Sounds good. I agree. It was a fairly small fix. It sounds like a good approach to check usage only when it is a complicated fix.
// Ola

On Mon, 12 Sept 2022 at 13:46, Sylvain Beucler <b...@beuc.net> wrote:
> Hi,
>
> If sponsored packages are already handled, and we have time to fix this
> package, and I think we can fix it.
>
> I think we need to evaluate a package's usage only when fixing is
> problematic (time constraints, backport issues, uncooperative
> upstream...). Package usage would then be used among other elements to
> make a decision about supporting the package further.
>
> That doesn't appear to be the case here, so I'll add it to dla-needed.txt.
>
> Cheers!
> Sylvain
>
> On 09/09/2022 23:45, Ola Lundqvist wrote:
> > Hi fellow LTS contributors
> >
> > It is this kind of question again. "Is it worth it?".
> >
> > We have CVE-2020-7677 on node-thenify.
> >
> > According to popcon we have three installations. That is of course a
> > lower-end number since popcon only counts the popcon users, but anyway
> > it indicates that the installation number is really low. It is in fact
> > the lowest popcon score I have seen so far.
> >
> > Then about the vulnerability itself. It is an arbitrary code execution,
> > but it is on the client side, and the user has to get some code injected
> > into it that is passed to this function. This means you have to find
> > some other code that uses this functionality and in some way pass it
> > through. It can be done but the likelihood is lower.
> >
> > Further I can see that node-* packages were unsupported in stretch. They
> > seem to be in buster however.
> >
> > Quite a lot of node-* packages have fairly severe issues declared as
> > minor issues. I could not find any arbitrary code execution
> > vulnerabilities though.
> >
> > So my question is, should we fix node-thenify?
> >
> > I guess so but I want to raise the question.

--
 --- Inguza Technology AB --- MSc in Information Technology ----
| o...@inguza.com                    o...@debian.org            |
| http://inguza.com/                Mobile: +46 (0)70-332 1551 |
 ---------------------------------------------------------------