On Tue, 7 Oct 2025 at 06:47, Yadd <[email protected]> wrote:
> On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> > Source: node-static
> > Version: 0.7.11+~0.7.7-2
> > Severity: important
> > Tags: security upstream
> > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> >
> > Hi,
> >
> > The following vulnerability was published for node-static.
> >
> > CVE-2025-11149[0].
> >
> > Note this CVE is not very clear, and there is node-static in the
> > nubosoftware space. Now the CVE description references [1]. Can you
> > clarify the state of the two projects? Our packaged one still seems to
> > have the issue?
>
> IMO, the patch does nothing (a try/catch on an async method won't catch
> anything)
>

The patch *does* something, because fs.stat is *not* async, so it might throw synchronously and never call cb(err).

> > If you fix the vulnerability please also make sure to include the
> > CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> >
> > For further information see:
> >
> > [0] https://security-tracker.debian.org/tracker/CVE-2025-11149
> >     https://www.cve.org/CVERecord?id=CVE-2025-11149
> > [1] https://github.com/cloudhead/node-static/commit/78879dc665f0f7137063794b6e0b6203a81c7f67
> >
> > Please adjust the affected versions in the BTS as needed.
> >
> > Regards,
> > Salvatore
> >
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
