Control: tags -1 + moreinfo

On Fri, 2022-05-20 at 09:47 +0200, Yadd wrote:
> node-raw-body embeds a patch that creates a Denial-of-Service
> vulnerability into node-express.
>
> [ Impact ]
> Security issue, a simple request can crash any express application
>
> [ Tests ]
> I added a test that proves that bug is fixed: it fails with
> node-raw-body 2.4.1-2 and succeeds with 2.4.1-2+deb11u1
>
> [ Risks ]
> No risk, Debian package is now exactly what upstream wrote.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Drop patch which replaced node-iconv-lite by node-iconv.
>

Why was that change made in the first place? The changelog entry from
2014 isn't particularly helpful.

Regards,

Adam