
Bug#927959: unblock: node-fresh/0.2.0-2



On 25/04/2019 at 15:35, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package node-fresh
> 
> Hi all,
> 
> node-fresh is vulnerable to CVE-2017-16119 (#927715). Vulnerability is
> due to Node.js regexp parsing DDOS. I imported and adapted upstream
> patch to work around this issue and enabled upstream tests in both build
> and autopkgtest. Full changes:
>   * Declare compliance with policy 4.3.0
>   * Change section to javascript
>   * Change priority to optional
>   * Add upstream/metadata
>   * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>   * Fix and enable upstream test using pkg-js-tools
>   * Fix VCS fields
>   * Fix copyright format URL
> 
> Reverse dependencies:
>  - node-serve-favicon
>  - node-send -------------+
>    +-> node-serve-static -+
>  - node-express <---------+
> 
> I enabled upstream test to verify that there is no regression and tested
> build and tests of node-serve-static, node-send and node-express (using
> additional needed modules). I plan to upload a new node-express in
> experimental with tests enabled to see autopkgtest regression if any.
> 
> Cheers,
> Xavier
> 
> unblock node-fresh/0.2.0-2

node-express builds well with upstream tests enabled and node-fresh
0.2.0-2 (see
https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)

