On 26/04/2019 at 17:41, Xavier wrote:
> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>> Package: release.debian.org
>> Severity: normal
>> User: release.debian....@packages.debian.org
>> Usertags: unblock
>>
>> Please unblock package node-fresh
>>
>> Hi all,
>>
>> node-fresh is vulnerable to CVE-2017-16119 (#927715). Vulnerability is
>> due to Node.js regexp parsing DDOS. I imported and adapted upstream
>> patch to work around this issue and enabled upstream tests in both build
>> and autopkgtest. Full changes:
>>  * Declare compliance with policy 4.3.0
>>  * Change section to javascript
>>  * Change priority to optional
>>  * Add upstream/metadata
>>  * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>  * Fix and enable upstream test using pkg-js-tools
>>  * Fix VCS fields
>>  * Fix copyright format URL
>>
>> Reverse dependencies:
>>  - node-serve-favicon
>>  - node-send -------------+
>>                           +-> node-serve-static -+
>>  - node-express <---------+
>>
>> I enabled upstream test to verify that there is no regression and tested
>> build and tests of node-serve-static, node-send and node-express (using
>> additional needed modules). I plan to upload a new node-express in
>> experimental with tests enabled to see autopkgtest regression if any.
>>
>> Cheers,
>> Xavier
>>
>> unblock node-fresh/0.2.0-2
>
> node-express builds well with upstream tests enabled and node-fresh
> 0.2.0-2 (see
> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)
NB: test timeout is too short, so build2 failed sometimes.