diff -Nru node-proxy-agents-0~2024040606/debian/patches/CVE-2026-27699.patch node-proxy-agents-0~2024040606/debian/patches/CVE-2026-27699.patch
--- node-proxy-agents-0~2024040606/debian/patches/CVE-2026-27699.patch 1970-01-01 00:00:00.000000000 +0000
+++ node-proxy-agents-0~2024040606/debian/patches/CVE-2026-27699.patch 2026-02-27 06:58:26.000000000 +0000
@@ -0,0 +1,32 @@
+From: Patrick Juchli
+Date: feb., 23 2026 09:01:12 +0100
+Subject: [PATCH] Skip invalid filenames
+Origin: upstream, https://github.com/patrickjuchli/basic-ftp/commit/2a2a0e65
+Bug: https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-5rq4-664w-9x2c
+Bug-Debian: https://bugs.debian.org/1129093
+Forwarded: not-needed
+Applied-Upstream: 5.2.0, commit:2a2a0e65
+Reviewed-By: Yadd
+
+--- a/basic-ftp/src/Client.ts
++++ b/basic-ftp/src/Client.ts
+@@ -1,5 +1,5 @@
+ import { createReadStream, createWriteStream, mkdir, readdir, stat, open, close, unlink } from "fs"
+-import { join } from "path"
++import { basename, join } from "path"
+ import { Readable, Writable } from "stream"
+ import { connect as connectTLS, ConnectionOptions as TLSConnectionOptions } from "tls"
+ import { promisify } from "util"
+@@ -694,6 +694,12 @@
+ protected async _downloadFromWorkingDir(localDirPath: string): Promise {
+ await ensureLocalDirectory(localDirPath)
+ for (const file of await this.list()) {
++ const hasInvalidName = !file.name || basename(file.name) !== file.name
++ if (hasInvalidName) {
++ const safeName = JSON.stringify(file.name)
++ this.ftp.log(`Invalid filename from server listing, will skip file. (${safeName})`)
++ continue
++ }
+ const localPath = join(localDirPath, file.name)
+ if (file.isDirectory) {
+ await this.cd(file.name)
diff -Nru node-proxy-agents-0~2024040606/debian/patches/series node-proxy-agents-0~2024040606/debian/patches/series
--- node-proxy-agents-0~2024040606/debian/patches/series 2025-05-20 08:03:54.000000000 +0000
+++ node-proxy-agents-0~2024040606/debian/patches/series 2026-02-27 06:58:26.000000000 +0000
@@ -3,3 +3,4 @@
 tsc-workaround.patch
 0004-Use-modern-lru-cache.patch
 0005-get-uri-compilation.patch
+CVE-2026-27699.patch
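Review bot: The `hasInvalidName` check added to `_downloadFromWorkingDir` in basic-ftp/src/Client.ts still accepts the names `.` and `..`, because `basename()` returns both unchanged, so `basename(file.name) !== file.name` is false for them and `join(localDirPath, file.name)` can still resolve to the parent of the download directory. Whether `this.list()` already drops those entries for every listing format is not visible in this hunk, so the guard should reject them itself: `const hasInvalidName = !file.name || file.name === "." || file.name === ".." || basename(file.name) !== file.name`. The loop body continues past the end of the hunk, so the handling of `file.isDirectory` and `this.cd(file.name)` could not be checked here.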