Package: nodejs
Version: 18.19.0+dfsg-6~deb12u2
Severity: critical

Dear Debian Community,

We are currently working with the Debian 
Bookworm<https://packages.debian.org/bookworm/nodejs> 12.9 release for our 
project and observed that the nodejs version is 18.19.0+dfsg-6~deb12u2.

However, upon reviewing the 
salsa-debian/bookworm<https://salsa.debian.org/js-team/nodejs/-/blob/debian/bookworm/debian/changelog?ref_type=heads>
 branch, we noticed that version 18.20.4+dfsg-1~deb12u1 is available, which 
includes fixes for multiple CVE issues, such as:

  * CVE-2024-27983<https://security-tracker.debian.org/tracker/CVE-2024-27983> (8.2 HIGH)
  * CVE-2024-21892<https://security-tracker.debian.org/tracker/CVE-2024-21892> (7.5 HIGH)
  * CVE-2024-22019<https://security-tracker.debian.org/tracker/CVE-2024-22019> (7.5 HIGH)

These fixes are not included in the current Bookworm release. Having the 
severity of some of these vulnerabilities as High, we are eager for these 
fixes to be available.

Could you please help clarify why there is a discrepancy between the version in 
the Bookworm release and the one on salsa? Is there any specific reason for 
the delay, and is there any fixed timeline for resolving this?

I appreciate your time and guidance on this matter.

Best Regards,
Syeda Shagufta Naaz
Senior Software Developer
SIEMENS FT FDS (Foundational Services)




-- 
Pkg-javascript-devel mailing list
Pkg-javascript-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
