On 26/04/2019 at 17:43, Xavier wrote:
> On 26/04/2019 at 17:41, Xavier wrote:
>> On 25/04/2019 at 15:35, Xavier Guimard wrote:
>>> Package: release.debian.org
>>> Severity: normal
>>> User: [email protected]
>>> Usertags: unblock
>>>
>>> Please unblock package node-fresh
>>>
>>> Hi all,
>>>
>>> node-fresh is vulnerable to CVE-2017-16119 (#927715). The vulnerability is
>>> due to Node.js regexp parsing DDOS. I imported and adapted the upstream
>>> patch to work around this issue and enabled upstream tests in both build
>>> and autopkgtest. Full changes:
>>> * Declare compliance with policy 4.3.0
>>> * Change section to javascript
>>> * Change priority to optional
>>> * Add upstream/metadata
>>> * Add patch to fix regexp ddos (Closes: #927715, CVE-2017-16119)
>>> * Fix and enable upstream test using pkg-js-tools
>>> * Fix VCS fields
>>> * Fix copyright format URL
>>>
>>> Reverse dependencies:
>>> - node-serve-favicon
>>> - node-send -------------+
>>>   +-> node-serve-static -+
>>> - node-express <---------+
>>>
>>> I enabled upstream tests to verify that there is no regression and tested
>>> the build and tests of node-serve-static, node-send and node-express (using
>>> additional needed modules). I plan to upload a new node-express to
>>> experimental with tests enabled to see autopkgtest regressions, if any.
>>>
>>> Cheers,
>>> Xavier
>>>
>>> unblock node-fresh/0.2.0-2
>>
>> node-express builds well with upstream tests enabled and node-fresh
>> 0.2.0-2 (see
>> https://tests.reproducible-builds.org/debian/rb-pkg/experimental/arm64/node-express.html)
>
> NB: the test timeout is too short, so build2 sometimes failed.
autopkgtest also succeeds: https://ci.debian.net/data/autopkgtest/unstable/amd64/n/node-express/2303232/log.gz [node-express from experimental with node-fresh 0.2.0-2]

