On Fri, 30 Jul 2021 at 16:36, Debian Bug Tracking System <ow...@bugs.debian.org> wrote:
> Your message dated Fri, 30 Jul 2021 16:32:35 +0200
> with message-id <CAJxTCxy_20WuHmxObnDmM=7wab3i9k_ch07wkp6moypdpit...@mail.gmail.com>
> and subject line Re: Bug#991707: Acknowledgement (unblock: nodejs/12.22.4~dfsg-1)
> has caused the Debian Bug report #991707,
> regarding unblock: nodejs/12.22.4~dfsg-1
> to be marked as done.
>
> This means that you claim that the problem has been dealt with.
> If this is not the case it is now your responsibility to reopen the
> Bug report if necessary, and/or fix the problem forthwith.
>
> (NB: If you are a system administrator and have no idea what this
> message is talking about, this may indicate a serious mail system
> misconfiguration somewhere. Please contact ow...@bugs.debian.org
> immediately.)
>
> --
> 991707: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991707
> Debian Bug Tracking System
> Contact ow...@bugs.debian.org with problems
>
> ---------- Forwarded message ----------
> From: "Jérémy Lal" <kapo...@melix.org>
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Cc:
> Bcc:
> Date: Fri, 30 Jul 2021 15:27:24 +0200
> Subject: unblock: nodejs/12.22.4~dfsg-1
>
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: secur...@debian.org
>
> Please unblock package nodejs
>
> [ Reason ]
> The Debian security team plans to upload nodejs security updates "as-is",
> at least while upstream still maintains nodejs 12.x. This is what was
> done in Buster.
>
> Latest security update is 12.22.4 (severity high).
> I did not try to get nodejs > 12.21.0 into bullseye up until now
> because upstream changes were essentially not concerning the debian
> package.
>
> However the 12.22.4 release has many v8 fixes, and a security fix (high).
>
> [ Impact ]
> If not in Bullseye, it will require users to download nodejs a second time
> just after installation, through security updates.
> So it will postpone any issue post-release.
>
> [ Tests ]
> Usual thorough upstream test suite + all dependent packages' tests.
>
> [ Risks ]
> Low, but when considering the regressions I saw false positives:
> - node-chokidar seems to have a flaky test
> - node-esquery, node-caniuse-api, node-browserslist suites fail on their own,
>   for an unrelated problem
> - node-websocket-driver was already broken, probably for a long time.
>   I opened #991700 and will ask its removal from testing.
>
> Also an undocumented internal api has been deprecated, and old modules trying
> to access it will now print a warning (process.binding('http_parser')).
> Only node-websocket-driver is actually using it...
> A code search shows node-http-signature, node-fastcgi are using it in their
> test suites, but it doesn't pose any problem.
>
> https://codesearch.debian.net/search?q=process%5C.binding%5C%28%5B%27%22%5Dhttp_parser%5B%27%22%5D%5C%29&literal=0
>
> [ Checklist ]
> [x] all changes are documented in the d/changelog
> [x] I reviewed all changes and I approve them
> [x] attach debdiff against the package in testing
>
> [ Other info ]
> debdiff is without deps/cares (not used), deps/openssl (not used), test/*,
> benchmark/*, tools/msvs/*.
> Still waiting for armhf test results when writing this request.
>
> unblock nodejs/12.22.4~dfsg-1
>
> ---------- Forwarded message ----------
> From: "Jérémy Lal" <kapo...@melix.org>
> To: 991707-d...@bugs.debian.org
> Cc:
> Bcc:
> Date: Fri, 30 Jul 2021 16:32:35 +0200
> Subject: Re: Bug#991707: Acknowledgement (unblock: nodejs/12.22.4~dfsg-1)
>
> I just double-checked nodejs 12.22.4 was actually fixing
> CVE-2021-22930, supposed to be reproducible with
> https://github.com/mdouglass/repro-node-crash
>
> It does not, so I'm closing this bug until I find out what's happening.

What was happening was an incomplete upstream fix, released in nodejs 12.22.5.
I suppose it's too late for an unblock request so I'll just propose it to security updates.

Jérémy