
Re: node-thenify

Sounds good. I agree. It was a fairly small fix.
It sounds like a good approach to check usage only when it is a complicated fix.

// Ola

On Mon, 12 Sept 2022 at 13:46, Sylvain Beucler <beuc@beuc.net> wrote:

If sponsored packages are already handled, and we have time to fix this
package, and I think we can fix it.

I think we need to evaluate a package's usage only when fixing is
problematic (time constraints, backport issues, uncooperative
upstream...). Package usage would then be used among other elements to
make a decision about supporting the package further.

That doesn't appear to be the case here, so I'll add it to dla-needed.txt.


On 09/09/2022 23:45, Ola Lundqvist wrote:
> Hi fellow LTS contributors
> It is this kind of question again. "Is it worth it?".
> We have CVE-2020-7677 on node-thenify.
> According to popcon we have three installations. That is of course a
> lower end number since popcon only counts the popcon users, but anyway
> it indicates that the installation number is really low. It is in fact
> the lowest popcon score I have seen so far.
> Then about the vulnerability itself. It is an arbitrary code execution,
> but it is on the client side, and the user has to get some code injected
> into it that is passed to this function. This means you have to find
> some other code that uses this functionality and in some way passes it
> through. It can be done but the likelihood is lower.
> Further I can see that node-* packages were unsupported in stretch. They
> seem to be in buster however.
> Quite a lot of node-* packages have fairly severe issues declared as
> minor issues. I could not find any arbitrary code execution
> vulnerabilities though.
> So my question is, should we fix node-thenify?
> I guess so but I want to raise the question.

 --- Inguza Technology AB --- MSc in Information Technology ----
|  ola@inguza.com                    opal@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
