Hi,

On Sat, Dec 19, 2020 at 10:46:16AM +0100, Christoph Biedl wrote:
> Control: tags 977467 pending
> 
> Moritz Muehlenhoff wrote...
> 
> > https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
> > is for nodejs, but the underlying issue is in http-parser, which Debian's
> > nodejs uses. This is already fixed in experimental, if this can't be used
> > there's also an isolated patch at 
> > https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
> 
> Greetings,
> 
> to me, it seemed better to go forward. So I'll upload 2.9.4-1 to
> experimental in a few moments and trigger the transition then. Let me
> know if you prefer a different approach.

No, sounds good if this will be possible.

> About stable (10/buster), according to security tracker it's affected as
> well. Shall I go the stable point release approach? I haven't checked
> anything there yet, though.

Indeed, as marked already as no-dsa (unless you object), so point
release update sounds good.

Regards,
Salvatore
