Hi,
If sponsored packages are already handled and we have time to fix this
package, then I think we can fix it.
I think we need to evaluate a package's usage only when fixing is
problematic (time constraints, backport issues, uncooperative
upstream...). Package usage would then be used among other elements to
make a decision about supporting the package further.
That doesn't appear to be the case here, so I'll add it to dla-needed.txt.
Cheers!
Sylvain
On 09/09/2022 23:45, Ola Lundqvist wrote:
> Hi fellow LTS contributors
>
> It is this kind of question again. "Is it worth it?".
>
> We have CVE-2020-7677 on node-thenify.
>
> According to popcon we have three installations. That is of course a
> lower-end number since popcon only counts the popcon users, but anyway
> it indicates that the installation number is really low. It is in fact
> the lowest popcon score I have seen so far.
>
> Then about the vulnerability itself. It is an arbitrary code execution,
> but it is on the client side, and the user has to get some code injected
> into it that is passed to this function. This means you have to find
> some other code that uses this functionality and in some way passes it
> through. It can be done, but the likelihood is lower.
>
> Further I can see that node-* packages were unsupported in stretch. They
> seem to be in buster however.
>
> Quite a lot of node-* packages have fairly severe issues declared as
> minor issues. I could not find any arbitrary code execution
> vulnerabilities though.
>
> So my question is, should we fix node-thenify?
>
> I guess so but I want to raise the question.