Your message dated Sun, 04 Jul 2021 19:15:21 +0000
with message-id <[email protected]>
and subject line unblock libuv1
has caused the Debian Bug report #990663,
regarding unblock: libuv1/1.40.0-1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
990663: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990663
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
Please unblock package libuv1
[ Reason ]
libuv1 1.40.0-1 is affected by CVE-2021-22918
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990561
In more details:
> Node.js (through libuv1) is vulnerable to out-of-bounds read in
> libuv's uv__idna_toascii() function which is used to convert strings
> to ASCII. This is called by Node's dns module's lookup() function and
> can lead to information disclosures or crashes.
See https://nodejs.org/en/blog/vulnerability/july-2021-security-releases/
I've applied a patch prepared by upstream.
https://github.com/nodejs/node/commit/d33aead28bcec32a2a450f884907a6d971631829
Debdiff does not give much information besides the changelog.
The patch is:
https://salsa.debian.org/debian/libuv1/-/blob/debian/sid/debian/patches/fix-cve-2021-22918
[ Impact ] Without this patch, libuv1 (hence nodejs and may be raku)
are vulnerable to specially crafted host names encoded in punicode.
[ Tests ]
Upstream patch contains specific tests that check that the
vulnerability was fixed.
[ Risks ] Hmm. I guess risk is low as the patch is not so big. I also
trust the judgment of upstream.
[ Checklist ]
[X ] all changes are documented in the d/changelog
[X ] I reviewed all changes and I approve them
[X ] attach debdiff against the package in testing
unblock libuv1/1.40.0-1
diff -Nru libuv1-1.40.0/debian/changelog libuv1-1.40.0/debian/changelog
--- libuv1-1.40.0/debian/changelog 2020-10-31 18:43:46.000000000 +0100
+++ libuv1-1.40.0/debian/changelog 2021-07-04 09:43:38.000000000 +0200
@@ -1,3 +1,9 @@
+libuv1 (1.40.0-2) unstable; urgency=medium
+
+ * add patch for CVE-2021-22918 (Closes: #990561)
+
+ -- Dominique Dumont <[email protected]> Sun, 04 Jul 2021 09:43:38 +0200
+
libuv1 (1.40.0-1) unstable; urgency=medium
* new upstream version
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
