Subject: Status: [PATCH] gnu: node: Update to 10.23.3. [security fixes]
From: bug#46634 <46634@debbugs.gnu.org>
Date: Fri, 12 Sep 2025 06:18:39 +0000

retitle 46634 [PATCH] gnu: node: Update to 10.23.3. [security fixes]
reassign 46634 guix-patches
submitter 46634 Jelle Licht
severity 46634 normal
tag 46634 patch
thanks
From: Jelle Licht
To: guix-patches@gnu.org
Subject: [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Fri, 19 Feb 2021 12:02:46 +0100
Message-ID: <86czww5nhl.fsf@fsfe.org>

Hey Guix,

The attached two patches together should address CVE-2020-8287 (in Node). I am kind of fuzzy on the details, but to me it seems that the vulnerability is actually in http-parser (and llhttp), not node. I informed upstream about my findings, but in the meantime we should probably apply these.

The node package subsequently has a regression test to demonstrate that the applied fix works. Nonetheless, http-parser has quite some dependents, and I only verified everything to still work with node.

- Jelle

Content-Type: text/x-patch
Content-Disposition: inline; filename=0001-gnu-http-parser-Update-to-2.9.4-1.ec8b5ee-fixes-CVE-.patch

From a89046a7d2dc585c7f0760ed1799ad8c7c9eff1a Mon Sep 17 00:00:00 2001
From: Jelle Licht Date: Tue, 16 Feb 2021 23:28:58 +0100 Subject: [PATCH] gnu: http-parser: Update to 2.9.4-1.ec8b5ee [fixes CVE-2020-8287]. Fixes CVE-2020-8287. * gnu/packages/web.scm (http-parser): Update to 2.9.4-1.ec8b5ee. [source]: Add patch to mitigate CVE. * gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch: New file. * gnu/local.mk [dist_patch_DATA]: New patch. --- gnu/local.mk | 1 + .../patches/http-parser-CVE-2020-8287.patch | 75 ++++++++++ gnu/packages/web.scm | 136 +++++++++--------- 3 files changed, 146 insertions(+), 66 deletions(-) create mode 100644 gnu/packages/patches/http-parser-CVE-2020-8287.patch diff --git a/gnu/local.mk b/gnu/local.mk index 250901f6d9..2e20638047 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -1164,6 +1164,7 @@ dist_patch_DATA = \ %D%/packages/patches/hdf-eos5-remove-gctp.patch \ %D%/packages/patches/hdf-eos5-fix-szip.patch \ %D%/packages/patches/hdf-eos5-fortrantests.patch \ + %D%/packages/patches/http-parser-CVE-2020-8287.patch \ %D%/packages/patches/http-parser-fix-assertion-on-armhf.patch \ %D%/packages/patches/hubbub-sort-entities.patch \ %D%/packages/patches/hurd-cross.patch \ diff --git a/gnu/packages/patches/http-parser-CVE-2020-8287.patch b/gnu/packages/patches/http-parser-CVE-2020-8287.patch new file mode 100644 index 0000000000..580f773099 --- /dev/null +++ b/gnu/packages/patches/http-parser-CVE-2020-8287.patch 
@@ -0,0 +1,75 @@ +From fc70ce08f5818a286fb5899a1bc3aff5965a745e Mon Sep 17 00:00:00 2001 +From: Fedor Indutny +Date: Wed, 18 Nov 2020 20:50:21 -0800 +Subject: [PATCH] http: unset `F_CHUNKED` on new `Transfer-Encoding` + +Duplicate `Transfer-Encoding` header should be a treated as a single, +but with original header values concatenated with a comma separator. In +the light of this, even if the past `Transfer-Encoding` ended with +`chunked`, we should be not let the `F_CHUNKED` to leak into the next +header, because mere presence of another header indicates that `chunked` +is not the last transfer-encoding token. + +CVE-ID: CVE-2020-8287 +PR-URL: https://github.com/nodejs-private/node-private/pull/235 +Reviewed-By: Fedor Indutny +--- + http_parser.c | 7 +++++++ + test.c | 26 ++++++++++++++++++++++++++ + 2 files changed, 33 insertions(+) + +diff --git a/http_parser.c b/http_parser.c +index 9be003e7322..e9b2b9e83b9 100644 +--- a/http_parser.c ++++ b/http_parser.c +@@ -1344,6 +1344,13 @@ size_t http_parser_execute (http_parser *parser, + } else if (parser->index == sizeof(TRANSFER_ENCODING)-2) { + parser->header_state = h_transfer_encoding; + parser->uses_transfer_encoding = 1; ++ ++ /* Multiple `Transfer-Encoding` headers should be treated as ++ * one, but with values separate by a comma. 
++ * ++ * See: https://tools.ietf.org/html/rfc7230#section-3.2.2 ++ */ ++ parser->flags &= ~F_CHUNKED; + } + break; + +diff --git a/test.c b/test.c +index 3f7c77b3494..2e5a9ebd678 100644 +--- a/test.c ++++ b/test.c +@@ -2154,6 +2154,32 @@ const struct message responses[] = + ,.body= "2\r\nOK\r\n0\r\n\r\n" + ,.num_chunks_complete= 0 + } ++#define HTTP_200_DUPLICATE_TE_NOT_LAST_CHUNKED 30 ++, {.name= "HTTP 200 response with `chunked` and duplicate Transfer-Encoding" ++ ,.type= HTTP_RESPONSE ++ ,.raw= "HTTP/1.1 200 OK\r\n" ++ "Transfer-Encoding: chunked\r\n" ++ "Transfer-Encoding: identity\r\n" ++ "\r\n" ++ "2\r\n" ++ "OK\r\n" ++ "0\r\n" ++ "\r\n" ++ ,.should_keep_alive= FALSE ++ ,.message_complete_on_eof= TRUE ++ ,.http_major= 1 ++ ,.http_minor= 1 ++ ,.status_code= 200 ++ ,.response_status= "OK" ++ ,.content_length= -1 ++ ,.num_headers= 2 ++ ,.headers= ++ { { "Transfer-Encoding", "chunked" } ++ , { "Transfer-Encoding", "identity" } ++ } ++ ,.body= "2\r\nOK\r\n0\r\n\r\n" ++ ,.num_chunks_complete= 0 ++ } + }; + + /* strnlen() is a POSIX.2008 addition. Can't rely on it being available so diff --git a/gnu/packages/web.scm b/gnu/packages/web.scm index d55e3ac70c..6745d7b5fd 100644 --- a/gnu/packages/web.scm +++ b/gnu/packages/web.scm 
@@ -6162,78 +6162,82 @@ into your tests. It automatically starts up a HTTP server in a separate thread (license license:expat))) (define-public http-parser - (package - (name "http-parser") - (version "2.9.4") - (home-page "https://github.com/nodejs/http-parser") - (source - (origin - (method git-fetch) - (uri (git-reference (url home-page) - (commit (string-append "v" version)))) - (sha256 - (base32 "1vda4dp75pjf5fcph73sy0ifm3xrssrmf927qd1x8g3q46z0cv6c")) - (file-name (git-file-name name version)) - (patches - (list - (origin - ;; Treat an empty port (e.g. `http://hostname:/`) when parsing - ;; URLs as if no port were specified. This patch is applied - ;; to Fedora's http-parser and to libgit2's bundled version. - (method url-fetch) - (uri (string-append - "https://src.fedoraproject.org/rpms/http-parser/raw/" - "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" - "f/0001-url-treat-empty-port-as-default.patch")) - (sha256 - (base32 - "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g"))))))) - (build-system gnu-build-system) - (arguments - `(#:test-target "test" - #:make-flags - (list (string-append "PREFIX=" - (assoc-ref %outputs "out")) - "library" - ,@(if (%current-target-system) - '() - '("CC=gcc"))) - #:phases - (modify-phases %standard-phases - ,@(match (%current-system) + (let ((commit "ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d") + (revision "1")) + (package + (name "http-parser") + (version (git-version "2.9.4" revision commit)) + (home-page "https://github.com/nodejs/http-parser") + (source + (origin + (method git-fetch) + (uri (git-reference (url home-page) + (commit commit))) + (sha256 + (base32 "0f297hrbx0kvy3qwgm9rhmbnjww6iljlcz9grsc9d4km1qj1071i")) + (file-name (git-file-name name version)) + (patches + (append + (search-patches "http-parser-CVE-2020-8287.patch") + (list + (origin + ;; Treat an empty port (e.g. `http://hostname:/`) when parsing + ;; URLs as if no port were specified. 
This patch is applied + ;; to Fedora's http-parser and to libgit2's bundled version. + (method url-fetch) + (uri (string-append + "https://src.fedoraproject.org/rpms/http-parser/raw/" + "e89b4c4e2874c19079a5a1a2d2ccc61b551aa289/" + "f/0001-url-treat-empty-port-as-default.patch")) + (sha256 + (base32 + "0pbxf2nq9pcn299k2b2ls8ldghaqln9glnp79gi57mamx4iy0f6g")))))))) + (build-system gnu-build-system) + (arguments + `(#:test-target "test" + #:make-flags + (list (string-append "PREFIX=" + (assoc-ref %outputs "out")) + "library" + ,@(if (%current-target-system) + '() + '("CC=gcc"))) + #:phases + (modify-phases %standard-phases + ,@(match (%current-system) + ("armhf-linux" + '((add-before 'check 'apply-assertion.patch + (lambda* (#:key inputs #:allow-other-keys) + (let ((patch (assoc-ref inputs "assertion.patch"))) + (invoke "patch" "-p1" "-i" patch) + #t))))) + (_ '())) + ,@(if (%current-target-system) + '((replace 'configure + (lambda* (#:key target #:allow-other-keys) + (substitute* (find-files "." "Makefile") + (("CC\\?=.*$") + (string-append "CC=" target "-gcc\n")) + (("AR\\?=.*$") + (string-append "AR=" target "-ar\n"))) + #t))) + '((delete 'configure)))))) + (native-inputs + `(,@(match (%current-system) ("armhf-linux" - '((add-before 'check 'apply-assertion.patch - (lambda* (#:key inputs #:allow-other-keys) - (let ((patch (assoc-ref inputs "assertion.patch"))) - (invoke "patch" "-p1" "-i" patch) - #t))))) - (_ '())) - ,@(if (%current-target-system) - '((replace 'configure - (lambda* (#:key target #:allow-other-keys) - (substitute* (find-files "." "Makefile") - (("CC\\?=.*$") - (string-append "CC=" target "-gcc\n")) - (("AR\\?=.*$") - (string-append "AR=" target "-ar\n"))) - #t))) - '((delete 'configure)))))) - (native-inputs - `(,@(match (%current-system) - ("armhf-linux" - ;; A fix for which in turn - ;; breaks i686-linux builds. 
- `(("assertion.patch" - ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) - (_ '())))) - (synopsis "HTTP request/response parser for C") - (description "This is a parser for HTTP messages written in C. It parses + ;; A fix for which in turn + ;; breaks i686-linux builds. + `(("assertion.patch" + ,@(search-patches "http-parser-fix-assertion-on-armhf.patch")))) + (_ '())))) + (synopsis "HTTP request/response parser for C") + (description "This is a parser for HTTP messages written in C. It parses both requests and responses. The parser is designed to be used in high-performance HTTP applications. It does not make any syscalls nor allocations, it does not buffer data, it can be interrupted at anytime. Depending on your architecture, it only requires about 40 bytes of data per message stream (in a web server that is per connection).") - (license license:expat))) + (license license:expat)))) (define-public python-httpretty (package -- 2.30.1 --=-=-= Content-Type: text/x-patch Content-Disposition: inline; filename=0002-gnu-node-Update-to-10.23.3.patch >From 44f5b6f6ee7ffbec1c38d52ac8356b3f5a252e61 Mon Sep 17 00:00:00 2001 From: Jelle Licht Date: Wed, 17 Feb 2021 00:06:04 +0100 Subject: [PATCH] gnu: node: Update to 10.23.3. * gnu/packages/node.scm (node): Update to 10.23.3. --- gnu/packages/node.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index 77c47ec71f..051c4c3b41 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm 
@@ -50,14 +50,14 @@ (define-public node (package (name "node") - (version "10.22.1") + (version "10.23.3") (source (origin (method url-fetch) (uri (string-append "https://nodejs.org/dist/v" version "/node-v" version ".tar.xz")) (sha256 (base32 - "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl")) + "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi")) (modules '((guix build utils))) (snippet `(begin -- 2.30.1
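Review bot: the ChangeLog entry in the first commit message does not match the gnu/local.mk hunk: the message lists `gnu/packages/patches/patches/http-parser-CVE-2020-8287.patch` (a doubled `patches/` component), while the hunk and the diffstat add `%D%/packages/patches/http-parser-CVE-2020-8287.patch`. Fix the path in the commit message before pushing; the dist_patch_DATA entry itself is in the right alphabetical position between the hdf-eos5 and http-parser-fix-assertion-on-armhf patches.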
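Review bot: the new file gnu/packages/patches/http-parser-CVE-2020-8287.patch carries no provenance that a later auditor can follow, since its only link is `PR-URL: https://github.com/nodejs-private/node-private/pull/235`, a private repository; add a short header comment with a public reference (the upstream commit id fc70ce08f5818a286fb5899a1bc3aff5965a745e from the `From` line, plus the CVE id) as other Guix patch files do. The fix itself is one statement, `parser->flags &= ~F_CHUNKED;`, executed when a further `Transfer-Encoding` field is parsed, which is exactly what the commit text asks for: `chunked` only counts if it is the final coding of the last such header. The test.c hunk shows the resulting behaviour for the response with `chunked` followed by `identity`: `.message_complete_on_eof= TRUE`, `.content_length= -1`, `.num_chunks_complete= 0`, and the raw `2\r\nOK\r\n0\r\n\r\n` kept as the body instead of being chunk-decoded, so the parser no longer reads a body length that the peer would not agree on. The comment typo "values separate by a comma" (should be "separated") is upstream's; leave it, since the patch is applied verbatim.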
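Review bot: the web.scm hunk makes two independent changes but the commit message explains only one of them. Besides prepending `(search-patches "http-parser-CVE-2020-8287.patch")` to the Fedora origin patch, it moves the source from the `v2.9.4` tag to commit ec8b5ee63f0e51191ea43bb0c6eac7bfbff3141d via `(git-version "2.9.4" revision commit)`; say what that newer commit brings (or whether the patch only applies on top of it) so the two can be judged separately. Because the body is wrapped in a `let`, almost every line is re-indented and the hunk runs to 136 lines for a handful of real changes; review it with `git show -w` to confirm nothing else moved. The cover letter admits only node was rebuilt, so before this goes to master list the other dependents with `guix refresh -l http-parser` and build at least a few of them, since both patches now apply against a different upstream commit than before.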
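Review bot: the node.scm hunk bumps only `(version "10.22.1")` to `(version "10.23.3")` and the base32 hash, but its commit message gives no reason for the update. The cover letter says the two patches are only effective together, because 10.23.3 carries the regression test for CVE-2020-8287 while the actual fix lands in http-parser; record that in the second commit message (and the CVE id in its subject, as the first commit does) so that someone bisecting or cherry-picking later does not separate the two.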
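As an added illustration of the rule the embedded upstream commit describes (this is new example code, not from http-parser, Node or the Guix patches): repeated Transfer-Encoding field-lines are folded into one comma-separated list and a message is treated as chunk-framed only when "chunked" is the final coding, so the patch's test case of `chunked` followed by `identity` is classified as not chunked. The function names are my own, and the code assumes the header values have already been split out of the raw message.

```c
/* Added example (not http-parser, Node or Guix code): fold repeated
 * Transfer-Encoding field-lines with commas (RFC 7230 section 3.2.2) and treat
 * the message as chunk-framed only if "chunked" is the last coding (3.3.3). */
#include <ctype.h>
#include <string.h>
enum te_framing {
    TE_NONE = 0,       /* no "chunked" coding present */
    TE_CHUNKED = 1,    /* "chunked" is last: chunk framing applies */
    TE_NOT_FINAL = -1, /* "chunked" present but not last: the CVE-2020-8287 shape */
    TE_TOO_LONG = -2   /* folded value did not fit the buffer */
};

/* Join all Transfer-Encoding values with commas; returns chars written or -1. */
static int fold_transfer_encoding(const char *const *values, size_t count,
                                  char *buf, size_t buflen) {
    size_t used = 0;
    for (size_t i = 0; i < count; i++) {
        size_t n = strlen(values[i]);
        if (used + n + (i ? 1 : 0) + 1 > buflen) return -1;
        if (i) buf[used++] = ',';
        memcpy(buf + used, values[i], n);
        used += n;
    }
    buf[used] = '\0';
    return (int)used;
}

/* Case-insensitive test of one token against "chunked". */
static int token_is_chunked(const char *s, size_t len) {
    static const char want[] = "chunked";
    if (len != sizeof want - 1) return 0;
    for (size_t i = 0; i < len; i++)
        if (tolower((unsigned char)s[i]) != want[i]) return 0;
    return 1;
}

/* Walk the folded list: whitespace around tokens is ignored, empty tokens
 * are skipped, and only the position of "chunked" decides the result. */
static enum te_framing classify_transfer_encoding(const char *folded) {
    int saw_chunked = 0, last_is_chunked = 0;
    for (const char *p = folded; *p;) {
        while (*p && (*p == ',' || isspace((unsigned char)*p))) p++;
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ',') p++;
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        last_is_chunked = token_is_chunked(start, (size_t)(end - start));
        if (last_is_chunked) saw_chunked = 1;
    }
    if (last_is_chunked) return TE_CHUNKED;
    return saw_chunked ? TE_NOT_FINAL : TE_NONE;
}

/* Fold then classify; the constructed pair {"chunked", "identity"} from the
 * patch's regression test yields TE_NOT_FINAL. */
enum te_framing classify_header_values(const char *const *values, size_t count) {
    char buf[256];
    if (fold_transfer_encoding(values, count, buf, sizeof buf) < 0) return TE_TOO_LONG;
    return classify_transfer_encoding(buf);
}
```

A server or proxy that gets TE_NOT_FINAL should reject the message rather than guess its length, which is the desync the CVE describes.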
From: Jonathan Brielmaier
Date: Tue, 23 Feb 2021 20:29:35 +0100
Message-ID: <9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de>
In-Reply-To: <86czww5nhl.fsf@fsfe.org>

On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the mean time we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
> - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0 so as well for the next ESR branch of icecat and icedove...

From: Jelle Licht
To: Jonathan Brielmaier, 46634-done@debbugs.gnu.org
Subject: Re: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Wed, 24 Feb 2021 10:38:34 +0100
Message-ID: <86v9ahkdph.fsf@fsfe.org>
In-Reply-To: <9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de>

Jonathan Brielmaier writes:
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
> so as well for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging efforts: I pushed the patches to master, with the security fix at 66fa2d318a.

- Jelle

From: Debbugs Internal Request
Subject: Internal Control
Date: Wed, 24 Mar 2021 11:24:06 +0000

bug archived.