On 12/09/2020 at 15:33, Salvatore Bonaccorso wrote:
> Source: node-fetch
> Version: 1.7.3-2
> Severity: important
> Tags: security upstream
> X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> Control: found -1 1.7.3-1
>
> Hi,
>
> The following vulnerability was published for node-fetch.
>
> CVE-2020-15168[0]:
> | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
> | size option after following a redirect, which means that when a
> | content size was over the limit, a FetchError would never get thrown
> | and the process would end without failure. For most people, this fix
> | will have a little or no impact. However, if you are relying on node-
> | fetch to gate files above a size, the impact could be significant, for
> | example: If you don't double-check the size of the data after fetch()
> | has completed, your JS thread could get tied up doing work on a large
> | file (DoS) and/or cost you money in computing.
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2020-15168
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
> [1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
>
> Regards
> Salvatore
Hi,

the upstream patches (https://github.com/node-fetch/node-fetch/commit/2358a6c2 or
https://github.com/node-fetch/node-fetch/commit/eaff0094) seem not easy to backport
to 1.7.3 without major changes. I think we should keep this minor bug unfixed in
buster.

Cheers,
Xavier

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
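The advisory quoted above recommends double-checking the size of the data after fetch() has completed, which is the mitigation an application can apply whether or not its node-fetch version honours the size option across redirects. The following JavaScript is an added example, not code from node-fetch, from the upstream patches, or from anyone in this thread. It wraps a fetch-like function so the response body is measured chunk by chunk against a caller-supplied byte cap; the names SizeLimitError, readBodyWithLimit, fetchBounded and fakeFetch are hypothetical, and fakeFetch is a constructed stand-in that streams in-memory chunks so the example runs without a network.

```javascript
// Added example (not code from node-fetch or from this thread): the
// advisory's mitigation, "double-check the size of the data after fetch()",
// as a wrapper that bounds a response body independently of the `size`
// option, so a redirect target that slipped past `size` is still capped.
// Names below (SizeLimitError, readBodyWithLimit, fetchBounded, fakeFetch)
// are hypothetical and chosen for this example.

class SizeLimitError extends Error {
  constructor(limit, seen) {
    super(`body exceeded ${limit} bytes (seen ${seen})`);
    this.name = 'SizeLimitError';
    this.limit = limit;
    this.seen = seen;
  }
}

// Consume `body` (any async iterable of Buffers or strings, e.g. a Node
// Readable such as node-fetch's res.body) into one Buffer, aborting as soon
// as more than `maxBytes` has been seen. Checking per chunk means an
// oversized body is never fully buffered before the limit fires.
async function readBodyWithLimit(body, maxBytes) {
  const chunks = [];
  let seen = 0;
  for await (const chunk of body) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    seen += buf.length;
    if (seen > maxBytes) {
      // Stop pulling data from the socket if the stream supports it.
      if (typeof body.destroy === 'function') body.destroy();
      throw new SizeLimitError(maxBytes, seen);
    }
    chunks.push(buf);
  }
  return Buffer.concat(chunks);
}

// Wrapper around any fetch-like function. The `size` option is still passed
// for versions that honour it; the declared Content-Length is a cheap early
// reject; the body is then measured for real, because the header may be
// missing or wrong and (per the advisory) `size` may have been dropped
// across a redirect.
async function fetchBounded(fetchFn, url, maxBytes) {
  const res = await fetchFn(url, { size: maxBytes });
  const declared = Number(res.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    throw new SizeLimitError(maxBytes, declared);
  }
  const data = await readBodyWithLimit(res.body, maxBytes);
  return { status: res.status, data };
}

// Constructed stand-in for fetch(): returns a fake Response whose body
// streams `chunks`; no network is used. `contentLength` is optional so the
// "no header" case can be exercised.
function fakeFetch(chunks, contentLength) {
  const headers = new Map();
  if (contentLength !== undefined) headers.set('content-length', String(contentLength));
  async function* body() { for (const c of chunks) yield c; }
  return async (_url, _opts) => ({ status: 200, headers, body: body() });
}

async function demo() {
  const limit = 1000;
  // Constructed inputs: a small body with a correct Content-Length, and a
  // 1.5 KiB body with no Content-Length, as a redirect target that ignored
  // `size` might serve.
  const small = fakeFetch([Buffer.from('hello'), Buffer.from(' world')], 11);
  const big = fakeFetch([Buffer.alloc(512), Buffer.alloc(512), Buffer.alloc(512)]);
  const ok = await fetchBounded(small, 'https://example.invalid/small', limit);
  console.log('small body ok:', ok.data.toString());
  try {
    await fetchBounded(big, 'https://example.invalid/big', limit);
  } catch (e) {
    console.log('rejected:', e.message); // rejected: body exceeded 1000 bytes (seen 1024)
  }
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

With a real node-fetch, `fetchBounded(fetch, url, limit)` is the intended call; res.body there is a Node Readable, which is async iterable and exposes destroy(), so the same loop applies. The point of measuring the body rather than trusting headers or the size option is that the check then holds regardless of which node-fetch version is installed or what a redirect target chooses to send.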