Bug#927959: unblock: node-fresh/0.2.0-2
On 25/04/2019 at 15:35, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package node-fresh
>
> Hi all,
>
> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
> due to Node.js regexp parsing DDOS. I imported and adapted the upstream
> patch to work around this issue and enabled the upstream tests in both the
> build and autopkgtest. Full changes:
> * Declare compliance with policy 4.3.0
> * Change section to javascript
> * Change priority to optional
> * Add upstream/metadata
> * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
> * Fix and enable upstream test using pkg-js-tools
> * Fix VCS fields
> * Fix copyright format URL
>
> Reverse dependencies:
> - node-serve-favicon
> - node-send -------------+
> +-> node-serve-static -+
> - node-express <---------+
>
> I enabled the upstream tests to verify that there is no regression and tested
> the build and tests of node-serve-static, node-send and node-express (using
> the additional modules needed). I plan to upload a new node-express to
> experimental with tests enabled to see any autopkgtest regressions.
>
> Cheers,
> Xavier
>
> unblock node-fresh/0.2.0-2
node-express builds well with upstream tests enabled and node-fresh
0.2.0-2 (see
https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)