Control: tags -1 + moreinfo
On Fri, 2022-05-20 at 09:47 +0200, Yadd wrote:
> node-raw-body embeds a patch that creates a Denial-of-Service
> vulnerability in node-express.
>
> [ Impact ]
> Security issue, a simple request can crash any express application.
>
> [ Tests ]
> I added a test that proves that the bug is fixed: it fails with
> node-raw-body 2.4.1-2 and succeeds with 2.4.1-2+deb11u1.
>
> [ Risks ]
> No risk, Debian package is now exactly what upstream wrote.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Drop patch which replaced node-iconv-lite by node-iconv.

Why was that change made in the first place? The changelog entry from
2014 isn't particularly helpful.