guix-patches

[bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]


From: Jonathan Brielmaier
Subject: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes]
Date: Tue, 23 Feb 2021 20:29:35 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Icedove/78.7.1

On 19.02.21 12:02, Jelle Licht wrote:
> Hey Guix,
>
> The attached two patches together should address CVE-2020-8287 (in
> Node). I am kind of fuzzy on the details, but to me it seems that the
> vulnerability is actually in http-parser (and llhttp), not node. I
> informed upstream about my findings, but in the meantime we should
> probably apply these.
>
> The node package subsequently has a regression test to demonstrate that
> the applied fix works. Nonetheless, http-parser has quite some
> dependents, and I only verified everything to still work with node.
>
>   - Jelle

Impressive work. Looks nice! node-10.23 is required for Firefox >= 86.0
so as well for the next ESR branch of icecat and icedove...




