On Sun, Oct 25, 2020 at 02:04:30PM -0400, Roberto C. Sánchez wrote:
> Hi fellow LTS folks,
>
> I am working on the update for brotli as it relates to CVE-2020-8927.
> The upstream Git project contains a commit [0] which fixes the issue
> along with several other issues in the same commit. However, there does
> not appear to be any available information regarding the specifics of
> the vulnerability nor is there a PoC that can be used to validate the
> fix. There also appears to be no prior iteration of the PR which
> contains the changes in separate commits.
>
> That said, I have done my best to exclude the parts of the upstream
> commit that do not appear related to CVE-2020-8927 and then to backport
> the remainder to brotli as it exists in stretch. I would like it if
> someone else could review the attached patch, comparing it to the
> upstream commit, and provide feedback on the completeness of the patch.
>
> Please make sure to follow-up with a reply to the list before reviewing
> so that there is not duplicate work on this.
>
Since two weeks have elapsed since I made my request, I intend to upload
the brotli package within the next 24 hours.

Regards,

-Roberto

-- 
Roberto C. Sánchez