On 25/04/2019 at 15:35, Xavier Guimard wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
>
> Please unblock package node-fresh
>
> Hi all,
>
> node-fresh is vulnerable to CVE-2017-16119 (#927715). Vulnerability is
> due to Node.js regexp parsing DDOS. I imported and adapted upstream
> patch to work around this issue and enabled upstream tests in both build
> and autopkgtest. Full changes:
>  * Declare compliance with policy 4.3.0
>  * Change section to javascript
>  * Change priority to optional
>  * Add upstream/metadata
>  * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>  * Fix and enable upstream test using pkg-js-tools
>  * Fix VCS fields
>  * Fix copyright format URL
>
> Reverse dependencies:
>  - node-serve-favicon
>  - node-send -------------+
>                           +-> node-serve-static -+
>  - node-express <---------+
>
> I enabled upstream test to verify that there is no regression and tested
> build and tests of node-serve-static, node-send and node-express (using
> additional needed modules). I plan to upload a new node-express in
> experimental with tests enabled to see autopkgtest regression if any.
>
> Cheers,
> Xavier
>
> unblock node-fresh/0.2.0-2
node-express builds well with upstream tests enabled and node-fresh 0.2.0-2 (see https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)