XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:node-form-data
User: [email protected]
Usertags: pu
[ Reason ]
node-form-data is vulnerable to an insufficiently random values
vulnerability (#1109551, CVE-2025-7783)
[ Impact ]
Low level security issue
[ Tests ]
Test updated inside the patch
[ Risks ]
No risk, patch is trivial
[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable
[ Changes ]
- Replace the use of "Math.random" by builtin "crypto" module
- Launch more tests during build/autopkgtest
Cheers,
Xavier
diff --git a/debian/changelog b/debian/changelog
index 6f6f3d7..bf5e7c8 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+node-form-data (4.0.1-1+deb12u1) bookworm; urgency=medium
+
+ * Team upload
+ * Fix "Insufficiently Random Values vulnerability"
+ (Closes: #1109551, CVE-2025-778)
+ * Launch more tests
+
+ -- Yadd <
[email protected]> Thu, 24 Jul 2025 12:50:50 +0200
+
node-form-data (4.0.1-1) unstable; urgency=medium
* Team upload
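Review bot: The new changelog entry's `(Closes: #1109551, CVE-2025-778)` line drops the last digit of the CVE id; the request text and the patch file name `debian/patches/CVE-2025-7783.patch` both use CVE-2025-7783. Please correct it to CVE-2025-7783 before upload, otherwise anyone searching the changelog for the CVE id will not find this entry.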
diff --git a/debian/clean b/debian/clean
new file mode 100644
index 0000000..e72f68d
--- /dev/null
+++ b/debian/clean
@@ -0,0 +1 @@
+test/tmp/
diff --git a/debian/patches/CVE-2025-7783.patch b/debian/patches/CVE-2025-7783.patch
new file mode 100644
index 0000000..a8dc92b
--- /dev/null
+++ b/debian/patches/CVE-2025-7783.patch
@@ -0,0 +1,94 @@
+Description: Switch to using `crypto` random for boundary values
+Author: Ben Shonaldmann <
[email protected]>
+Origin: upstream,
https://github.com/form-data/form-data/commit/3d172308
+Bug: <upstream-bugtracker-url>
+Bug-Debian:
https://bugs.debian.org/1
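Review bot: The `Bug:` field in the header of debian/patches/CVE-2025-7783.patch still holds the template placeholder `<upstream-bugtracker-url>`. Either fill in the upstream issue or advisory URL or drop the field, since `Origin:` already points at the upstream commit.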