Subject: bug#46634: [PATCH] gnu: node: Update to 10.23.3. [security fixes]
From: Jelle Licht
To: Jonathan Brielmaier, 46634-done@debbugs.gnu.org
Mail-Followup-To: 46634@debbugs.gnu.org, jlicht@fsfe.org
Date: Wed, 24 Feb 2021 10:38:34 +0100
Message-ID: <86v9ahkdph.fsf@fsfe.org>
In-Reply-To: <9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de>
References: <86czww5nhl.fsf@fsfe.org> <9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de>
X-BeenThere: guix-patches@gnu.org
X-GNU-PR-Message: cc-closed 46634
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
Jonathan Brielmaier writes:

> On 19.02.21 12:02, Jelle Licht wrote:
>> Hey Guix,
>>
>> The attached two patches together should address CVE-2020-8287 (in
>> Node). I am kind of fuzzy on the details, but to me it seems that the
>> vulnerability is actually in http-parser (and llhttp), not node. I
>> informed upstream about my findings, but in the meantime we should
>> probably apply these.
>>
>> The node package subsequently has a regression test to demonstrate that
>> the applied fix works. Nonetheless, http-parser has quite a few
>> dependents, and I only verified everything to still work with node.
>>
>> - Jelle
>
> Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0,
> as well as for the next ESR branch of icecat and icedove...

Good to know, I wouldn't want to block any other ongoing packaging efforts:
I pushed the patches to master, with the security fix at 66fa2d318a.

- Jelle