Bug#927959: unblock: node-fresh/0.2.0-2
On 26/04/2019 at 17:43, Xavier wrote:
> On 26/04/2019 at 17:41, Xavier wrote:
>> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: release.debian.org@packages.debian.org
>>> Usertags: unblock
>>>
>>> Please unblock package node-fresh
>>>
>>> Hi all,
>>>
>>> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
>>> due to a Node.js regexp parsing DDOS. I imported and adapted the upstream
>>> patch to work around this issue and enabled the upstream tests in both the
>>> build and autopkgtest. Full changes:
>>> * Declare compliance with policy 4.3.0
>>> * Change section to javascript
>>> * Change priority to optional
>>> * Add upstream/metadata
>>> * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>> * Fix and enable upstream test using pkg-js-tools
>>> * Fix VCS fields
>>> * Fix copyright format URL
>>>
>>> Reverse dependencies:
>>> - node-serve-favicon
>>> - node-send -------------+
>>> +-> node-serve-static -+
>>> - node-express <---------+
>>>
>>> I enabled the upstream tests to verify that there is no regression and tested
>>> the build and tests of node-serve-static, node-send and node-express (using
>>> the additional needed modules). I plan to upload a new node-express to
>>> experimental with tests enabled to see autopkgtest regressions, if any.
>>>
>>> Cheers,
>>> Xavier
>>>
>>> unblock node-fresh/0.2.0-2
>>
>> node-express builds well with upstream tests enabled and node-fresh
>> 0.2.0-2 (see
>> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)
>
> NB: the test timeout is too short, so build2 sometimes failed.
autopkgtest also succeeds:
https://ci.debian.net/data/autopkgtest/unstable/amd64/n/node-express/2303232/log.gz
[node-express from experimental with node-fresh 0.2.0-2]
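The thread names the vulnerability class (a regexp denial of service in node-fresh's header parsing, CVE-2017-16119) but does not show the affected expression or the patch. The following is an added illustration, not code from node-fresh, the upstream fix or the Debian patch: it pairs a constructed regex of the shape "split on optional spaces around a comma", assumed to resemble the vulnerable one, with a hand-written linear scanner that returns the same tokens. The adversarial input (a long run of spaces with no comma) and the tokenizer names are constructed for this example.

```javascript
'use strict';
// Added example, not code from node-fresh or its Debian patch. It illustrates
// the vulnerability class named in the bug report (regexp denial of service in
// header parsing) with a CONSTRUCTED regex: split on optional spaces around a
// comma. That this matches node-fresh's real expression is an assumption.

const SEP_RE = / *, */;

// Regex-based tokenizer. On a value made only of spaces, the engine attempts a
// match at each of the N start positions; at each one " *" first swallows the
// remaining spaces, fails to find ",", and backtracks one space at a time.
// Total work is about N*(N+1)/2 steps: quadratic in header length.
function splitWithRegex(value) {
  return value.split(SEP_RE);
}

// Hand-written scanner producing the same tokens as value.split(/ *, */) in a
// single left-to-right pass with no backtracking (linear time).
function splitLinear(value) {
  const tokens = [];
  let start = 0; // index where the current token begins
  let i = 0;
  while (i < value.length) {
    if (value[i] !== ',') { i++; continue; }
    // Drop spaces immediately before the comma, but never before the token start.
    let end = i;
    while (end > start && value[end - 1] === ' ') end--;
    tokens.push(value.slice(start, end));
    // Skip the comma and any spaces that follow it.
    i++;
    while (i < value.length && value[i] === ' ') i++;
    start = i;
  }
  tokens.push(value.slice(start)); // final token; empty if value ended in a separator
  return tokens;
}

// Constructed adversarial header value: a run of n spaces with no comma, the
// worst case for SEP_RE and harmless for the scanner.
function adversarialHeader(n) {
  return ' '.repeat(n);
}

// Wall-clock one tokenizer on one value; returns { tokens, ms }.
function timed(fn, value) {
  const t0 = process.hrtime.bigint();
  const tokens = fn(value);
  const ms = Number(process.hrtime.bigint() - t0) / 1e6;
  return { tokens, ms };
}

// Run both tokenizers on the same value; report whether they agree and the cost.
function compare(value) {
  const a = timed(splitWithRegex, value);
  const b = timed(splitLinear, value);
  return {
    same: JSON.stringify(a.tokens) === JSON.stringify(b.tokens),
    regexMs: a.ms,
    linearMs: b.ms,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // A well-formed If-None-Match style value: both agree and both are cheap.
  console.log(compare('"abc", W/"def" , "ghi"'));
  // Adversarial values: same single token, but the regex cost grows quadratically.
  for (const n of [2000, 8000, 16000]) {
    const r = compare(adversarialHeader(n));
    console.log(`n=${n} same=${r.same} regex=${r.regexMs.toFixed(1)}ms linear=${r.linearMs.toFixed(2)}ms`);
  }
}
```

Run it with `node` and compare the printed times as n doubles: the regex tokenizer's time roughly quadruples while the scanner's stays flat, which is the behaviour an autopkgtest for such a fix should exercise. Independently of the tokenizer, a server-side cap on accepted header length bounds the damage from this class of bug; that cap is a separate control the thread does not discuss.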