Bug#927959: unblock: node-fresh/0.2.0-2

[Xavier <yadd@debian.org>]

Le 26/04/2019 à 17:41, Xavier a écrit :
> Le 25/04/2019 à 15:35, Xavier Guimard a écrit :
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian.org@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package node-fresh
>>
>> Hi all,
>>
>> node-fresh is vulnerable to CVE-2017-16119 (#927715). Vulnerability is
>> due to Node.js regexp parsing DDOS. I imported and adapted upstream
>> patch to workaround this issue and enabled upstream tests in both build
>> and autopkgtest. Full changes:
>>   * Declare compliance with policy 4.3.0
>>   * Change section to javascript
>>   * Change priority to optional
>>   * Add upstream/metadata
>>   * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>   * Fix and enable upstream test using pkg-js-tools
>>   * Fix VCS fields
>>   * Fix copyright format URL
>>
>> Reverse dependencies:
>>  - node-serve-favicon
>>  - node-send -------------+
>>    +-> node-serve-static -+
>>  - node-express <---------+
>>
>> I enabled upstream test to verify that there is no regression and tested
>> build and tests of node-serve-static, node-send and node-express (using
>> additional needed modules). I plan to upload a new node-express in
>> experimental with tests enabled to see autopkgtest regression if any.
>>
>> Cheers,
>> Xavier
>>
>> unblock node-fresh/0.2.0-2
> 
> node-express builds well with upstream tests enabled and node-fresh
> 0.2.0-2 (see
> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)

NB: test timeout is too short, so build2 failed sometimes.