
Re: node-thenify


If sponsored packages are already handled, and we have time to fix this package, I think we can fix it.

I think we need to evaluate a package's usage only when fixing is problematic (time constraints, backport issues, uncooperative upstream...). Package usage would then be used, among other elements, to make a decision about supporting the package further.

That doesn't appear to be the case here, so I'll add it to dla-needed.txt.


On 09/09/2022 23:45, Ola Lundqvist wrote:
Hi fellow LTS contributors,

It is this kind of question again. "Is it worth it?".

We have CVE-2020-7677 on node-thenify.

According to popcon we have three installations. That is of course a low-end number since popcon only counts the popcon users, but anyway it indicates that the installation number is really low. It is in fact the lowest popcon score I have seen so far.

Then about the vulnerability itself. It is an arbitrary code execution, but it is on the client side, and the user has to get some code injected into it that is passed to this function. This means you have to find some other code that uses this functionality and in some way pass it through. It can be done, but the likelihood is lower.

Further I can see that node-* packages were unsupported in stretch. They seem to be in buster however.

Quite a lot of node-* packages have fairly severe issues declared as minor issues. I could not find any arbitrary code execution vulnerabilities though.

So my question is, should we fix node-thenify?

I guess so but I want to raise the question.
