Hi Jeremy, Yadd,

On Tue, Oct 07, 2025 at 09:34:52AM +0200, Jérémy Lal wrote:
> On Tue, 7 Oct 2025 at 06:47, Yadd <[email protected]> wrote:
>
> > On 06/10/2025 at 21:47, Salvatore Bonaccorso wrote:
> > > Source: node-static
> > > Version: 0.7.11+~0.7.7-2
> > > Severity: important
> > > Tags: security upstream
> > > X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
> > >
> > > Hi,
> > >
> > > The following vulnerability was published for node-static.
> > >
> > > CVE-2025-11149[0].
> > >
> > > Note this CVE is not very clear, and there is node-static in the
> > > nubosoftware space. Now the CVE description references [1]. Can you
> > > clarify the state of the two projects? Our packaged one seems to
> > > still have the issue?
> >
> > IMO, the patch does nothing (a try/catch on an async method won't catch
> > anything)
>
> The patch *does* something, because fs.stat is *not* async,
> so it might throw synchronously and never call cb(err).
Can you additionally clarify: we seem to use the cloudhead/node-static
fork, but the commit tagged in an earlier version does not seem to be
actually applied. Looking through the git history I do not see it
reverted either. At the risk of looking confused, I would appreciate it
if someone can enlighten me on what is happening here.

Regards,
Salvatore

--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
