Hi Xavier,

On Sun, Sep 13, 2020 at 05:29:56PM +0200, Xavier wrote:
> On 12/09/2020 at 15:33, Salvatore Bonaccorso wrote:
> > Source: node-fetch
> > Version: 1.7.3-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
> > Control: found -1 1.7.3-1
> >
> > Hi,
> >
> > The following vulnerability was published for node-fetch.
> >
> > CVE-2020-15168[0]:
> > | node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the
> > | size option after following a redirect, which means that when a
> > | content size was over the limit, a FetchError would never get thrown
> > | and the process would end without failure. For most people, this fix
> > | will have little or no impact. However, if you are relying on
> > | node-fetch to gate files above a size, the impact could be significant,
> > | for example: if you don't double-check the size of the data after
> > | fetch() has completed, your JS thread could get tied up doing work on a
> > | large file (DoS) and/or cost you money in computing.
> >
> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2020-15168
> >     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15168
> > [1] https://github.com/node-fetch/node-fetch/security/advisories/GHSA-w7rc-rwvf-8q5r
> >
> > Regards
> > Salvatore
>
> Hi,
>
> the upstream patches
> (https://github.com/node-fetch/node-fetch/commit/2358a6c2 or
> https://github.com/node-fetch/node-fetch/commit/eaff0094) seem not easy
> to backport to 1.7.3 without major changes. I think we should keep this
> minor bug unfixed in buster.

Sounds sensible (and good once the new version from experimental moves to unstable).

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
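The advisory quoted in this thread recommends double-checking the size of the data after fetch() completes rather than trusting the size option across a redirect. The following is an added example of that caller-side gate; it is not part of the thread, of node-fetch or of the Debian package. It counts bytes as the body is consumed and fails as soon as the limit is passed, and it walks a constructed redirect chain so the gate demonstrably applies to the final response. The hop objects, their field names (`status`, `headers`, `chunks`, `location`), `SizeLimitError`, `ByteGate`, `demo` and the `'max-size'` error type string are all assumptions made for the example, not a node-fetch API.

```javascript
'use strict';
// Added example, not code from node-fetch or the Debian package: a size gate
// the caller applies while consuming the body, so it holds however many
// redirects were followed, instead of relying on the library's `size` option.
// The hop objects and field names below are a constructed stand-in for a
// redirect chain (assumptions, not a node-fetch API).

class SizeLimitError extends Error {
  constructor(limit, seen) {
    super(`content size ${seen} bytes over limit of ${limit} bytes`);
    this.name = 'SizeLimitError';
    this.type = 'max-size'; // assumed to mirror the FetchError type for this case
    this.limit = limit;
    this.seen = seen;
  }
}

// Accumulates chunks and fails as soon as the running byte count exceeds the
// limit, so never more than limit + one chunk is buffered.
class ByteGate {
  constructor(limit) {
    this.limit = limit;
    this.seen = 0;
    this.parts = [];
  }
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.seen += buf.length;
    if (this.seen > this.limit) throw new SizeLimitError(this.limit, this.seen);
    this.parts.push(buf);
  }
  body() {
    return Buffer.concat(this.parts);
  }
}

// Fast-path rejection on the final response's Content-Length. A pass proves
// nothing: the header may be absent (chunked encoding) or wrong, so the byte
// count in ByteGate is still required.
function contentLengthExceeds(headers, limit) {
  const raw = headers['content-length'];
  if (raw === undefined) return false;
  const n = Number.parseInt(raw, 10);
  return Number.isFinite(n) && n > limit;
}

function checkHeaders(headers, limit) {
  if (contentLengthExceeds(headers, limit)) {
    throw new SizeLimitError(limit, Number.parseInt(headers['content-length'], 10));
  }
}

// Read a sync iterable of chunks (Buffers or strings) under the limit.
function readBodyWithLimit(chunks, limit, headers = {}) {
  checkHeaders(headers, limit);
  const gate = new ByteGate(limit);
  for (const chunk of chunks) gate.push(chunk);
  return gate.body();
}

// Same gate for a real stream such as a node-fetch Response.body (any async
// iterable); destroying the stream on failure stops further download.
async function readStreamWithLimit(stream, limit, headers = {}) {
  checkHeaders(headers, limit);
  const gate = new ByteGate(limit);
  try {
    for await (const chunk of stream) gate.push(chunk);
  } catch (err) {
    if (typeof stream.destroy === 'function') stream.destroy(err);
    throw err;
  }
  return gate.body();
}

// Walk a constructed redirect chain and gate the final response, which is
// where the `size` option stopped being honoured in CVE-2020-15168. Each hop
// is { status, headers, chunks }; a 3xx hop with a `location` header is
// followed to the next entry of the array.
function fetchChainWithLimit(hops, limit, maxRedirects = 20) {
  let i = 0;
  let redirects = 0;
  while (hops[i].status >= 300 && hops[i].status < 400 && hops[i].headers.location !== undefined) {
    redirects += 1;
    if (redirects > maxRedirects) throw new Error('too many redirects');
    i += 1; // the next entry stands in for the Location target
    if (i >= hops.length) throw new Error('redirect chain truncated');
  }
  const last = hops[i];
  return { status: last.status, redirects, body: readBodyWithLimit(last.chunks, limit, last.headers) };
}

// Constructed sample: a 302 with a tiny body followed by a 200 whose 8 KiB
// body is well over a 1 KiB limit.
const SAMPLE_CHAIN = [
  { status: 302, headers: { location: '/big' }, chunks: ['moved'] },
  { status: 200, headers: { 'content-type': 'application/octet-stream' },
    chunks: [Buffer.alloc(4096, 0x41), Buffer.alloc(4096, 0x42)] },
];

// Returns the error type when the gate trips on the redirected body, i.e. the
// behaviour a caller relying on the size option expected across the redirect.
function demo(limit = 1024) {
  try {
    const res = fetchChainWithLimit(SAMPLE_CHAIN, limit);
    return `passed with ${res.body.length} bytes after ${res.redirects} redirect(s)`;
  } catch (err) {
    if (err instanceof SizeLimitError) return err.type;
    throw err;
  }
}

console.log(demo());
```

With the default 1 KiB limit `demo()` trips on the first 4 KiB chunk of the final hop, before the second chunk is ever buffered; with a limit of 8192 the same chain passes with the full body. The Content-Length pre-check only short-circuits obvious cases: a response with no header, or a wrong one, still has to be counted chunk by chunk, which is why the gate lives in the reader and not in a header inspection.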