GNU bug report logs - #46634
[PATCH] gnu: node: Update to 10.23.3. [security fixes]

Package: guix-patches;

Reported by: Jelle Licht <jlicht <at> fsfe.org>

Date: Fri, 19 Feb 2021 11:04:01 UTC

Severity: normal

Tags: patch

Done: Jelle Licht <jlicht <at> fsfe.org>

Bug is archived. No further changes may be made.

From: Jonathan Brielmaier <jonathan.brielmaier <at> web.de>
To: Jelle Licht <jlicht <at> fsfe.org>, 46634 <at> debbugs.gnu.org
Subject: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Tue, 23 Feb 2021 20:29:35 +0100

On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the meantime we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
>   - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
so as well for the next ESR branch of icecat and icedove...




This bug report was last modified 4 years and 172 days ago.