Hi fellow LTS contributors

It is this kind of question again. "Is it worth it?".

We have CVE-2020-7677 on node-thenify.

According to popcorn we have three installations. That is of course a lower
end number since popcorn only counts the popcorn users, but anyway it
indicates that the installation number is really low. It is in fact the
lowest popcorn score I have seen so far.

Then about the vulnerability itself. It is an arbitrary code execution, but
it is on the client side, and the user has to get some code injected into it
that is passed to this function. This means you have to find some other
code that uses this functionality and in some way pass it through. It can be
done but the likelihood is lower.

Further I can see that node-* packages were unsupported in stretch. They
seem to be in buster however.

Quite a lot of node-* packages have fairly severe issues declared as minor
issues. I could not find any arbitrary code execution vulnerabilities
though.

So my question is, should we fix node-thenify?

I guess so but I want to raise the question.

Cheers

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
|  o...@inguza.com                    o...@debian.org            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------
