From: Jelle Licht <jlicht@fsfe.org>
To: Jonathan Brielmaier <jonathan.brielmaier@web.de>,
	46634-done@debbugs.gnu.org
Subject: bug#46634: [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Wed, 24 Feb 2021 10:38:34 +0100
Message-ID: <86v9ahkdph.fsf@fsfe.org>
In-Reply-To: <9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de>

Jonathan Brielmaier <jonathan.brielmaier@web.de> writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the mean time we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite some
>> dependents, and I only verified everything to still work with node.
>>
>>   - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
> so as well for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging efforts:

I pushed the patches to master, with the security fix at 66fa2d318a.
 - Jelle






Thread overview: 3+ messages
2021-02-19 11:02 [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes] Jelle Licht
2021-02-23 19:29 ` Jonathan Brielmaier
2021-02-24  9:38   ` Jelle Licht [this message]
