Bug#927959: unblock: node-fresh/0.2.0-2
On 26/04/2019 at 17:41, Xavier wrote:
> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package node-fresh
>>
>> Hi all,
>>
>> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
>> due to Node.js regexp parsing DDOS. I imported and adapted the upstream
>> patch to work around this issue and enabled the upstream tests in both the
>> build and autopkgtest. Full changes:
>> * Declare compliance with policy 4.3.0
>> * Change section to javascript
>> * Change priority to optional
>> * Add upstream/metadata
>> * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>> * Fix and enable upstream test using pkg-js-tools
>> * Fix VCS fields
>> * Fix copyright format URL
>>
>> Reverse dependencies:
>> - node-serve-favicon
>> - node-send -------------+
>> +-> node-serve-static -+
>> - node-express <---------+
>>
>> I enabled the upstream tests to verify that there is no regression and
>> tested the build and tests of node-serve-static, node-send and node-express
>> (using the additional needed modules). I plan to upload a new node-express
>> to experimental with tests enabled to see any autopkgtest regressions.
>>
>> Cheers,
>> Xavier
>>
>> unblock node-fresh/0.2.0-2
>
> node-express builds well with upstream tests enabled and node-fresh
> 0.2.0-2 (see
> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)
NB: the test timeout is too short, so build2 sometimes failed.