From: Jonathan Brielmaier
To: Jelle Licht, 46634@debbugs.gnu.org
Subject: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Tue, 23 Feb 2021 20:29:35 +0100
Message-ID: <9a584e1f-4f43-57f6-61ae-4de39c8e8015@web.de>
In-Reply-To: <86czww5nhl.fsf@fsfe.org>

On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the mean time we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
> - Jelle

Impressive work. Looks nice!

node-10.23 is required for Firefox >= 86.0 so as well for the next ESR
branch of icecat and icedove...